|
15.2.2023 |
EN |
Official Journal of the European Union |
L 47/17 |
COMMISSION DELEGATED REGULATION (EU) 2023/333
of 11 July 2022
supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council as regards determining cases where identity data are considered as same or similar for the purpose of the multiple identity detection
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (1), and in particular Article 28(5) thereof,
Whereas:
|
(1) |
Regulation (EU) 2019/817 together with Regulation (EU) 2019/818 of the European Parliament and of the Council (2), establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration. |
|
(2) |
That framework includes a number of interoperability components, including a multiple-identity detector. The multiple-identity detector creates and stores links between data in the different EU information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The linking of data is essential for the multiple-identity detector to fulfil its objectives. |
|
(3) |
The multiple-identity detection process results in the creation of automated white and yellow links. A white link indicates that the identity data of the linked files are the same or similar whereas a yellow link indicates that the identity data of the linked files cannot be considered to be similar and that manual verification of the different identities should be carried out. |
|
(4) |
Considering the burden on persons whose data is registered in the EU information systems, and the national authorities as well as with Union agencies, it is necessary to limit the number of cases in which yellow links are generated by the multiple-identity detector and therefore require manual verification. |
|
(5) |
Pursuant to Regulation (EU) 2019/817, the European Agency for the Operational Management of Large-Scale Information Systems in the area of Freedom, Security and Justice (‘eu-LISA’), established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council (3), should be responsible for the preparation, development and operational management of the interoperability components, including the multi-identity detector. |
|
(6) |
Prior to the development of the multi-identity detector, it is necessary to lay down the procedures to determine the cases in which identity data concerning a person stored across several systems are considered the same or similar for the purpose of multiple-identity detection. |
|
(7) |
Given that Regulation (EU) 2019/817 builds upon the Schengen acquis, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/817 in its national law. It is therefore bound by this Regulation. |
|
(8) |
This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part (4). Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application. |
|
(9) |
As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (6). |
|
(10) |
As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (7), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (8). |
|
(11) |
As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (9) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (10). |
|
(12) |
As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession. |
|
(13) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (11) and delivered an opinion on 27 April 2021, |
HAS ADOPTED THIS REGULATION:
Article 1
Definitions
For the purposes of this Regulation, the following definitions apply:
|
(1) |
‘identity data’ means the following data:
|
|
(2) |
‘equal’ means a 100 % correspondence between data from two different EU information systems, including, where necessary, the use of a conversion-harmonisation functionality for harmonising the format of all data before comparison; |
|
(3) |
‘transliteration’ means a type of conversion of a text from one script to another that involves swapping letters in previously identified ways. |
Article 2
Same identity data
The procedures for determining the cases where identity data shall be considered as the same are set out in Annex I.
Article 3
Similar identity data
The procedures for determining the cases where identity data shall be considered as similar are set out in Annex II.
Article 4
Logs
1. The common identity repository shall keep the logs of the comparison of data containing, at least:
|
(a) |
the date and time of the comparison; |
|
(b) |
the result of the comparison, including which identity data was considered as same or similar; |
|
(c) |
the colour of the link following the automated comparison; |
|
(d) |
the colour of the link following the manual processing subsequent to the creation of a yellow link; |
|
(e) |
the amendments to the links, including where the identity data was considered as similar. |
2. The logs shall be stored in the common identity repository. They shall be stored for no longer than one year following the comparison of data. After that period, they shall be automatically erased.
3. The logs shall be used by the common identity repository to produce automatic reports of activities and to support and monitor the accuracy of the comparison of data between EU information systems.
Article 5
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Brussels, 11 July 2022.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 135, 22.5.2019, p. 27.
(2) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85).
(3) Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p. 1).
(4) This Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).
(5) OJ L 176, 10.7.1999, p. 36.
(6) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).
(7) OJ L 53, 27.2.2008, p. 52.
(8) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).
(9) OJ L 160, 18.6.2011, p. 21.
(10) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).
(11) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(12) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).
(13) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).
(14) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14).
(15) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).
(16) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).
(17) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).
(18) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11).
(19) Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (OJ L 218, 13.8.2008, p. 60).
ANNEX I
1. DATA FROM DIFFERENT INFORMATION SYSTEMS
|
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
1 |
Names (including surname and first name) |
Surnames Previously used surnames Aliases surnames Forenames Previously used forenames Aliases forenames Names at birth |
Surname (family name) First name Names Given names |
Surname (family name) Surname at birth Other names (aliases, artistic names, usual names) First name(s) Given name(s) |
Surname (family name) Pseudonyms Aliases Previous names First names (Given names) Pseudonyms Aliases Previous names |
Surname (family name) Surname at birth (former family name(s)) First name(s) (given name(s)) |
|
2 |
Date of birth |
Date of birth Aliases date of birth |
Date or birth |
Date of birth |
Date of birth |
Date of birth |
|
3 |
Gender |
Gender Aliases gender |
Sex |
Sex |
Gender |
Sex |
|
4 |
Nationality and place of birth |
Any nationalities held Aliases nationality Place of birth (country of birth) Aliases place of birth (country of birth) |
Nationality Nationalities |
Current Nationality Place of birth |
Nationality Nationalities Place of birth (town and country) |
Current nationality Nationalities Nationality at birth Place and country of birth |
In the case of the Schengen Information System, for each data provided for in the table, the identity data may belong to one of the following categories:
|
(a) |
‘confirmed identity’, where the person’s identity has been confirmed on the basis of genuine identification documents, as a result of biometric matching or by a statement from the competent authorities; |
|
(b) |
‘not confirmed identity’, where there is not sufficient proof of the person’s identity; |
|
(c) |
‘alias’, where a person uses a false or assumed identity; |
|
(d) |
‘misused identity’, where a person, subject to an alert in the Schengen Information System, uses the identity of another real person, in particular when a document is used to the detriment of the real owner of that document. |
For the purposes of this table, aliases identity data refer to categories (b), (c) and (d), while the non-alias data refer to category (a).
2. SAME IDENTITY DATA
This Annex lays down the cases in which identity data shall be considered as the same. In order for identity data to be considered as the same, all the conditions of Section 3 should be fulfilled.
3. CASES WHERE IDENTITY DATA SHALL BE CONSIDERED AS THE SAME PER DATA CATEGORY
In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the cumulative conditions laid down in Sections 3.1, 3.2, 3.3 and 3.4 shall be met.
3.1. Names
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Names (including surname and first name) |
Surnames Previously used surnames Aliases surnames Forenames Previously used forenames Names at birth Aliases forenames |
Surname (family name) First name Names Given names |
Surname (family name) Surname at birth Other names (aliases, artistic names, usual names) First name(s) Given name(s) |
Surname (family name) Pseudonyms Aliases Previous names First names (Given names) Pseudonyms Aliases Previous names |
Surname (family name) Surname at birth (former family name(s)) First name(s) (given name(s)) |
In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the following cumulative conditions must be met:
|
(a) |
the data inserted in at least one of the following data fields is equal in the two systems:
|
|
(b) |
the data inserted in at least one of the following data fields is equal in the two systems:
|
3.2. Date of birth
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Date of birth |
Date of birth Aliases date of birth |
Date or birth |
Date of birth |
Date of birth |
Date of birth |
In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the values contained under the data-category ‘date of birth’ must be equal in both systems.
3.3. Gender
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Gender |
Gender Aliases gender |
Sex |
Sex |
Gender |
Sex |
In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the data contained under the data-category ‘gender’ must be equal in both systems.
3.4. Nationalities and place of birth
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Nationalities and place of birth |
Any nationalities held Aliases nationality Place of birth (country of birth) Aliases place of birth (country of birth) |
Nationality Nationalities |
Current Nationality Place of birth |
Nationality Nationalities Place of birth (town and country) |
Current nationality Nationalities Nationality at birth Place and country of birth |
In order for identity data to be considered as the same, where a link is created between data from two EU information systems, at least one of the data fields under the data-category ‘nationalities and place of birth’ must be equal in both systems, including at least one of the nationalities.
ANNEX II
1. DATA FROM DIFFERENT INFORMATION SYSTEMS
|
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
1 |
Names (including surname and first name) |
Surnames Previously used surnames Aliases surnames Forenames Previously used forenames Names at birth Aliases forenames |
Surname (family name) First name Names Given names |
Surname (family name) Surname at birth Other names (aliases, artistic names, usual names) First name(s) Given name(s) |
Surname (family name) Pseudonyms Aliases Previous names First names (Given names) Pseudonyms Aliases Previous names |
Surname (family name) Surname at birth (former family name(s)) First name(s) (given name(s)) |
|
2 |
Date of birth |
Date of birth Aliases date of birth |
Date or birth |
Date of birth |
Date of birth |
Date of birth |
|
3 |
Gender |
Gender Aliases gender |
Sex |
Sex |
Gender |
Sex |
|
4 |
Nationality and place of birth |
Any nationalities held Aliases nationality Place of birth (country of birth) Aliases place of birth (country of birth) |
Nationality Nationalities |
Current Nationality Place of birth |
Nationality Nationalities Place of birth (town and country) |
Current nationality Nationalities Nationality at birth Place and country of birth |
In the case of the Schengen Information System, for each data provided for in the table, the identity data may belong to one of the following categories:
|
(a) |
‘confirmed identity’, where the person’s identity has been confirmed on the basis of genuine identification documents, as a result of biometric matching or by a statement from the competent authorities; |
|
(b) |
‘not confirmed identity’, where there is not sufficient proof of the person’s identity; |
|
(c) |
‘alias’, where a person uses a false or assumed identity; |
|
(d) |
‘misused identity’, where a person, subject to an alert in the Schengen Information System, uses the identity of another real person, in particular when a document is used to the detriment of the real owner of that document. |
For the purposes of this table, aliases identity data refer to categories (b), (c) and (d), while the non-alias data refer to category (a).
2. SIMILAR IDENTITY DATA
Section 3 provides an exhaustive list of rules for when identity data shall be considered as similar.
eu-LISA, assisted and advised by the Interoperability Advisory Group, shall apply these rules by means of an algorithm in consultation with the Commission assisted and advised by the Interoperability Subgroup of the Expert Group on Information Systems for Borders and Security (‘Expert Group’).
eu-LISA shall monitor the impact of the application of the algorithm and report, on a regular basis, to the Expert Group.
Where necessary, in order to limit the number of cases in which yellow links generated by the multiple-identity detector would need to be turned into white links by the responsible authorities, the Commission, assisted and advised by the Expert Group, shall request eu-LISA to adjust the algorithm by prioritising the yellow links created between identity data that are considered more similar, in compliance with the rules in Section 3.
The multiple-identity detector shall always check identity data against all rules laid down in section 3.
3. CASES WHERE IDENTITY DATA SHALL BE CONSIDERED AS SIMILAR
3.1. Names
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Names (including surname and first name) |
Surnames Previously used surnames Aliases surnames Forenames Previously used forenames Names at birth Aliases forenames |
Surname (family name) First name Names Given names |
Surname (family name) Surname at birth Other names (aliases, artistic names, usual names) First name(s) Given name(s) |
Surname (family name) Pseudonyms Aliases Previous names First names (Given names) Pseudonyms Aliases Previous names |
Surname (family name) Surname at birth (former family name(s)) First name(s) (given name(s)) |
Identity data of the data-category ‘names’ shall be considered similar where there are:
|
(a) |
known transliteration in names; |
|
(b) |
inversions of the following categories of data:
|
|
(c) |
cases where the first name, forename and surname are regrouped in one of the data fields; |
|
(d) |
cases where the order of two words is inversed, including both adjacent and non-adjacent; |
|
(e) |
cases where the order of two letters is inversed, including both adjacent and non-adjacent; |
|
(f) |
cases where a single character edit including insertions, deletions and substitutions is required to have a data-category of one EU information system being equal to a data-category in another EU information system; |
|
(g) |
cases where a difference is found due to the use of hyphens, commas or apostrophes; |
|
(h) |
cases where the name is truncated. |
3.2. Date of birth
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Date of birth |
Date of birth Aliases date of birth |
Date or birth |
Date of birth |
Date of birth |
Date of birth |
Identity data of the data-category ‘date of birth’ shall be considered similar where there are:
|
(a) |
cases where the fields of month and day match if they are inversed; |
|
(b) |
cases where the difference in date of birth is due to a known conversion of different calendars; |
|
(c) |
cases where a single character edit including insertions, deletions and substitutions is required to have a data-category of one EU information system being equal to a data-category in another EU information system. |
3.3. Gender
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Gender |
Gender Aliases gender |
Sex |
Sex |
Gender |
Sex |
3.4. Nationalities and place of birth
|
Data-category |
SIS |
EES |
ETIAS |
ECRIS-TCN |
VIS |
|
Nationalities and place of birth |
Any nationalities held Aliases nationality Place of birth (country of birth) Aliases place of birth (country of birth) |
Nationality Nationalities |
Current Nationality Place of birth |
Nationality Nationalities Place of birth (town and country) |
Current nationality Nationalities Nationality at birth Place and country of birth |
Identity data of the data-category ‘nationalities and place of birth’ shall be considered similar where there are:
|
(a) |
known transliteration in nationalities or place of birth; |
|
(b) |
cases where a single character edit including insertions, deletions and substitutions is required to have a data-category of one EU information system being equal to a data-category in another EU information system; |
|
(c) |
known cases where nationalities/countries/cities changed their denomination. |