COMMISSION IMPLEMENTING DECISION (EU) 2022/1337

of 28 July 2022

setting out the template for the provision of information to third-country nationals about the processing of personal data in the Entry/Exit System

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes and amending the Convention implementing the Schengen Agreement and Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011 (1), and in particular Article 50(4) and (5) first paragraph thereof,

Whereas:

(1)	Regulation (EU) 2017/2226 established the Entry/Exit System (EES) as a system which registers electronically the time and place of entry and exit of third-country nationals admitted for a short stay to the territory of the Member States and which calculates the duration of their authorised stay.

(2)

Pursuant to Article 50(1) of Regulation (EU) 2017/2226, third-country nationals whose data are to be recorded in the EES are to be informed about their rights and obligations regarding the processing of their data. Pursuant to Article 50(5) of Regulation (EU) 2017/2226 that information is to be provided in the form of a template.

(3)

Where necessary to comply with their national laws, Member States are to complete the template with relevant national information. With a view of providing awareness and clarity towards the third-country nationals, Member States should add, in particular, information related to the consequences of being an overstayer, the rights of data subject, the possibility of assistance by the supervisory authorities, contact details of the relevant data protection authorities and the lodging of complaints.

(4)	The template referred to in Article 50(5) of Regulation (EU) 2017/2226 should therefore be established.

(5)

Given that Regulation (EU) 2017/2226 builds upon the Schengen acquis, Denmark notified on 30 May 2018 its decision to implement Regulation (EU) 2017/2226 in its national law, in accordance with Article 4 of the Protocol on the position of Denmark annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union Denmark is therefore bound by this Decision.

(6)	As regards Ireland, this Decision constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part (2); Ireland is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.

(7)

As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning those States association with the implementation, application and development of the Schengen acquis (3), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (4).

(8)

As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (5), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (6).

(9)

As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (7) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (8).

(10)

As regards Bulgaria and Romania, as the verification in accordance with applicable Schengen evaluation procedure has been successfully completed, as confirmed by Council conclusions of 9 and 10 June 2011, the provisions of the Schengen acquis relating to the Schengen Information System have been put into effect by Council Decision (EU) 2018/934 (9) and the provisions of the Schengen acquis relating to the Visa Information System have been put into effect by Council Decision (EU) 2017/1908 (10), all the conditions for the operation of the Entry/Exit System set out in Article 66(2)(b) of Regulation (EU) 2017/2226 are met and those Member States should therefore operate the Entry/Exit System from the start of operations.

(11)

As regards Cyprus and Croatia, the operation of the Entry/Exit System requires the granting of passive access to the Visa Information System and the putting into effect of all the provisions of the Schengen acquis relating to the Schengen Information System in accordance with the relevant Council Decisions. Those conditions can only be met once the verification in accordance with the applicable Schengen evaluation procedure has been successfully completed. The Entry/Exit System should be operated only by those Member States which fulfil those conditions at the start of the operation of the Entry/Exit System. Member States not operating the Entry/Exit System from the start of operations should be connected to the Entry/Exit System, in accordance with the procedure set out in Regulation (EU) 2017/2226, as soon as all of those conditions are met.

(12)	The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (11) and delivered an opinion on 11 March 2022.

(13)	The measures provided for in this Decision are in accordance with the opinion of the Smart Borders Committee, established by Article 68 of Regulation (EU) 2017/2226.

HAS ADOPTED THIS DECISION:

Article 1

The information referred to in Article 50(4) and the template referred to in Article 50(5) of Regulation (EU) 2017/2226 shall be as set out in the Annex to this Decision.

Article 2

This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels, 28 July 2022.

For the Commission

The President

Ursula VON DER LEYEN

(1) OJ L 327, 9.12.2017, p. 20.

(2) This Decision falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

(3) OJ L 176, 10.7.1999, p. 36.

(4) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

(5) OJ L 53, 27.2.2008, p. 52.

(6) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).

(7) OJ L 160, 18.6.2011, p. 21.

(8) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).

(9) Council Decision 2018/934/EU of 25 June 2018 on the putting into effect of the remaining provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 165, 2.7.2018, p. 37).

(10) Council Decision 2017/1908/EU of 12 October 2017 on the putting into effect of certain provisions of the Schengen acquis relating to the Visa Information System in the Republic of Bulgaria and Romania (OJ L 269, 19.10.2017, p. 39).

(11) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

ANNEX

Template for the provision of information to third-country nationals about the processing of personal data in the Entry/Exit System

The Entry/Exit System (1) contains personal data records on third-country nationals coming to the territory of the Member States (2) for a short stay (maximum of 90 days in any 180-day period). The system became operational on [date]. As of this date, information about your entries into and exits out of the territory of the Member States, and, if applicable, information on whether you have been refused entry, is registered in the Entry/Exit System.

To this end, your data is collected and processed on behalf of [Authority of the Member State responsible for the processing] (controller(s)). Please see below the contact details. Your personal data is processed for the purposes of border management, preventing irregular immigration and facilitating the management of migration flows. This is required in accordance with Regulation (EU) 2017/2226 (3), specifically Articles 14, 16 to 19 and 23 of Chapter II and Chapter III of the Regulation

What data is collected, recorded and processed?

During checks at the external borders of the Member States, the collection of your personal data is mandatory for the examination of entry conditions. The following personal data is collected and recorded:

(1)	data listed in your travel document; and

(2)	biometric data: from your facial image and fingerprints (4).

Data about you is also collected from other sources, depending on your situation:

(1)	the Visa Information System: data contained in your personal file; and

(2)	the European Travel Information and Authorisation System, in particular the status of your travel authorisation and your family member status, if applicable.

What happens if you do not provide the requested biometric data?

If you do not provide the requested biometric data for registration, verification or identification in the Entry/Exit System, you will be refused entry at the external borders.

Who can access your data?

Member States can access your data for the purposes of border management, facilitation of border crossings, immigration, and law enforcement. Europol may also access your data for law enforcement purposes. Under strict conditions, your data may also be transferred to a Member State, a third country or an international organisation listed in Annex I of Regulation (EU) 2017/2226 (5) for the purposes of return (6) or law enforcement (7).

Your data will be stored in the Entry/Exit System for the following duration, after which it will be automatically erased: (8)

(1)	records of each entry, exit or refusal of entry record are stored for 3 years starting on the date of the entry, exit, refusal of entry record; (9)

(2)	the individual file containing your personal data is stored for 3 years and one day starting from the date of the last exit record or of the refusal of entry record where is no entry recorded during that period;

(3)	where there is no exit record, your data are stored for 5 years starting on the date of the expiration of your authorised stay.

Remaining authorised stay and overstay

You have the right to receive from the border guard information on the maximum remaining duration of your authorised stay on the territory of the Member States. You can also consult the following website [link to EES public website] or, where available, the equipment installed at borders to self verify your remaining authorised stay.

If you overstay the period of your authorised stay, your data will be automatically added to a list of identified persons (a list of overstayers). The list can be accessed by competent national authorities. If you are on this list of overstayers [consequences of being an overstayer to be added by the Member States]. (10) However, if you can provide credible evidence to the competent authorities that you exceeded the authorised duration of your stay due to unforeseeable and serious events, your personal data can be rectified or completed in the Entry/Exit System and you can be removed from the list of overstayers.

Your rights with regard to the processing of personal data

You have the following rights:

(1)	to request from the controller access to data relating to you;

(2)	to request that inaccurate or incomplete data relating to you is rectified or completed; and

(3)	to request that unlawfully processed personal data that concerns you is erased or that the processing thereof is restricted.

If you want to exercise any of these rights listed in points (1) to (3), you must contact the data controller or data protection officer indicated below.

Contact details

Data controller(s): [address and contact details to be filled by MS – data controller].

Data protection officer(s): [address and contact details to be filled by MS].

In line with the division of tasks between Member States’ authorities and the European agencies involved, you can lodge a complaint with:

Supervisory authority of [the Member State] which is in charge of processing your data (e.g. if you allege that they have recorded your data incorrectly):

[Member State specific information to be specified – address and contact details]

European Data Protection Supervisor for matters of data processing by European Agencies:

[contact details to be specified – address and contact details]

[Further information by Member States on rights of the data subjects or the possibility of assistance by the supervisory authorities]. For additional information please consult the Entry/Exit System public website [add link/name].

(1) Regulation (EU) 2017/2226 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011

(2) Austria, Belgium, Bulgaria, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and Switzerland.

(3) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 on establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327 9.12.2017, p. 20).

(4) Please note that the fingerprints data of third-country nationals who do not need a visa to enter the Schengen area and holders of Facilitated Transit Documents will also be stored in the Entry/Exit System. If you need a visa to enter the Schengen area, your fingerprints will already be stored in the Visa Information System as part of your file there and will not be stored again in the Entry/Exit System.

(5) UN organisation, the International Organization for Migration (IOM) or the International Committee of the Red Cross.

(6) Article 41(1) and (2) and Article 42.

(7) Article 41(6).

(8) If you are subject to visa requirement, your fingerprint will not be stored in the Entry/Exit system as they are already stored in the Visa Information System.

(9) In the case of third-country nationals who are family members of mobile EU, EEA or Swiss citizens (i.e. of EU EEA or Swiss citizens who travel to a State other than the State of their nationality or already reside there),and are accompanying or joining the EU, EEA or Swiss citizen, each entry, exit or refusal of entry record will be stored for one year following the date of the exit record or of the refusal of entry record.

(10) The calculation of the duration of the authorised stay and the generation of alerts to Member States when the authorised stay has expired do not apply to third-country nationals who are family members of mobile EU, EEA or Swiss citizens (i.e. of EU EEA or Swiss citizens who travel to a State other than the State of their nationality or already reside there) and are accompanying or joining the EU, EEA or Swiss citizen