1.   For the purposes of this Decision, the following definitions shall apply:

2.   The definitions in Regulation (EC) No 767/2008 shall also apply.

1.   Member States shall designate the authorities referred to in Article 2(1)(e) which are authorised to access VIS data pursuant to this Decision.

2.   Every Member State shall keep a list of the designated authorities. By 2 December 2008 every Member State shall notify in a declaration to the Commission and the General Secretariat of the Council their designated authorities and may at any time amend or replace its declaration by another declaration.

3.   Every Member State shall designate the central access point(s) through which the access is done. Member States may designate more than one central access point to reflect their organisational and administrative structure in fulfilment of their constitutional or legal requirements. By 2 December 2008 every Member State shall notify in a declaration to the Commission and the General Secretariat of the Council their central access point(s) and may at any time amend or replace its declaration by another declaration.

4.   The Commission shall publish the declarations referred to in paragraphs 2 and 3 in the Official Journal of the European Union.

5.   At national level, each Member State shall keep a list of the operating units within the designated authorities that are authorised to access the VIS through the central access point(s).

6.   Only duly empowered staff of the operational units as well as the central access point(s) shall be authorised to access the VIS in accordance with Article 4.

1.   Where the conditions of Article 5 are fulfilled the operating units referred to in Article 3(5) shall submit a reasoned written or electronic request to the central access points referred to in Article 3(3) to access the VIS. Upon receipt of a request for access the central access point(s) shall verify whether the conditions for access referred to in Article 5 are fulfilled. If all conditions for access are fulfilled, the duly authorised staff of the central access point(s) shall process the requests. The VIS data accessed shall be transmitted to the operating units referred to in Article 3(5) in such a way as not to compromise the security of the data.

2.   In an exceptional case of urgency, the central access point(s) may receive written, electronic or oral requests. In such cases, the central access point(s) shall process the request immediately and only verify ex-post whether all the conditions of Article 5 are fulfilled, including whether an exceptional case of urgency existed. The ex-post verification shall take place without undue delay after the processing of the request.

1.   Access to the VIS for consultation by designated authorities shall take place within the scope of their powers and if the following conditions are met:

2.   Consultation of the VIS shall be limited to searching with any of the following VIS data in the application file:

3.   Consultation of the VIS shall, in the event of a hit, give access to all of the data listed in paragraph 2 as well as to:

1.   Access to the VIS for consultation by designated authorities of a Member State in respect of which Regulation (EC) No 767/2008 has not yet been put into effect shall take place within the scope of their powers and

2.   A Member State in respect of which Regulation (EC) No 767/2008 has not yet been put into effect shall make its visa information available to Member States to which Regulation (EC) No 767/2008 applies, on the basis of a duly reasoned written or electronic request, subject to compliance with the conditions laid down in Article 5(1).

3.   Article 8(1) and (3) to (6), Article 9(1), Article 10(1) and (3), Article 12, Article 13(1) and (3) shall apply accordingly.

1.   Access to the VIS for consultation by Europol shall take place within the limits of its mandate and:

2.   Article 5(2) and (3) shall apply accordingly.

3.   Europol shall designate a specialised unit for the purpose of this Decision with duly empowered Europol officials to act as the central access point to access the VIS for consultation.

4.   Processing of information obtained by Europol from access to the VIS shall be subject to the consent of the Member State which has entered that data in the VIS. Such consent shall be obtained via the Europol national unit of that Member State.

1.   The processing of personal data consulted under this Decision shall be subject to the following rules and to the national law of the consulting Member State. With regard to the processing of personal data consulted under this Decision, each Member State shall ensure an adequate data protection level in its national law which at least corresponds to that resulting from the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data and, for those Member States which have ratified it, the Additional Protocol of 8 November 2001 to that Convention, and shall take into account Recommendation No R (87)15 of 17 September 1987 of the Committee of Ministers of the Council of Europe Regulating the Use of Personal Data in the Police Sector.

2.   The processing of personal data by Europol pursuant to this Decision shall be in accordance with the Europol Convention and the rules adopted in implementation thereof and supervised by the independent joint supervisory body established by Article 24 of the Convention.

3.   Personal data obtained pursuant to this Decision from the VIS shall only be processed for the purposes of the prevention, detection, investigation and prosecution of terrorist offences or other serious criminal offences.

4.   Personal data obtained pursuant to this Decision from the VIS shall not be transferred or made available to a third country or to an international organisation. However, in an exceptional case of urgency such data may be transferred or made available to a third country or an international organisation, exclusively for the purposes of the prevention and detection of terrorist offences and of other serious criminal offences and under the conditions set out in Article 5(1) of this Decision, subject to the consent of the Member State having entered the data into the VIS and in accordance with the national law of the Member State transferring the data or making them available. In accordance with national law, Member States shall ensure that records are kept of such transfers and make them available to national data protection authorities on request. The transfer of data by the Member State that entered the data in the VIS according to Regulation (EC) No 767/2008 shall be subject to the national law of that Member State.

5.   The competent body or bodies which, in accordance with national law, are charged with the supervision of the processing of personal data by the authorities designated under this Decision shall monitor the lawfulness of the processing of personal data pursuant to this Decision. The Member States shall ensure that these bodies have sufficient resources to fulfil the tasks entrusted to them under this Decision.

6.   The bodies referred to in paragraph 5 shall ensure that at least every four years an audit of the processing of personal data pursuant to this Decision is carried out, where applicable according to international auditing standards.

7.   Member States and Europol shall allow the competent body or bodies referred to in paragraphs 2 and 5 to obtain the necessary information to enable them to carry out their tasks in accordance with this Article.

8.   Before being authorised to process data stored in the VIS, the staff of the authorities having a right to access the VIS shall receive appropriate training about data security and data protection rules and shall be informed of any relevant criminal offences and penalties.

1.   The Member State responsible shall ensure the security of the data during transmission to the designated authorities and when received by them.

2.   Each Member State shall adopt the necessary security measures with respect to data to be retrieved from the VIS pursuant to this Decision and to be subsequently stored, in particular in order to:

1.   Any person who, or Member State which, has suffered damage as a result of an unlawful processing operation or any act incompatible with this Decision shall be entitled to receive compensation from the Member State which is responsible for the damage suffered. That Member State shall be exempted from its liability, in whole or in part, if it proves that it is not responsible for the event giving rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Decision causes damage to the VIS, that Member State shall be held liable for such damage, unless and insofar as another Member State failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.

1.   Data retrieved from the VIS may be kept in national files only when necessary in an individual case in accordance with the purposes set out in this Decision and in accordance with the relevant legal provisions including those concerning data protection and for no longer than necessary in the individual case.

2.   Paragraph 1 shall not prejudice the provisions of national law of a Member State concerning the entry by its designated authorities in their national files of data which that Member State entered in the VIS according to Regulation (EC) No 767/2008.

3.   Any use of data which does not comply with paragraphs 1 and 2 shall be considered a misuse under the national law of each Member State.

1.   The right of persons to have access to data relating to them obtained from the VIS pursuant to this Decision shall be exercised in accordance with the law of the Member State in which they invoke that right.

2.   If national law so provides, the national supervisory authority shall decide whether information is to be communicated and by what procedures.

3.   A Member State other than that which has entered the data into the VIS according to Regulation (EC) No 767/2008 may communicate information concerning such data only if it first gives the Member State entering the data an opportunity to state its position.

4.   Information shall not be communicated to the data subject if this is indispensable for the performance of a lawful task in connection with the data or for the protection of the rights and freedoms of third parties.

5.   Any person has the right to have factually inaccurate data relating to him corrected or unlawfully stored data relating to him deleted. If the designated authorities receive such a request or if they have any other evidence to suggest that data processed in the VIS is inaccurate they shall immediately inform the visa authority of the Member State which has entered the data in the VIS, which shall check the data concerned and, if necessary, correct or delete it immediately, pursuant to Article 24 of Regulation (EC) No 767/2008.

6.   The individual concerned shall be informed as soon as possible and in any event not later than 60 days from the date on which he applies for access or sooner if national law so provides.

7.   The individual concerned shall be informed about the follow-up given to the exercise of his rights of correction and deletion as soon as possible and in any event not later than three months from the date on which he applies for correction or deletion or sooner if national law so provides.

8.   In each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to or the right of correction or deletion of data relating to him, provided for in this Article.

1.   Each Member State and Europol shall ensure that all data processing operations resulting from access to the VIS for consultation pursuant to this Decision are recorded for the purposes of checking whether the search is admissible or not, for the purpose of monitoring the lawfulness of data processing, for self-monitoring, ensuring the proper functioning of the system, data integrity and security.

Those records shall show:

2.   Records containing personal data shall be used only for the data protection monitoring of the legality of data processing as well as to ensure data security. Only records containing data of a non-personal nature may be used for the monitoring and evaluation referred to in Article 17.

3.   These records shall be protected by appropriate measures against unauthorised access and abuse and deleted after a period of one year after the retention period referred to in Article 23(1) of Regulation (EC) No 767/2008 has expired, unless they are required for monitoring procedures referred to in paragraph 2 of this Article which have already begun.

1.   The Management Authority referred to in Regulation (EC) No 767/2008 shall ensure that systems are in place to monitor the functioning of the VIS pursuant to this Decision against objectives, in terms of output, cost-effectiveness, security and quality of service.

2.   For the purpose of technical maintenance, the Management Authority shall have access to the necessary information relating to the processing operations performed in the VIS.

3.   Two years after the VIS is brought into operation and every two years thereafter, the Management Authority shall submit a report to the European Parliament, the Council and the Commission on the technical functioning of the VIS pursuant to this Decision. That report shall include information on the performance of the VIS against quantitative indicators predefined by the Commission, and in particular on the need and use made of Article 4(2).

4.   Three years after the VIS is brought into operation and every four years thereafter, the Commission shall produce an overall evaluation of the VIS pursuant to this Decision. This evaluation shall include an examination of the results achieved against objectives and an assessment of the continuing validity of the underlying rationale behind this Decision, the application of this Decision in respect of the VIS, the security of the VIS and any implications for future operations. The Commission shall transmit the evaluation reports to the European Parliament and the Council.

5.   The Member States and Europol shall provide to the Management Authority and the Commission the information necessary to draft the reports referred to in paragraph 3 and 4. This information shall not jeopardise working methods nor include information that reveals sources, staff members or investigations of the designated authorities.

6.   The Management Authority shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 4.

7.   During the transitional period before the Management Authority takes up its responsibilities, the Commission shall be responsible for producing and submitting the reports referred to in paragraph 3.

1.   This Decision shall enter into force on the 20th day following its publication in the Official Journal of the European Union.

2.   This Decision shall take effect from a date to be determined by the Council once the Commission has informed the Council that Regulation (EC) No 767/2008 has entered into force and is fully applicable.