Council Regulation (EC) No 2725/2000

of 11 December 2000

concerning the establishment of "Eurodac" for the comparison of fingerprints for the effective application of the Dublin Convention

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty establishing the European Community, and in particular Article 63 point (1)(a) thereof,

Having regard to the proposal from the Commission,

Having regard to the opinion of the European Parliament(1),

Whereas:

(1) Member States have ratified the Geneva Convention of 28 July 1951, as amended by the New York Protocol of 31 January 1967, relating to the Status of Refugees.

(2) Member States have concluded the Convention determining the State responsible for examining applications for asylum lodged in one of the Member States of the European Communities, signed in Dublin on 15 June 1990 (hereinafter referred to as "the Dublin Convention")(2).

(3) For the purposes of applying the Dublin Convention, it is necessary to establish the identity of applicants for asylum and of persons apprehended in connection with the unlawful crossing of the external borders of the Community. It is also desirable, in order effectively to apply the Dublin Convention, and in particular points (c) and (e) of Article 10(1) thereof, to allow each Member State to check whether an alien found illegally present on its territory has applied for asylum in another Member State.

(4) Fingerprints constitute an important element in establishing the exact identity of such persons. It is necessary to set up a system for the comparison of their fingerprint data.

(5) To this end, it is necessary to set up a system known as "Eurodac", consisting of a Central Unit, to be established within the Commission and which will operate a computerised central database of fingerprint data, as well as of the electronic means of transmission between the Member States and the central database.

(6) It is also necessary to require the Member States promptly to take fingerprints of every applicant for asylum and of every alien who is apprehended in connection with the irregular crossing of an external border of a Member State, if they are at least 14 years of age.

(7) It is necessary to lay down precise rules on the transmission of such fingerprint data to the Central Unit, the recording of such fingerprint data and other relevant data in the central database, their storage, their comparison with other fingerprint data, the transmission of the results of such comparison and the blocking and erasure of the recorded data. Such rules may be different for, and should be specifically adapted to, the situation of different categories of aliens.

(8) Aliens who have requested asylum in one Member State may have the option of requesting asylum in another Member State for many years to come. Therefore, the maximum period during which fingerprint data should be kept by the Central Unit should be of considerable length. Given that most aliens who have stayed in the Community for several years will have obtained a settled status or even citizenship of a Member State after that period, a period of ten years should be considered a reasonable period for the conservation of fingerprint data.

(9) The conservation period should be shorter in certain special situations where there is no need to keep fingerprint data for that length of time. Fingerprint data should be erased immediately once aliens obtain citizenship of a Member State.

(10) It is necessary to lay down clearly the respective responsibilities of the Commission, in respect of the Central Unit, and of the Member States, as regards data use, data security, access to, and correction of, recorded data.

(11) While the non-contractual liability of the Community in connection with the operation of the Eurodac system will be governed by the relevant provisions of the Treaty, it is necessary to lay down specific rules for the non-contractual liability of the Member States in connection with the operation of the system.

(12) In accordance with the principle of subsidiarity as set out in Article 5 of the Treaty, the objective of the proposed measures, namely the creation within the Commission of a system for the comparison of fingerprint data to assist the implementation of the Community's asylum policy, cannot, by its very nature, be sufficiently achieved by the Member States and can therefore be better achieved by the Community. In accordance with the principle of proportionality as set out in the said Article, this Regulation does not go beyond what is necessary to achieve that objective.

(13) Since the Member States alone are responsible for identifying and classifying the results of comparisons transmitted by the Central Unit as well as for the blocking of data relating to persons admitted and recognised as refugees and since this responsibility concerns the particularly sensitive area of the processing of personal data and could affect the exercise of individual freedoms, there are specific grounds for the Council reserving for itself the exercise of certain implementing powers, relating in particular to the adoption of measures ensuring the safety and reliability of such data.

(14) The measures necessary for the implementation of other measures of this Regulation should be adopted in accordance with Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission(3).

(15) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(4) applies to the processing of personal data by the Member States within the framework of the Eurodac system.

(16) By virtue of Article 286 of the Treaty, Directive 95/46/EC also applies to Community institutions and bodies. Since the Central Unit will be established within the Commission, that Directive will apply to the processing of personal data by that Unit.

(17) The principles set out in Directive 95/46/EC regarding the protection of the rights and freedoms of individuals, notably their right to privacy, with regard to the processing of personal data should be supplemented or clarified, in particular as far as certain sectors are concerned.

(18) It is appropriate to monitor and evaluate the performance of Eurodac.

(19) Member States should provide for a system of penalties to sanction the use of data recorded in the central database contrary to the purpose of Eurodac.

(20) The United Kingdom and Ireland, in accordance with Article 3 of the Protocol on the position of the United Kingdom and Ireland annexed to the Treaty on European Union and the Treaty establishing the European Community, have given notice of their wish to take part in the adoption and application of this Regulation.

(21) Denmark, in accordance with Articles 1 and 2 of the Protocol on the position of Denmark annexed to the said Treaties, is not participating in the adoption of this Regulation and is therefore not bound by it nor subject to its application.

(22) It is appropriate to restrict the territorial scope of this Regulation so as to align it on the territorial scope of the Dublin Convention.

(23) This Regulation should serve as legal basis for the implementing rules which, with a view to its rapid application, are required for the establishment of the necessary technical arrangements by the Member States and the Commission. The Commission should be charged with verifying that those conditions are fulfilled,

HAS ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Purpose of "Eurodac"

1. A system known as "Eurodac" is hereby established, the purpose of which shall be to assist in determining which Member State is to be responsible pursuant to the Dublin Convention for examining an application for asylum lodged in a Member State, and otherwise to facilitate the application of the Dublin Convention under the conditions set out in this Regulation.

2. Eurodac shall consist of:

(a) the Central Unit referred to in Article 3;

(b) a computerised central database in which the data referred to in Article 5(1), Article 8(2) and Article 11(2) are processed for the purpose of comparing the fingerprint data of applicants for asylum and of the categories of aliens referred to in Article 8(1) and Article 11(1);

(c) means of data transmission between the Member States and the central database.

The rules governing Eurodac shall also apply to operations effected by the Member States as from the transmission of data to the Central Unit until use is made of the results of the comparison.

3. Without prejudice to the use of data intended for Eurodac by the Member State of origin in databases set up under the latter's national law, fingerprint data and other personal data may be processed in Eurodac only for the purposes set out in Article 15(1) of the Dublin Convention.

Article 2

Definitions

1. For the purposes of this Regulation:

(a) "the Dublin Convention" means the Convention determining the State responsible for examining applications for asylum lodged in one of the Member States of the European Communities, signed at Dublin on 15 June 1990;

(b) an "applicant for asylum" means an alien who has made an application for asylum or on whose behalf such an application has been made;

(c) "Member State of origin" means:

(i) in relation to an applicant for asylum, the Member State which transmits the personal data to the Central Unit and receives the results of the comparison;

(ii) in relation to a person covered by Article 8, the Member State which transmits the personal data to the Central Unit;

(iii) in relation to a person covered by Article 11, the Member State which transmits such data to the Central Unit and receives the results of the comparison;

(d) "refugee" means a person who has been recognised as a refugee in accordance with the Geneva Convention on Refugees of 28 July 1951, as amended by the New York Protocol of 31 January 1967;

(e) "hit" shall mean the existence of a match or matches established by the Central Unit by comparison between fingerprint data recorded in the databank and those transmitted by a Member State with regard to a person, without prejudice to the requirement that Member States shall immediately check the results of the comparison pursuant to Article 4(6).

2. The terms defined in Article 2 of Directive 95/46/EC shall have the same meaning in this Regulation.

3. Unless stated otherwise, the terms defined in Article 1 of the Dublin Convention shall have the same meaning in this Regulation.

Article 3

Central Unit

1. A Central Unit shall be established within the Commission which shall be responsible for operating the central database referred to in Article 1(2)(b) on behalf of the Member States. The Central Unit shall be equipped with a computerised fingerprint recognition system.

2. Data on applicants for asylum, persons covered by Article 8 and persons covered by Article 11 which are processed at the Central Unit shall be processed on behalf of the Member State of origin under the conditions set out in this Regulation.

3. The Central Unit shall draw up statistics on its work every quarter, indicating:

(a) the number of data sets transmitted on applicants for asylum and the persons referred to in Articles 8(1) and 11(1);

(b) the number of hits for applicants for asylum who have lodged an application for asylum in another Member State;

(c) the number of hits for persons referred to in Article 8(1) who have subsequently lodged an application for asylum;

(d) the number of hits for persons referred to in Article 11(1) who had previously lodged an application for asylum in another Member State;

(e) the number of fingerprint data which the Central Unit had to request a second time from the Member States of origin because the fingerprint data originally transmitted did not lend themselves to comparison using the computerised fingerprint recognition system.

At the end of each year, statistical data shall be established in the form of a compilation of the quarterly statistics drawn up since the beginning of Eurodac's activities, including an indication of the number of persons for whom hits have been recorded under (b), (c) and (d).

The statistics shall contain a breakdown of data for each Member State.

4. Pursuant to the procedure laid down in Article 23(2), the Central Unit may be charged with carrying out certain other statistical tasks on the basis of the data processed at the Central Unit.

CHAPTER II

APPLICANTS FOR ASYLUM

Article 4

Collection, transmission and comparison of fingerprints

1. Each Member State shall promptly take the fingerprints of all fingers of every applicant for asylum of at least 14 years of age and shall promptly transmit the data referred to in points (a) to (f) of Article 5(1) to the Central Unit. The procedure for taking fingerprints shall be determined in accordance with the national practice of the Member State concerned and in accordance with the safeguards laid down in the European Convention on Human Rights and in the United Nations Convention on the Rights of the Child.

2. The data referred to in Article 5(1) shall be immediately recorded in the central database by the Central Unit, or, provided that the technical conditions for such purposes are met, directly by the Member State of origin.

3. Fingerprint data within the meaning of point (b) of Article 5(1), transmitted by any Member State, shall be compared by the Central Unit with the fingerprint data transmitted by other Member States and already stored in the central database.

4. The Central Unit shall ensure, on the request of a Member State, that the comparison referred to in paragraph 3 covers the fingerprint data previously transmitted by that Member State, in addition to the data from other Member States.

5. The Central Unit shall forthwith transmit the hit or the negative result of the comparison to the Member State of origin. Where there is a hit, it shall transmit for all data sets corresponding to the hit, the data referred to in Article 5(1), although in the case of the data referred to in Article 5(1)(b), only insofar as they were the basis for the hit.

Direct transmission to the Member State of origin of the result of the comparison shall be permissible where the technical conditions for such purpose are met.

6. The results of the comparison shall be immediately checked in the Member State of origin. Final identification shall be made by the Member State of origin in cooperation with the Member States concerned, pursuant to Article 15 of the Dublin Convention.

Information received from the Central Unit relating to other data found to be unreliable shall be erased or destroyed as soon as the unreliability of the data is established.

7. The implementing rules setting out the procedures necessary for the application of paragraphs 1 to 6 shall be adopted in accordance with the procedure laid down in Article 22(1).

Article 5

Recording of data

1. Only the following data shall be recorded in the central database:

(a) Member State of origin, place and date of the application for asylum;

(b) fingerprint data;

(c) sex;

(d) reference number used by the Member State of origin;

(e) date on which the fingerprints were taken;

(f) date on which the data were transmitted to the Central Unit;

(g) date on which the data were entered in the central database;

(h) details in respect of the recipient(s) of the data transmitted and the date(s) of transmission(s).

2. After recording the data in the central database, the Central Unit shall destroy the media used for transmitting the data, unless the Member State of origin has requested their return.

Article 6

Data storage

Each set of data, as referred to in Article 5(1), shall be stored in the central database for ten years from the date on which the fingerprints were taken.

Upon expiry of this period, the Central Unit shall automatically erase the data from the central database.

Article 7

Advance data erasure

Data relating to a person who has acquired citizenship of any Member State before expiry of the period referred to in Article 6 shall be erased from the central database, in accordance with Article 15(3) as soon as the Member State of origin becomes aware that the person has acquired such citizenship.

CHAPTER III

ALIENS APPREHENDED IN CONNECTION WITH THE IRREGULAR CROSSING OF AN EXTERNAL BORDER

Article 8

Collection and transmission of fingerprint data

1. Each Member State shall, in accordance with the safeguards laid down in the European Convention on Human Rights and in the United Nations Convention on the Rights of the Child, promptly take the fingerprints of all fingers of every alien of at least 14 years of age who is apprehended by the competent control authorities in connection with the irregular crossing by land, sea or air of the border of that Member State having come from a third country and who is not turned back.

2. The Member State concerned shall promptly transmit to the Central Unit the following data in relation to any alien, as referred to in paragraph 1, who is not turned back:

(a) Member State of origin, place and date of the apprehension;

(b) fingerprint data;

(c) sex;

(d) reference number used by the Member State of origin;

(e) date on which the fingerprints were taken;

(f) date on which the data were transmitted to the Central Unit.

Article 9

Recording of data

1. The data referred to in Article 5(1)(g) and in Article 8(2) shall be recorded in the central database.

Without prejudice to Article 3(3), data transmitted to the Central Unit pursuant to Article 8(2) shall be recorded for the sole purpose of comparison with data on applicants for asylum transmitted subsequently to the Central Unit.

The Central Unit shall not compare data transmitted to it pursuant to Article 8(2) with any data previously recorded in the central database, nor with data subsequently transmitted to the Central Unit pursuant to Article 8(2).

2. The procedures provided for in Article 4(1), second sentence, Article 4(2) and Article 5(2) as well as the provisions laid down pursuant to Article 4(7) shall apply. As regards the comparison of data on applicants for asylum subsequently transmitted to the Central Unit with the data referred to in paragraph 1, the procedures provided for in Article 4(3), (5) and (6) shall apply.

Article 10

Storage of data

1. Each set of data relating to an alien as referred to in Article 8(1) shall be stored in the central database for two years from the date on which the fingerprints of the alien were taken. Upon expiry of this period, the Central Unit shall automatically erase the data from the central database.

2. The data relating to an alien as referred to in Article 8(1) shall be erased from the central database in accordance with Article 15(3) immediately, if the Member State of origin becomes aware of one of the following circumstances before the two-year period mentioned in paragraph 1 has expired:

(a) the alien has been issued with a residence permit;

(b) the alien has left the territory of the Member States;

(c) the alien has acquired the citizenship of any Member State.

CHAPTER IV

ALIENS FOUND ILLEGALLY PRESENT IN A MEMBER STATE

Article 11

Comparison of fingerprint data

1. With a view to checking whether an alien found illegally present within its territory has previously lodged an application for asylum in another Member State, each Member State may transmit to the Central Unit any fingerprint data relating to fingerprints which it may have taken of any such alien of at least 14 years of age together with the reference number used by that Member State.

As a general rule there are grounds for checking whether the alien has previously lodged an application for asylum in another Member State where:

(a) the alien declares that he/she has lodged an application for asylum but without indicating the Member State in which he/she made the application;

(b) the alien does not request asylum but objects to being returned to his/her country of origin by claiming that he/she would be in danger, or

(c) the alien otherwise seeks to prevent his/her removal by refusing to cooperate in establishing his/her identity, in particular by showing no, or false, identity papers.

2. Where Member States take part in the procedure referred to in paragraph 1, they shall transmit to the Central Unit the fingerprint data relating to all or at least the index fingers, and, if those are missing, the prints of all other fingers, of aliens referred to in paragraph 1.

3. The fingerprint data of an alien as referred to in paragraph 1 shall be transmitted to the Central Unit solely for the purpose of comparison with the fingerprint data of applicants for asylum transmitted by other Member States and already recorded in the central database.

The fingerprint data of such an alien shall not be recorded in the central database, nor shall they be compared with the data transmitted to the Central Unit pursuant to Article 8(2).

4. As regards the comparison of fingerprint data transmitted under this Article with the fingerprint data of applicants for asylum transmitted by other Member States which have already been stored in the Central Unit, the procedures provided for in Article 4(3), (5) and (6) as well as the provisions laid down pursuant to Article 4(7) shall apply.

5. Once the results of the comparison have been transmitted to the Member State of origin, the Central Unit shall forthwith:

(a) erase the fingerprint data and other data transmitted to it under paragraph 1; and

(b) destroy the media used by the Member State of origin for transmitting the data to the Central Unit, unless the Member State of origin has requested their return.

CHAPTER V

RECOGNISED REFUGEES

Article 12

Blocking of data

1. Data relating to an applicant for asylum which have been recorded pursuant to Article 4(2) shall be blocked in the central database if that person is recognised and admitted as a refugee in a Member State. Such blocking shall be carried out by the Central Unit on the instructions of the Member State of origin.

As long as a decision pursuant to paragraph 2 has not been adopted, hits concerning persons who have been recognised and admitted as refugees in a Member State shall not be transmitted. The Central Unit shall return a negative result to the requesting Member State.

2. Five years after Eurodac starts operations, and on the basis of reliable statistics compiled by the Central Unit on persons who have lodged an application for asylum in a Member State after having been recognised and admitted as refugees in another Member State, a decision shall be taken in accordance with the relevant provisions of the Treaty, as to whether the data relating to persons who have been recognised and admitted as refugees in a Member State should:

(a) be stored in accordance with Article 6 for the purpose of the comparison provided for in Article 4(3); or

(b) be erased in advance once a person has been recognised and admitted as a refugee.

3. In the case referred to in paragraph 2(a), the data blocked pursuant to paragraph 1 shall be unblocked and the procedure referred to in paragraph 1 shall no longer apply.

4. In the case referred to in paragraph 2(b):

(a) data which have been blocked in accordance with paragraph 1 shall be erased immediately by the Central Unit; and

(b) data relating to persons who are subsequently recognised and admitted as refugees shall be erased in accordance with Article 15(3), as soon as the Member State of origin becomes aware that the person has been recognised and admitted as a refugee in a Member State.

5. The implementing rules concerning the procedure for the blocking of data referred to in paragraph 1 and the compilation of statistics referred to in paragraph 2 shall be adopted in accordance with the procedure laid down in Article 22(1).

CHAPTER VI

DATA USE, DATA PROTECTION AND LIABILITY

Article 13

Responsibility for data use

1. The Member State of origin shall be responsible for ensuring that:

(a) fingerprints are taken lawfully;

(b) fingerprint data and the other data referred to in Article 5(1), Article 8(2) and Article 11(2) are lawfully transmitted to the Central Unit;

(c) data are accurate and up-to-date when they are transmitted to the Central Unit;

(d) without prejudice to the responsibilities of the Commission, data in the central database are lawfully recorded, stored, corrected and erased;

(e) the results of fingerprint data comparisons transmitted by the Central Unit are lawfully used.

2. In accordance with Article 14, the Member State of origin shall ensure the security of the data referred to in paragraph 1 before and during transmission to the Central Unit as well as the security of the data it receives from the Central Unit.

3. The Member State of origin shall be responsible for the final identification of the data pursuant to Article 4(6).

4. The Commission shall ensure that the Central Unit is operated in accordance with the provisions of this Regulation and its implementing rules. In particular, the Commission shall:

(a) adopt measures ensuring that persons working in the Central Unit use the data recorded in the central database only in accordance with the purpose of Eurodac as laid down in Article 1(1);

(b) ensure that persons working in the Central Unit comply with all requests from Member States made pursuant to this Regulation in relation to recording, comparison, correction and erasure of data for which they are responsible;

(c) take the necessary measures to ensure the security of the Central Unit in accordance with Article 14;

(d) ensure that only persons authorised to work in the Central Unit have access to data recorded in the central database, without prejudice to Article 20 and the powers of the independent supervisory body which will be established under Article 286(2) of the Treaty.

The Commission shall inform the European Parliament and the Council of the measures it takes pursuant to the first subparagraph.

Article 14

Security

1. The Member State of origin shall take the necessary measures to:

(a) prevent any unauthorised person from having access to national installations in which the Member State carries out operations in accordance with the aim of Eurodac (checks at the entrance to the installation);

(b) prevent data and data media in Eurodac from being read, copied, modified or erased by unauthorised persons (control of data media);

(c) guarantee that it is possible to check and establish a posteriori what data have been recorded in Eurodac, when and by whom (control of data recording);

(d) prevent the unauthorised recording of data in Eurodac and any unauthorised modification or erasure of data recorded in Eurodac (control of data entry);

(e) guarantee that, in using Eurodac, authorised persons have access only to data which are within their competence (control of access);

(f) guarantee that it is possible to check and establish to which authorities data recorded in Eurodac may be transmitted by data transmission equipment (control of transmission);

(g) prevent the unauthorised reading, copying, modification or erasure of data during both the direct transmission of data to or from the central database and the transport of data media to or from the Central Unit (control of transport).

2. As regards the operation of the Central Unit, the Commission shall be responsible for applying the measures mentioned under paragraph 1.

Article 15

Access to, and correction or erasure of, data recorded in Eurodac

1. The Member State of origin shall have access to data which it has transmitted and which are recorded in the central database in accordance with the provisions of this Regulation.

No Member State may conduct searches in the data transmitted by another Member State, nor may it receive such data apart from data resulting from the comparison referred to in Article 4(5).

2. The authorities of Member States which, pursuant to paragraph 1, have access to data recorded in the central database shall be those designated by each Member State. Each Member State shall communicate to the Commission a list of those authorities.

3. Only the Member State of origin shall have the right to amend the data which it has transmitted to the Central Unit by correcting or supplementing such data, or to erase them, without prejudice to erasure carried out in pursuance of Article 6, Article 10(1) or Article 12(4)(a).

Where the Member State of origin records data directly in the central database, it may amend or erase the data directly.

Where the Member State of origin does not record data directly in the central database, the Central Unit shall amend or erase the data at the request of that Member State.

4. If a Member State or the Central Unit has evidence to suggest that data recorded in the central database are factually inaccurate, it shall advise the Member State of origin as soon as possible.

If a Member State has evidence to suggest that data were recorded in the central database contrary to this Regulation, it shall similarly advise the Member State of origin as soon as possible. The latter shall check the data concerned and, if necessary, amend or erase them without delay.

5. The Central Unit shall not transfer or make available to the authorities of any third country data recorded in the central database, unless it is specifically authorised to do so in the framework of a Community agreement on the criteria and mechanisms for determining the State responsible for examining an application for asylum.

Article 16

Keeping of records by the Central Unit

1. The Central Unit shall keep records of all data processing operations within the Central Unit. These records shall show the purpose of access, the date and time, the data transmitted, the data used for interrogation and the name of both the unit putting in or retrieving the data and the persons responsible.

2. Such records may be used only for the data-protection monitoring of the admissibility of data processing as well as to ensure data security pursuant to Article 14. The records must be protected by appropriate measures against unauthorised access and erased after a period of one year, if they are not required for monitoring procedures which have already begun.

Article 17

Liability

1. Any person who, or Member State which, has suffered damage as a result of an unlawful processing operation or any act incompatible with the provisions laid down in this Regulation shall be entitled to receive compensation from the Member State responsible for the damage suffered. That State shall be exempted from its liability, in whole or in part, if it proves that it is not responsible for the event giving rise to the damage.

2. If failure of a Member State to comply with its obligations under this Regulation causes damage to the central database, that Member State shall be held liable for such damage, unless and insofar as the Commission failed to take reasonable steps to prevent the damage from occurring or to minimise its impact.

3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.

Article 18

Rights of the data subject

1. A person covered by this Regulation shall be informed by the Member State of origin of the following:

(a) the identity of the controller and of his representative, if any;

(b) the purpose for which the data will be processed within Eurodac;

(c) the recipients of the data;

(d) in relation to a person covered by Article 4 or Article 8, the obligation to have his/her fingerprints taken;

(e) the existence of the right of access to, and the right to rectify, the data concerning him/her.

In relation to a person covered by Article 4 or Article 8, the information referred to in the first subparagraph shall be provided when his/her fingerprints are taken.

In relation to a person covered by Article 11, the information referred to in the first subparagraph shall be provided no later than the time when the data relating to the person are transmitted to the Central Unit. This obligation shall not apply where the provision of such information proves impossible or would involve a disproportionate effort.

2. In each Member State any data subject may, in accordance with the laws, regulations and procedures of that State, exercise the rights provided for in Article 12 of Directive 95/46/EC.

Without prejudice to the obligation to provide other information in accordance with point (a) of Article 12 of Directive 95/46/EC, the data subject shall have the right to obtain communication of the data relating to him/her recorded in the central database and of the Member State which transmitted them to the Central Unit. Such access to data may be granted only by a Member State.

3. In each Member State, any person may request that data which are factually inaccurate be corrected or that data recorded unlawfully be erased. The correction and erasure shall be carried out without excessive delay by the Member State which transmitted the data, in accordance with its laws, regulations and procedures.

4. If the rights of correction and erasure are exercised in a Member State, other than that, or those, which transmitted the data, the authorities of that Member State shall contact the authorities of the Member State, or States, in question so that the latter may check the accuracy of the data and the lawfulness of their transmission and recording in the central database.

5. If it emerges that data recorded in the central database are factually inaccurate or have been recorded unlawfully, the Member State which transmitted them shall correct or erase the data in accordance with Article 15(3). That Member State shall confirm in writing to the data subject without excessive delay that it has taken action to correct or erase data relating to him/her.

6. If the Member State which transmitted the data does not agree that data recorded in the central database are factually inaccurate or have been recorded unlawfully, it shall explain in writing to the data subject without excessive delay why it is not prepared to correct or erase the data.

That Member State shall also provide the data subject with information explaining the steps which he/she can take if he/she does not accept the explanation provided. This shall include information on how to bring an action or, if appropriate, a complaint before the competent authorities or courts of that Member State and any financial or other assistance that is available in accordance with the laws, regulations and procedures of that Member State.

7. Any request under paragraphs 2 and 3 shall contain all the necessary particulars to identify the data subject, including fingerprints. Such data shall be used exclusively to permit the exercise of the rights referred to in paragraphs 2 and 3 and shall be destroyed immediately afterwards.

8. The competent authorities of the Member States shall cooperate actively to enforce promptly the rights laid down in paragraphs 3, 4 and 5.

9. In each Member State, the national supervisory authority shall assist the data subject in accordance with Article 28(4) of Directive 95/46/EC in exercising his/her rights.

10. The national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State in which the data subject is present shall assist and, where requested, advise him/her in exercising his/her right to correct or erase data. Both national supervisory authorities shall cooperate to this end. Requests for such assistance may be made to the national supervisory authority of the Member State in which the data subject is present, which shall transmit the requests to the authority of the Member State which transmitted the data. The data subject may also apply for assistance and advice to the joint supervisory authority set up by Article 20.

11. In each Member State any person may, in accordance with the laws, regulations and procedures of that State, bring an action or, if appropriate, a complaint before the competent authorities or courts of the State if he/she is refused the right of access provided for in paragraph 2.

12. Any person may, in accordance with the laws, regulations and procedures of the Member State which transmitted the data, bring an action or, if appropriate, a complaint before the competent authorities or courts of that State concerning the data relating to him/her recorded in the central database, in order to exercise his/her rights under paragraph 3. The obligation of the national supervisory authorities to assist and, where requested, advise the data subject, in accordance with paragraph 10, shall subsist throughout the proceedings.

Article 19

National supervisory authority

1. Each Member State shall provide that the national supervisory authority or authorities designated pursuant to Article 28(1) of Directive 95/46/EC shall monitor independently, in accordance with its respective national law, the lawfulness of the processing, in accordance with this Regulation, of personal data by the Member State in question, including their transmission to the Central Unit.

2. Each Member State shall ensure that its national supervisory authority has access to advice from persons with sufficient knowledge of fingerprint data.

Article 20

Joint supervisory authority

1. An independent joint supervisory authority shall be set up, consisting of a maximum of two representatives from the supervisory authorities of each Member State. Each delegation shall have one vote.

2. The joint supervisory authority shall have the task of monitoring the activities of the Central Unit to ensure that the rights of data subjects are not violated by the processing or use of the data held by the Central Unit. In addition, it shall monitor the lawfulness of the transmission of personal data to the Member States by the Central Unit.

3. The joint supervisory authority shall be responsible for the examination of implementation problems in connection with the operation of Eurodac, for the examination of possible difficulties during checks by the national supervisory authorities and for drawing up recommendations for common solutions to existing problems.

4. In the performance of its duties, the joint supervisory authority shall, if necessary, be actively supported by the national supervisory authorities.

5. The joint supervisory authority shall have access to advice from persons with sufficient knowledge of fingerprint data.

6. The Commission shall assist the joint supervisory authority in the performance of its tasks. In particular, it shall supply information requested by the joint supervisory body, give it access to all documents and paper files as well as access to the data stored in the system and allow it access to all its premises, at all times.

7. The joint supervisory authority shall unanimously adopt its rules of procedure. It shall be assisted by a secretariat, the tasks of which shall be defined in the rules of procedure.

8. Reports drawn up by the joint supervisory authority shall be made public and shall be forwarded to the bodies to which the national supervisory authorities submit their reports, as well as to the European Parliament, the Council and the Commission for information. In addition, the joint supervisory authority may submit comments or proposals for improvement regarding its remit to the European Parliament, the Council and the Commission at any time.

9. In the performance of their duties, the members of the joint supervisory authority shall not receive instructions from any government or body.

10. The joint supervisory authority shall be consulted on that part of the draft operating budget of the Eurodac Central Unit which concerns it. Its opinion shall be annexed to the draft budget in question.

11. The joint supervisory authority shall be disbanded upon the establishment of the independent supervisory body referred to in Article 286(2) of the Treaty. The independent supervisory body shall replace the joint supervisory authority and shall exercise all the powers conferred on it by virtue of the act under which that body is established.

CHAPTER VII

FINAL PROVISIONS

Article 21

Costs

1. The costs incurred in connection with the establishment and operation of the Central Unit shall be borne by the general budget of the European Union.

2. The costs incurred by national units and the costs for their connection to the central database shall be borne by each Member State.

3. The costs of transmission of data from the Member State of origin and of the findings of the comparison to that State shall be borne by the State in question.

Article 22

Implementing rules

1. The Council shall adopt, acting by the majority laid down in Article 205(2) of the Treaty, the implementing provisions necessary for

- laying down the procedure referred to in Article 4(7),

- laying down the procedure for the blocking of the data referred to in Article 12(1),

- drawing up the statistics referred to in Article 12(2).

In cases where these implementing provisions have implications for the operational expenses to be borne by the Member States, the Council shall act unanimously.

2. The measures referred to in Article 3(4) shall be adopted in accordance with the procedure referred to in Article 23(2).

Article 23

Committee

1. The Commission shall be assisted by a committee.

2. In the cases where reference is made to this paragraph, Articles 5 and 7 of Decision 1999/468/EC shall apply.

The period laid down in Article 5(6) of Decision 1999/468/EC shall be set at three months.

3. The committee shall adopt its rules of procedure.

Article 24

Annual report: Monitoring and evaluation

1. The Commission shall submit to the European Parliament and the Council an annual report on the activities of the Central Unit. The annual report shall include information on the management and performance of Eurodac against pre-defined quantitative indicators for the objectives referred to in paragraph 2.

2. The Commission shall ensure that systems are in place to monitor the functioning of the Central Unit against objectives, in terms of outputs, cost-effectiveness and quality of service.

3. The Commission shall regularly evaluate the operation of the Central Unit in order to establish whether its objectives have been attained cost-effectively and with a view to providing guidelines for improving the efficiency of future operations.

4. One year after Eurodac starts operations, the Commission shall produce an evaluation report on the Central Unit, focusing on the level of demand compared with expectation and on operational and management issues in the light of experience, with a view to identifying possible short-term improvements to operational practice.

5. Three years after Eurodac starts operations and every six years thereafter, the Commission shall produce an overall evaluation of Eurodac, examining results achieved against objectives and assessing the continuing validity of the underlying rationale and any implications for future operations.

Article 25

Penalties

Member States shall ensure that use of data recorded in the central database contrary to the purpose of Eurodac as laid down in Article 1(1) shall be subject to appropriate penalties.

Article 26

Territorial scope

The provisions of this Regulation shall not be applicable to any territory to which the Dublin Convention does not apply.

Article 27

Entry into force and applicability

1. This Regulation shall enter into force on the day of its publication in the Official Journal of the European Communities.

2. This Regulation shall apply, and Eurodac shall start operations, from the date which the Commission shall publish in the Official Journal of the European Communities, when the following conditions are met:

(a) each Member State has notified the Commission that it has made the necessary technical arrangements to transmit data to the Central Unit in accordance with the implementing rules adopted under Article 4(7) and to comply with the implementing rules adopted under Article 12(5); and

(b) the Commission has made the necessary technical arrangements for the Central Unit to begin operations in accordance with the implementing rules adopted under Article 4(7) and Article 12(5).

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaty establishing the European Community.

Done at Brussels, 11 December 2000.

For the Council

The President

H. Védrine

(1) OJ C 189, 7.7.2000, p. 105 and p. 227 and opinion delivered on 21 September 2000 (not yet published in the Official Journal).

(2) OJ C 254, 19.8.1997, p. 1.

(3) OJ L 184, 17.7.1999, p. 23.

(4) OJ L 281, 23.11.1995, p. 31.