REGULATION (EU) 2017/2226 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 30 November 2017

establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty of the Functioning of the European Union, and in particular, Article 77(2)(b) and (d) and Article 87(2)(a) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

1.   This Regulation establishes an ‘Entry/Exit System’ (EES) for:

2.   For the purposes of the prevention, detection and investigation of terrorist offences or of other serious criminal offences, this Regulation also lays down the conditions under which Member States’ designated authorities and Europol may obtain access to the EES for consultation.

Article 2

Scope

1.   This Regulation applies to:

2.   This Regulation also applies to third-country nationals whose entry for a short stay to the territory of the Member States is refused in accordance with Article 14 of Regulation (EU) 2016/399.

3.   This Regulation does not apply to:

4.   The provisions of this Regulation regarding the calculation of the duration of the authorised stay and the generation of alerts to Member States when the authorised stay has expired do not apply to third-country nationals who:

Article 3

Definitions

1.   For the purposes of this Regulation, the following definitions apply:

2.   The terms defined in Article 4 of Regulation (EU) 2016/679 shall have the same meaning in this Regulation in so far as personal data are processed by the authorities of Member States for the purposes laid down in Article 6(1) of this Regulation.

3.   The terms defined in Article 3 of Directive (EU) 2016/680 shall have the same meaning in this Regulation in so far as personal data are processed by the authorities of the Member States for the purposes laid down in Article 6(2) of this Regulation.

Article 4

Borders at which the EES is operated and use of the EES at those borders

1.   The EES shall be operated at the external borders.

2.   The Member States which apply the Schengen acquis in full shall introduce the EES at their internal borders with Member States which do not yet apply the Schengen acquis in full but operate the EES.

3.   The Member States which apply the Schengen acquis in full and the Member States which do not yet apply the Schengen acquis in full but operate the EES shall introduce the EES at their internal borders with the Member States which do not yet apply the Schengen acquis in full and do not operate the EES.

4.   Member States which do not yet apply the Schengen acquis in full but operate the EES shall introduce the EES at their internal borders as defined under points (b) and (c) of Article 2(1) of Regulation (EU) 2016/399.

5.   By way of derogation from the third and fourth subparagraphs of Article 23(2) and from Article 27, a Member State which does not yet apply the Schengen acquis in full but operates the EES shall introduce the EES without biometric functionalities at its internal land borders with a Member State which does not yet apply the Schengen acquis in full but operates the EES. Where, at those internal borders, a third-country national has not yet been registered in the EES, that third-country national’s individual file shall be created without recording biometric data. Biometric data shall be added at the next border crossing point where the EES is operated with biometric functionalities.

Article 5

Set-up of the EES

eu-LISA shall develop the EES and ensure its operational management, including the functionalities for processing biometric data as referred to in point (d) of Article 16(1) and points (b) and (c) of Article 17(1), as well as the adequate security of the EES.

Article 6

Objectives of the EES

1.   By recording and storing data in the EES and by providing Member States with access to such data, the objectives of the EES shall be to:

2.   By granting access to designated authorities in accordance with the conditions set out in this Regulation, the objectives of the EES shall be to:

3.   The EES shall, where relevant, support Member States in operating their national facilitation programmes established in accordance with Article 8d of Regulation (EU) 2016/399, in order to facilitate border crossing for third-country nationals, by:

Article 7

Technical architecture of the EES

1.   The EES shall be composed of:

2.   The EES Central System shall be hosted by eu-LISA in its technical sites. It shall provide the functionalities laid down in this Regulation in accordance with the conditions of availability, quality and speed pursuant to Article 37(3).

3.   Without prejudice to Commission Decision 2008/602/EC (38), certain hardware and software components of the Communication Infrastructure of the EES shall be shared with the communication infrastructure of the VIS referred to in Article 1(2) of Decision 2004/512/EC. Logical separation of VIS data and EES data shall be ensured.

Article 8

Interoperability with the VIS

1.   eu-LISA shall establish a Secure Communication Channel between the EES Central System and the VIS Central System to enable interoperability between the EES and the VIS. Direct consultation between the EES and the VIS shall only be possible where provided for by both this Regulation and Regulation (EC) No 767/2008. The retrieval of visa-related data from the VIS, their importation into the EES and the updating of data from the VIS in the EES shall be an automated process once the operation in question is launched by the authority concerned.

2.   Interoperability shall enable the border authorities using the EES to consult the VIS from the EES in order to:

3.   Interoperability shall enable the visa authorities using the VIS to consult the EES from the VIS in order to:

4.   For the operation of the EES web service referred to in Article 13, the separate read-only database referred to in Article 13(5) shall be updated on a daily basis by the VIS via a one-way extraction of the minimum necessary subset of VIS data.

Article 9

Access to the EES for entering, amending, erasing and consulting data

1.   Access to the EES for entering, amending, erasing and consulting the data referred to in Article 14 and Articles 16 to 20 shall be reserved exclusively for the duly authorised staff of the national authorities of each Member State which are competent for the purposes laid down in Articles 23 to 35. That access shall be limited to the extent necessary for the performance of the tasks of those national authorities in accordance with those purposes and shall be proportionate to the objectives pursued.

2.   Each Member State shall designate the competent national authorities which shall be border authorities, visa authorities and immigration authorities for the purposes of this Regulation. The duly authorised staff of the competent national authorities shall have access to the EES to enter, amend, erase or consult data. Each Member State shall communicate a list of those competent national authorities to eu-LISA without delay. That list shall specify for which purpose each authority is to have access to the data stored in the EES.

3.   The authorities entitled to consult or access the EES data in order to prevent, detect and investigate terrorist offences or other serious criminal offences shall be designated in accordance with Chapter IV.

Article 10

General principles

1.   Each competent authority authorised to access the EES shall ensure that the use of the EES is necessary, appropriate and proportionate.

2.   Each competent authority shall ensure that the use of the EES, including the capturing of biometric data, is in accordance with the safeguards laid down in the Convention for the Protection of Human Rights and Fundamental Freedoms, in the Charter of Fundamental Rights of the European Union and in the United Nations Convention on the Rights of the Child. In particular, when capturing a child’s data, the best interests of the child shall be a primary consideration.

Article 11

Automated calculator and obligation to inform third-country nationals on the remaining authorised stay

1.   The EES shall include an automated calculator that indicates the maximum duration of authorised stay for third-country nationals registered in the EES.

The automated calculator shall not apply to third-country nationals:

2.   The automated calculator shall inform the competent authorities:

3.   The border authorities shall inform the third-country national of the maximum duration of authorised stay, which shall take into account the number of entries and the length of stay authorised by the visa in accordance with Article 8(9) of Regulation (EU) 2016/399. That information shall be provided either by the border guard at the moment of the border checks or by means of equipment installed at the border crossing point enabling the third-country national to consult the web service as referred to in Article 13(1) and (2) of this Regulation.

4.   For third-country nationals subject to a visa requirement staying on the basis of a short-stay visa or a national short-stay visa in a Member State which does not yet apply the Schengen acquis in full but operates the EES, the automated calculator shall not indicate the authorised stay based on the short-stay visa or the national short-stay visa.

In the case referred to in the first subparagraph, the automated calculator shall only verify:

5.   For the purpose of verifying whether third-country nationals holding a short-stay visa issued for one or two entries have already used the number of entries authorised by their short-stay visa, the automated calculator shall only take into account entries into the territory of Member States which apply the Schengen acquis in full. That verification shall not be carried out, however, at the entry into the territory of Member States which do not yet apply the Schengen acquis in full but operate the EES.

6.   The automated calculator shall also apply to short stays based on a short-stay visa with limited territorial validity issued pursuant to point (b) of Article 25(1) of Regulation (EC) No 810/2009. In that case, the automated calculator shall take into account the authorised stay as defined by such a visa, irrespective of whether the cumulative stay of the third-country national concerned exceeds 90 days in any 180-day period.

Article 12

Information mechanism

1.   The EES shall include a mechanism that shall automatically identify which entry/exit records do not have exit data immediately following the date of expiry of an authorised stay and automatically identify records for which the maximum duration of authorised stay was exceeded.

2.   For third-country nationals who cross a border on the basis of a valid Facilitated Transit Document issued in accordance with Council Regulation (EC) No 693/2003 (39) (FTD), the EES shall include a mechanism which shall automatically identify which entry/exit records do not have exit data immediately following the time of expiry of authorised stay and automatically identify records for which the maximum duration of authorised stay has been exceeded.

3.   A list generated by the EES containing the data referred to in Articles 16 and 17 of all persons identified as overstayers shall be available to the competent national authorities designated in accordance with Article 9(2) in order to enable those authorities to adopt appropriate measures.

Article 13

Web service

1.   In order to enable third-country nationals to verify at any moment the remaining authorised stay, a secure internet access to a web service hosted by eu-LISA in its technical sites shall allow third-country nationals to provide the data required pursuant to point (b) of Article 16(1) together with their intended date of entry or exit, or both. On that basis, the web service shall provide third-country nationals with an OK/NOT OK answer, as well as the information on the remaining authorised stay.

2.   By way of derogation from paragraph 1, for an intended stay in a Member State which does not yet apply the Schengen acquis in full but operates the EES, the web service shall not provide any information on the authorised stay based on a short-stay visa or a national short-stay visa.

In the case referred to in the first subparagraph, the web service shall enable third-country nationals to verify the compliance with the overall limit of 90 days in any 180-day period and to receive information on the remaining authorised stay under that limit. This information shall be provided for stays in the 180-day period preceding the consultation of the web service or their intended date of entry or exit, or both.

3.   In order to fulfil their obligation under point (b) of Article 26(1) of the Convention implementing the Schengen Agreement, carriers shall use the web service to verify whether third-country nationals holding a short-stay visa issued for one or two entries have already used the number of entries authorised by their visa. Carriers shall provide the data listed under points (a), (b) and (c) of Article 16(1) of this Regulation. On that basis, the web service shall provide carriers with an OK/NOT OK answer. Carriers may store the information sent and the answer received in accordance with the applicable law. Carriers shall establish an authentication scheme to ensure that only authorised staff may access the web service. It shall not be possible to regard the OK/NOT OK answer as a decision to authorise or refuse entry in accordance with Regulation (EU) 2016/399.

4.   For the purpose of implementing Article 26(2) of the Convention implementing the Schengen Agreement or for the purpose of resolving any potential dispute arising from Article 26 of the Convention implementing the Schengen Agreement, eu-LISA shall keep logs of all data processing operations carried out within the web service by carriers. Those logs shall show the date and time of each operation, the data used for interrogation, the data transmitted by the web service and the name of the carrier in question.

Logs shall be stored for a period of two years. Logs shall be protected by appropriate measures against unauthorised access.

5.   The web service shall make use of a separate read-only database updated on a daily basis via a one-way extraction of the minimum necessary subset of EES and VIS data. eu-LISA shall be responsible for the security of the web service, for the security of the personal data it contains and for the process of extracting the personal data into the separate read-only database.

6.   The web service shall not enable carriers to verify whether third-country nationals holding a national short-stay visa issued for one or two entries have already used the number of entries authorised by that visa.

7.   The Commission shall adopt implementing acts concerning the detailed rules on the conditions for the operation of the web service and the data protection and security rules applicable to the web service. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).

CHAPTER II

ENTRY AND USE OF DATA BY COMPETENT AUTHORITIES

Article 14

Procedures for entering data in the EES

1.   Border authorities shall verify, in accordance with Article 23, whether a previous individual file has been created in the EES for the third-country national as well as his or her identity. Where a third-country national uses a self-service system for the pre-enrolment of data or for the carrying out of border checks, the verification shall be carried out through the self-service system.

2.   Where a previous individual file has been created for the third-country national, the border authority shall, where necessary:

The records referred to in point (b) of the first subparagraph of this paragraph shall be linked to the individual file of the third-country national concerned.

Where applicable, the data referred to in Article 19(1), (2), (4) and (5) shall be added to the entry/exit record of the third-country national concerned. The travel documents and identities used legitimately by a third-country national shall be added to the third-country national’s individual file.

Where a previous individual file is recorded and the third-country national presents a valid travel document which differs from the one that was previously recorded, the data referred to in point (d) of Article 16(1) and point (b) of Article 17(1) shall also be updated in accordance with Article 15.

3.   Where it is necessary to enter or update the entry/exit record data of a visa holder, the border authorities may retrieve from the VIS and import into the EES the data provided for in points (c) to (f) of Article 16(2) of this Regulation in accordance with Article 8 of this Regulation and Article 18a of Regulation (EC) No 767/2008.

4.   In the absence of a previous registration of a third-country national in the EES, the border authority shall create an individual file of that third-country national by entering the data referred to in Articles 16(1) and (6), 17(1) and 18(1) as applicable.

5.   Where a third-country national uses a self-service system for the pre-enrolment of data, Article 8a of Regulation (EU) 2016/399 shall apply. In that case, the third-country national may pre-enrol the individual file data or, if applicable, the data in the entry/exit record that need to be updated. The data shall be confirmed by the border authorities when the decision to authorise or to refuse entry has been taken in accordance with Regulation (EU) 2016/399. The data listed in points (c) to (f) of Article 16(2) of this Regulation may be retrieved from the VIS and imported into the EES.

6.   Where a third-country national uses a self-service system for the carrying out of the border checks, Article 8b of Regulation (EU) 2016/399 shall apply. In that case, the verification referred to in paragraph 1 of this Article shall be carried out through the self-service system.

7.   Where a third-country national uses an e-gate for crossing the external borders or the internal borders where controls have not yet been lifted, Article 8b of Regulation (EU) 2016/399 shall apply. In that case, the corresponding registration of the entry/exit record and the linking of that record to the individual file concerned shall be carried out through the e-gate.

8.   Without prejudice to Article 20 of this Regulation and Article 12(3) of Regulation (EU) 2016/399, where the short stay of a third-country national who is present on the territory of a Member State starts directly after a stay based on a residence permit or a long-stay visa and no previous individual file has been created, that third-country national may request the competent authorities referred to in Article 9(2) of this Regulation to create an individual file and an entry/exit record by entering the data referred to in Articles 16(1), (2) and (6) and 17(1) of this Regulation. Instead of the data referred to in point (a) of Article 16(2) of this Regulation, those competent authorities shall insert the date of the start of the short stay and, instead of the data referred to in point (b) of Article 16(2) of this Regulation, they shall insert the name of the authority that inserted those data.

Article 15

Facial image of third-country nationals

1.   Where it is necessary to create an individual file or to update the facial image referred to in point (d) of Article 16(1) and point (b) of Article 17(1), the facial image shall be taken live.

2.   By way of derogation from paragraph 1, in exceptional cases where the quality and resolution specifications set for the enrolment of the live facial image in the EES cannot be met, the facial image may be extracted electronically from the chip of the electronic Machine Readable Travel Document (eMRTD). In such cases, the facial image shall only be inserted into the individual file after electronic verification that the facial image recorded in the chip of the eMRTD corresponds to the live facial image of the third-country national concerned.

3.   Each Member State shall transmit once a year a report on the application of paragraph 2 to the Commission. That report shall include the number of third-country nationals concerned, as well as an explanation of the exceptional cases faced.

4.   The facial image of third-country nationals shall have sufficient image resolution and quality to be used in automated biometric matching.

5.   Within a period of two years following the start of operations of the EES, the Commission shall produce a report on the quality standards of facial images stored in the VIS and on whether they are such that they enable biometric matching with a view to using facial images stored in the VIS at borders and within the territory of the Member States for the verification of the identity of third-country nationals subject to a visa requirement, without storing such facial images in the EES. The Commission shall transmit that report to the European Parliament and to the Council. That report shall be accompanied, where considered appropriate by the Commission, by legislative proposals, including proposals to amend this Regulation, Regulation (EC) No 767/2008, or both, as regards the use of the facial images of third-country nationals stored in the VIS for the purposes referred to in this paragraph.

Article 16

Personal data of third-country nationals subject to a visa requirement

1.   At the borders at which the EES is operated, the border authority shall create the individual file of a third-country national subject to a visa requirement by entering the following data:

2.   On each entry of a third-country national subject to a visa requirement at a border at which the EES is operated, the following data shall be entered in an entry/exit record:

The entry/exit record referred to in the first subparagraph shall be linked to the individual file of that third-country national using the individual reference number created by the EES upon creation of that individual file.

3.   On each exit of a third-country national subject to a visa requirement at a border at which the EES is operated, the following data shall be entered in the entry/exit record:

Where that third-country national uses a visa other than the visa recorded in the last entry record, the data of the entry/exit record listed in points (d) to (g) of paragraph 2 shall be updated accordingly.

The entry/exit record referred to in the first subparagraph shall be linked to the individual file of that third-country national.

4.   Where there is no exit data immediately following the date of expiry of the authorised stay, the entry/exit record shall be identified with a flag by the EES and the data of the third-country national subject to a visa requirement, who has been identified as an overstayer, shall be entered into the list referred to in Article 12.

5.   In order to enter or update the entry/exit record of a third-country national subject to a visa requirement, the data provided for in points (c) to (f) of paragraph 2 of this Article may be retrieved from the VIS and imported into the EES by the border authority in accordance with Article 18a of Regulation (EC) No 767/2008.

6.   Where a third-country national benefits from the national facilitation programme of a Member State in accordance with Article 8d of Regulation (EU) 2016/399, the Member State concerned shall insert a notification in the individual file of that third-country national specifying the national facilitation programme of the Member State concerned.

7.   The specific provisions set out in Annex II shall apply to third-country nationals who cross the border on the basis of a valid FTD.

Article 17

Personal data of visa-exempt third-country nationals

1.   The border authority shall create the individual file of visa-exempt third-country nationals by entering the following:

2.   For visa-exempt third-country nationals, points (a), (b) and (c) of Article 16(2), points (a) and (b) of Article 16(3) and Article 16(4) shall apply mutatis mutandis.

3.   Children under the age of 12 shall be exempt from the requirement to give fingerprints.

4.   Persons for whom fingerprinting is physically impossible shall be exempt from the requirement to give fingerprints.

However, where the physical impossibility is of a temporary nature, that fact shall be recorded in the EES and the person shall be required to give the fingerprints on exit or at the subsequent entry. This information shall be deleted from the EES once the fingerprints have been given. The border authorities shall be entitled to request further clarification on the grounds for the temporary impossibility to give fingerprints. Member States shall ensure that appropriate procedures guaranteeing the dignity of the person are in place in the event of difficulties encountered in the capturing of fingerprints.

5.   Where the person concerned is exempt from the requirement to give fingerprints pursuant to paragraphs 3 or 4, the specific data field shall be marked as ‘not applicable’.

Article 18

Personal data of third-country nationals who have been refused entry

1.   Where a decision has been taken by the border authority, in accordance with Article 14 of and Annex V to Regulation (EU) 2016/399, to refuse the entry of a third-country national for a short stay on the territory of the Member States and where no previous file is recorded in the EES for that third-country national, the border authority shall create an individual file in which it shall enter:

2.   Where the third-country national is refused entry on the basis of a reason corresponding to point B, D or H of Part B of Annex V to Regulation (EU) 2016/399 and where no previous file with biometric data is recorded in the EES for that third-country national, the border authority shall create an individual file in which it shall enter the alphanumeric data required pursuant to Article 16(1) or Article 17(1) of this Regulation, as appropriate, as well as the following data:

3.   By way of derogation from paragraph 2 of this Article, where the reason corresponding to point H of Part B of Annex V to Regulation (EU) 2016/399 applies and the biometric data of the third-country national are recorded in the SIS alert that results in the refusal of entry, the biometric data of the third-country national shall not be entered in the EES.

4.   Where the third-country national is refused entry on the basis of a reason corresponding to point I of Part B of Annex V to Regulation (EU) 2016/399 and where no previous file with biometric data is recorded in the EES for that third-country national, the biometric data shall only be entered in the EES where the entry is refused because the third-country national is considered to be a threat to internal security, including, where appropriate, elements of public policy.

5.   Where a third-country national is refused entry on the basis of a reason corresponding to point J of Part B of Annex V to Regulation (EU) 2016/399, the border authority shall create the individual file of that third-country national without adding biometric data. If the third-country national possesses an eMRTD, the facial image shall be extracted from that eMRTD.

6.   Where a decision has been taken by the border authority, in accordance with Article 14 of and Annex V to Regulation (EU) 2016/399, to refuse the entry of a third-country national for a short stay to the territory of the Member States, the following data shall be entered in a separate refusal of entry record:

In addition, for third-country nationals subject to a visa requirement, the data provided for in points (d) to (g) of Article 16(2) of this Regulation shall be entered in the refusal of entry record.

In order to create or update the refusal of entry record of third-country nationals subject to a visa requirement, the data provided for in points (d), (e) and (f) of Article 16(2) of this Regulation may be retrieved from the VIS and imported into the EES by the competent border authority in accordance with Article 18a of Regulation (EC) No 767/2008.

7.   The refusal of entry record provided for in paragraph 6 shall be linked to the individual file of the third-country national concerned.

Article 19

Data to be added where an authorisation for short stay is revoked, annulled or extended

1.   Where a decision has been taken to revoke or annul an authorisation for short stay or a visa or to extend the duration of an authorised stay or visa, the competent authority that has taken such a decision shall add the following data to the latest relevant entry/exit record:

2.   Where the duration of authorised stay has been extended in accordance with Article 20(2) of the Convention implementing the Schengen Agreement, the competent authority that extended the authorised stay shall add the data regarding the period of extension of the authorised stay to the latest relevant entry/exit record and, where applicable, an indication that the authorised stay was extended in accordance with point (b) of Article 20(2) of the Convention implementing the Schengen Agreement.

3.   Where a decision has been taken to annul, revoke or extend a visa, the visa authority which has taken the decision shall immediately retrieve the data provided for in paragraph 1 of this Article from the VIS and import them directly into the EES in accordance with Articles 13 and 14 of Regulation (EC) No 767/2008.

4.   The entry/exit record shall indicate the grounds for revocation or annulment of the short stay, which shall be:

5.   The entry/exit record shall indicate the grounds for extending the duration of an authorised stay.

6.   When a person has departed or has been removed from the territory of the Member States pursuant to a decision as referred to in paragraph 4 of this Article, the competent authority shall enter the data in accordance with Article 14(2) in the related entry/exit record of that specific entry.

Article 20

Data to be added in case of rebuttal of the presumption that a third-country national does not fulfil the conditions of duration of authorised stay

Without prejudice to Article 22, where no individual file has been created in the EES for a third-country national present on the territory of a Member State or where there is no last relevant entry/exit record for such a third-country national, the competent authorities may presume that the third-country national does not fulfil or no longer fulfils the conditions relating to duration of authorised stay within the territory of the Member States.

In the case referred to in the first paragraph of this Article, Article 12 of Regulation (EU) 2016/399 shall apply and, if the presumption is rebutted in accordance with Article 12(3) of that Regulation, the competent authorities shall:

Article 21

Fall-back procedures where it is technically impossible to enter data or in the event of failure of the EES

1.   Where it is technically impossible to enter data in the EES Central System or in the event of a failure of the EES Central System, the data referred to in Articles 16 to 20 shall be temporarily stored in the NUI. Where that is not possible, the data shall be temporarily stored locally in an electronic format. In both cases, the data shall be entered in the EES Central System as soon as the technical impossibility or failure has been remedied. The Member States shall take the appropriate measures and deploy the required infrastructure, equipment and resources to ensure that such temporary local storage may be carried out at any time and for any of their border crossing points.

2.   Without prejudice to the obligation to carry out border checks under Regulation (EU) 2016/399, the border authority, in the exceptional situation where it is technically impossible to enter data in both the EES Central System and in the NUI and it is technically impossible to temporarily store the data locally in an electronic format, shall manually store the data referred to in Articles 16 to 20 of this Regulation, with the exception of biometric data, and shall affix an entry or exit stamp in the travel document of the third-country national. That data shall be entered in the EES Central System as soon as technically possible.

Member States shall inform the Commission of the stamping of travel documents in the event of the exceptional situations referred to in the first subparagraph of this paragraph. The Commission shall adopt implementing acts concerning the detailed rules on the information to be provided to the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).

3.   The EES shall indicate that data referred to in Articles 16 to 20 were entered as a result of a fall-back procedure and that the individual file created pursuant to paragraph 2 of this Article is missing biometric data. The biometric data shall be entered in the EES at the next border crossing.

Article 22

Transitional period and transitional measures

1.   For a period of 180 days after the EES has started operations, in order to verify, on entry and exit, that third-country nationals admitted for a short stay have not exceeded the maximum duration of authorised stay and, where relevant, to verify on entry that third-country nationals have not exceeded the number of entries authorised by the short-stay visa issued for one or two entries, the competent border authorities shall take into account the stays in the territory of the Member States during the 180 days preceding the entry or the exit by checking the stamps in the travel documents in addition to the entry/exit data recorded in the EES.

2.   Where a third-country national has entered the territory of the Member States before the EES has started operations and exits it after the EES has started operations, an individual file shall be created on exit and the date of entry as stamped in the passport shall be entered in the entry/exit record in accordance with Article 16(2). This rule shall not be limited to the 180 days after the EES has started operations as referred to in paragraph 1 of this Article. In case of a discrepancy between the entry stamp and the EES data, the stamp shall prevail.

Article 23

Use of data for verification at the borders at which the EES is operated

1.   Border authorities shall have access to the EES for verifying the identity and previous registration of the third-country national, for updating the EES data where necessary and for consulting the data to the extent required for the carrying out of border checks.

2.   While performing the tasks referred to in paragraph 1 of this Article, the border authorities shall have access to search with the data referred to in points (a), (b) and (c) of Article 16(1) and point (a) of Article 17(1).

In addition, for the purposes of consulting the VIS for verification in accordance with Article 18 of Regulation (EC) No 767/2008, for third-country nationals who are subject to a visa requirement, the border authorities shall launch a search in the VIS directly from the EES using the same alphanumeric data or, where applicable, consult the VIS in accordance with Article 18(2a) of Regulation (EC) No 767/2008.

If the search in the EES with the data set out in the first subparagraph of this paragraph indicates that data on the third-country national are recorded in the EES, the border authorities shall compare the live facial image of the third-country national with the facial image referred to in point (d) of Article 16(1) and point (b) of Article 17(1) of this Regulation or the border authorities shall, in the case of visa-exempt third-country nationals, proceed to a verification of fingerprints against the EES and, in the case of third-country nationals subject to a visa requirement, proceed to a verification of fingerprints directly against the VIS in accordance with Article 18 of Regulation (EC) No 767/2008. For the verification of fingerprints against the VIS for visa holders, the border authorities may launch the search in the VIS directly from the EES as provided in Article 18(6) of that Regulation.

If the verification of the facial image fails, the verification shall be carried out using fingerprints and vice versa.

3.   If the search with the data set out in paragraph 2 indicates that data on the third-country national are recorded in the EES, the border authority shall be given access to consult the data of the individual file of that third-country national and the entry/exit record or records or refusal of entry record or records linked to it.

4.   Where the search with the alphanumeric data set out in paragraph 2 of this Article indicates that data on the third-country national are not recorded in the EES, where a verification of the third-country national pursuant to paragraph 2 of this Article fails or where there are doubts as to the identity of the third-country national, the border authorities shall have access to data for identification in accordance with Article 27 of this Regulation.

In addition to the identification referred to in first subparagraph of this paragraph, the following provisions shall apply:

5.   For third-country nationals whose data are already recorded in the EES but whose individual file was created in the EES by a Member State which does not yet apply the Schengen acquis in full but operates the EES and whose data were entered in the EES on the basis of a national short-stay visa, the border authorities shall consult the VIS in accordance with point (a) of the second subparagraph of paragraph 4 when, for the first time after the creation of the individual file, the third-country national intends to cross the border of a Member State which applies the Schengen acquis in full and operates the EES.

CHAPTER III

USE OF THE EES BY OTHER AUTHORITIES

Article 24

Use of the EES for examining and deciding on visas

1.   Visa authorities shall consult the EES for examining visa applications and adopting decisions relating to those applications, including decisions to annul, revoke or extend the period of validity of an issued visa, in accordance with Regulation (EC) No 810/2009.

In addition, visa authorities of a Member State which does not yet apply the Schengen acquis in full but operates the EES shall consult the EES when examining national short-stay visa applications and adopting decisions relating to those applications, including decisions to annul, revoke or extend the period of validity of an issued national short-stay visa.

2.   Visa authorities shall be given access to search the EES directly from the VIS with one or several of the following data:

3.   If the search with the data set out in paragraph 2 indicates that data on the third-country national are recorded in the EES, visa authorities shall be given access to consult the data of the individual file of that third-country national and the entry/exit records, as well as any refusal of entry records linked to that individual file. Visa authorities shall be given access to consult the automated calculator in order to check the maximum remaining duration of an authorised stay. Visa authorities shall also be given access to consult the EES and the automated calculator when examining and taking decisions on new visa applications, so as to automatically establish the maximum duration of authorised stay.

4.   Visa authorities of a Member State which does not yet apply the Schengen acquis in full but operates the EES shall be given access to search the EES with one or several of the data set out in paragraph 2. If the search indicates that data on the third-country national are recorded in the EES, they shall be given access to consult the data of the individual file of that third-country national and the entry/exit records, as well as any refusal of entry records linked to that individual file. Visa authorities of a Member State which does not yet apply the Schengen acquis in full but operates the EES shall be given access to consult the automated calculator in order to establish the maximum remaining duration of an authorised stay. Visa authorities shall also be given access to consult the EES and the automated calculator when examining and taking decisions on new visa applications, so as to establish the maximum duration of authorised stay.

Article 25

Use of the EES for examining applications for access to national facilitation programmes

1.   The competent authorities referred to in Article 8d of Regulation (EU) 2016/399 shall consult the EES for the purposes of the examination of applications for access to national facilitation programmes referred to in that Article and the adoption of decisions relating to those applications, including decisions to refuse, revoke or extend the period of validity of access to the national facilitation programmes in accordance with that Article.

2.   The competent authorities shall be given access to search with one or several of the following:

3.   If the search with the data set out in paragraph 2 indicates that data on the third-country national are recorded in the EES, the competent authority shall be given access to consult the data of the individual file of that third-country national and the entry/exit records, as well as any refusal of entry records linked to that individual file.

Article 26

Access to data for verification within the territory of the Member States

1.   For the purpose of verifying the identity of the third-country national, or checking or verifying whether the conditions for entry to, or stay on, the territory of the Member States are fulfilled, or both, the immigration authorities of the Member States shall have access to search with the data referred to in points (a), (b) and (c) of Article 16(1) and point (a) of Article 17(1).

If the search indicates that data on the third-country national are recorded in the EES, the immigration authorities may:

2.   If the search with the data set out in paragraph 1 indicates that data on the third-country national are recorded in the EES, the immigration authorities shall be given access to consult the automated calculator, the data of the individual file of that third-country national, the entry/exit record or records and any refusal of entry record linked to that individual file.

3.   Where the search with the data set out in paragraph 1 of this Article indicates that data on the third-country national are not recorded in the EES, where verification of the third-country national fails or where there are doubts as to the identity of the third-country national, the immigration authorities shall have access to data for identification in accordance with Article 27.

Article 27

Access to data for identification

1.   The border authorities or immigration authorities shall have access to search with the fingerprint data or the fingerprint data combined with the facial image, for the sole purpose of identifying any third-country national who may have been registered previously in the EES under a different identity or who does not fulfil or no longer fulfils the conditions for entry to, or for stay on, the territory of the Member States.

Where the search with the fingerprint data or with the fingerprint data combined with the facial image indicates that data on that third-country national are not recorded in the EES, access to data for identification shall be carried out in the VIS in accordance with Article 20 of Regulation (EC) No 767/2008. At borders at which the EES is operated, prior to any identification against the VIS, the competent authorities shall first access the VIS in accordance with Articles 18 or 19a of Regulation (EC) No 767/2008.

Where the fingerprints of that third-country national cannot be used or the search with the fingerprint data or with the fingerprint data combined with the facial image has failed, the search shall be carried out with all or some of the data referred to in points (a), (b) and (c) of Article 16(1) and point (a) of Article 17(1).

2.   If the search with the data set out in paragraph 1 indicates that data on the third-country national are recorded in the EES, the competent authority shall be given access to consult the data of the individual file and the entry/exit records and refusal of entry records linked to it.

Article 28

Keeping of data retrieved from the EES

Data retrieved from the EES pursuant to this Chapter may be kept in national files only where necessary in an individual case, in accordance with the purpose for which they were retrieved and with relevant Union law, in particular on data protection, and for no longer than strictly necessary in that individual case.

CHAPTER IV

PROCEDURE AND CONDITIONS FOR ACCESS TO THE EES FOR LAW ENFORCEMENT PURPOSES

Article 29

Member States’ designated authorities

1.   Member States shall designate the authorities which are entitled to consult the EES data in order to prevent, detect and investigate terrorist offences or other serious criminal offences.

2.   Each Member State shall keep a list of the designated authorities. Each Member State shall notify eu-LISA and the Commission of its designated authorities and may at any time amend or replace its notification.

3.   Each Member State shall designate a central access point which shall have access to the EES. The central access point shall verify that the conditions to request access to the EES laid down in Article 32 are fulfilled.

The designated authority and the central access point may be part of the same organisation if permitted under national law, but the central access point shall act fully independently of the designated authorities when performing its tasks under this Regulation. The central access point shall be separate from the designated authorities and shall not receive instructions from them as regards the outcome of the verification which it shall carry out independently.

Member States may designate more than one central access point to reflect their organisational and administrative structures in the fulfilment of their constitutional or legal requirements.

4.   Member States shall notify eu-LISA and the Commission of their central access points and may at any time amend or replace their notifications.

5.   At national level, each Member State shall keep a list of the operating units within the designated authorities that are authorised to request access to EES data through the central access points.

6.   Only duly empowered staff of the central access points shall be authorised to access the EES in accordance with Articles 31 and 32.

Article 30

Europol

1.   Europol shall designate one of its operating units as the ‘Europol designated authority’ and shall authorise it to request access to the EES through the Europol central access point referred to in paragraph 2 in order to support and strengthen action by Member States in preventing, detecting and investigating terrorist offences or other serious criminal offences.

2.   Europol shall designate a specialised unit with duly empowered Europol officials as the Europol central access point. The Europol central access point shall verify that the conditions to request access to the EES laid down in Article 33 are fulfilled.

The Europol central access point shall act independently when performing its tasks under this Regulation and shall not receive instructions from the Europol designated authority as regards the outcome of the verification.

Article 31

Procedure for access to the EES for law enforcement purposes

1.   An operating unit as referred to in Article 29(5) shall submit a reasoned electronic or written request to a central access point as referred to in Article 29(3) for access to EES data. Upon receipt of a request for access, such a central access point shall verify whether the conditions for access referred to in Article 32 are fulfilled. If the conditions for access are fulfilled, such a central access point shall process the request. The EES data accessed shall be transmitted to an operating unit as referred to in Article 29(5) in such a way that the security of the data is not compromised.

2.   In a case of urgency, where there is a need to prevent an imminent danger to the life of a person associated with a terrorist offence or another serious criminal offence, a central access point as referred to in Article 29(3) shall process the request immediately and shall only verify ex post whether all the conditions referred to in Article 32 are fulfilled, including whether a case of urgency actually existed. The ex post verification shall take place without undue delay and in any event no later than seven working days after the processing of the request.

3.   Where an ex post verification determines that the access to EES data was not justified, all the authorities that accessed such data shall erase the information accessed from the EES and shall inform the relevant central access point of the Member State in which the request was made of the erasure.

Article 32

Conditions for access to EES data by designated authorities

1.   Designated authorities may access the EES for consultation where all of the following conditions are met:

2.   Access to the EES as a tool for the purpose of identifying an unknown suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence shall be allowed where, in addition to the conditions listed in paragraph 1, the following conditions are met:

However, the additional conditions in points (a) and (b) of the first subparagraph shall not apply where there are reasonable grounds to believe that a comparison with the systems of the other Member States would not lead to the verification of the identity of the data subject or in a case of urgency where there is a need to prevent an imminent danger to the life of a person associated with a terrorist offence or another serious criminal offence. Those reasonable grounds shall be included in the electronic or written request sent by the operating unit of the designated authority to the central access point.

A request for consultation of the VIS on the same data subject may be submitted in parallel to a request for consultation of the EES in accordance with the conditions laid down in Council Decision 2008/633/JHA (41).

3.   Access to the EES as a tool to consult the travel history or the periods of stay on the territory of the Member States of a known suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence shall be allowed when the conditions listed in paragraph 1 are met.

4.   Consultation of the EES for the purpose of identification as referred to in paragraph 2 shall be limited to searching in the individual file with any of the following EES data:

Consultation of the EES, in the event of a hit, shall give access to any other data taken from the individual file as listed in Article 16(1) and (6), Article 17(1) and Article 18(1).

5.   Consultation of the EES for the travel history of the third-country national concerned shall be limited to searching with one or several of the following EES data in the individual file, in the entry/exit records or in the refusal of entry records:

Consultation of the EES shall, in the event of a hit, give access to the data listed in the first subparagraph as well as to any other data taken from the individual file, the entry/exit records and refusal of entry records, including data related to the revocation or extension of an authorisation for short stay in accordance with Article 19.

Article 33

Procedure and conditions for access to EES data by Europol

1.   Europol shall have access to consult the EES where all the following conditions are met:

2.   Access to the EES as a tool for the purpose of identifying an unknown suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence shall be allowed where the conditions listed in paragraph 1 are met and the consultation, as a matter of priority, of the data stored in the databases that are technically and legally accessible by Europol has not made it possible to identify the person in question.

A request for consultation of the VIS on the same data subject may be submitted in parallel to a request for consultation of the EES in accordance with the conditions laid down in Decision 2008/633/JHA.

3.   The conditions laid down in Article 32(3), (4) and (5) shall apply accordingly.

4.   The Europol designated authority may submit a reasoned electronic request for the consultation of all EES data or a specific set of EES data to the Europol central access point referred to in Article 30(2). Upon receipt of a request for access, the Europol central access point shall verify whether the conditions for access set out in paragraphs 1 and 2 of this Article are fulfilled. If all conditions for access are fulfilled, the duly authorised staff of the Europol central access point shall process the requests. The EES data accessed shall be transmitted to the Europol designated authority in such a way that the security of the data is not compromised.

5.   Europol shall only process information obtained from a consultation of EES data subject to the authorisation of the Member State of origin. That authorisation shall be obtained via the Europol national unit of that Member State.

CHAPTER V

RETENTION AND AMENDMENT OF THE DATA

Article 34

Data retention period

1.   Each entry/exit record or refusal of entry record linked to an individual file shall be stored in the EES Central System for three years following the date of the exit record or of the refusal of entry record, as applicable.

2.   Each individual file together with the linked entry/exit record or records or refusal of entry records shall be stored in the EES Central System for three years and one day following the date of the last exit record or of the refusal of entry record if there is no entry record within three years from the date of the last exit record or refusal of entry record.

3.   If there is no exit record following the date of expiry of the period of authorised stay, the data shall be stored for a period of five years following the date of expiry of the period of authorised stay. The EES shall automatically inform the Member States three months in advance of the scheduled erasure of data on overstayers in order to enable them to adopt the appropriate measures.

4.   By way of derogation from paragraph 1, each entry/exit record registered for third-country nationals who have the status referred to in point (b) of Article 2(1) shall be stored in the EES for a maximum of one year after the exit of such third-country nationals. If there is no exit record the data shall be stored for a period of five years from the date of the last entry record.

5.   Upon expiry of the retention period referred to in paragraphs 1 to 4, the data in question shall automatically be erased from the EES Central System.

Article 35

Amendment of data and advance data erasure

1.   The Member State responsible shall have the right to amend data which it has entered in the EES by rectifying, completing or erasing the data.

2.   If the Member State responsible has evidence to suggest that data recorded in the EES are factually inaccurate or incomplete or that data were processed in the EES in breach of this Regulation, it shall check the data concerned and shall, if necessary, rectify or complete them in, or erase them from, the EES without delay and, where applicable, from the list of identified persons referred to in Article 12(3). The data may also be checked and rectified, completed or erased at the request of the person concerned in accordance with Article 52.

3.   By way of derogation from paragraphs 1 and 2 of this Article, where a Member State other than the Member State responsible has evidence to suggest that data recorded in the EES are factually inaccurate or incomplete or that data were processed in the EES in breach of this Regulation, it shall check the data concerned, provided it is possible to do so without consulting the Member State responsible and shall, if necessary, rectify or complete them in, or erase them from, the EES without delay and, where applicable, from the list of identified persons referred to in Article 12(3). Where it is not possible to check the data without consulting the Member State responsible, it shall contact the authorities of the Member State responsible within seven days, following which the Member State responsible shall check the accuracy of the data and the lawfulness of their processing within one month. The data may also be checked and rectified, completed or erased at the request of the third-country national concerned in accordance with Article 52.

4.   Where a Member State has evidence to suggest that visa-related data recorded in the EES are factually inaccurate or incomplete or that such data were processed in the EES in breach of this Regulation, it shall first check the accuracy of those data against the VIS and shall, if necessary, rectify or complete them in, or erase them from, the EES. Where the data recorded in the VIS are the same as those recorded in the EES, it shall inform the Member State responsible for entering those data in the VIS immediately through the infrastructure of the VIS in accordance with Article 24(2) of Regulation (EC) No 767/2008. The Member State responsible for entering the data in the VIS shall check those data and shall, if necessary, immediately rectify or complete them in, or erase them from, the VIS and inform the Member State concerned which shall, if necessary, rectify or complete them in, or erase them from, the EES without delay and, where applicable, the list of identified persons referred to in Article 12(3).

5.   The data of identified persons referred to in Article 12 shall be erased without delay from the list referred to in that Article and shall be rectified or completed in the EES where the third-country national concerned provides evidence, in accordance with the national law of the Member State responsible or of the Member State to which the request has been made, that he or she was forced to exceed the duration of authorised stay due to unforeseeable and serious events, that he or she has acquired a legal right to stay or in case of errors. Without prejudice to any available administrative or non-judicial remedy, that third-country national shall have access to an effective judicial remedy to ensure the data are rectified, completed or erased.

6.   Where a third-country national has acquired the nationality of a Member State or has fallen under the scope of Article 2(3) before the expiry of the applicable period referred to in Article 34, the individual file and the entry/exit records linked to that individual file in accordance with Articles 16 and 17 and the refusal of entry records linked to that individual file in accordance with Article 18 shall, without delay, and in any event not later than five working days from the date on which that third-country national has acquired the nationality of a Member State or has fallen under the scope of Article 2(3) before the expiry of the period referred to in Article 34, be erased from the EES, as well as, where applicable, from the list of identified persons referred to in Article 12(3), by:

Where a third-country national has acquired the nationality of Andorra, Monaco or San Marino or where a third-country national is in a possession of a passport issued by the Vatican City State, he or she shall inform the competent authorities of the Member State he or she next enters of that change. That Member State shall erase his or her data without delay from the EES. The third-country national in question shall have access to an effective judicial remedy to ensure that the data are erased.

7.   The EES Central System shall immediately inform all Member States of the erasure of EES data and where applicable from the list of identified persons referred to in Article 12(3).

8.   Where a Member State other than the Member State responsible has rectified, completed or erased data in accordance with this Regulation, that Member State shall become the Member State responsible for the rectification, completion or erasure. The EES shall record all rectifications, completions and erasures of data.

CHAPTER VI

DEVELOPMENT, OPERATION AND RESPONSIBILITIES

Article 36

Adoption of implementing acts by the Commission prior to development

The Commission shall adopt the implementing acts necessary for the development and technical implementation of the EES Central System, the NUIs, the Communication Infrastructure, the web service referred to in Article 13 and the data repository referred to in Article 63(2), in particular measures for:

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).

For the adoption of the implementing acts set out in point (i) of the first paragraph of this Article, the Committee set up by Article 68 of this Regulation shall consult the VIS Committee set up by Article 49 of Regulation (EC) No 767/2008.

Article 37

Development and operational management

1.   eu-LISA shall be responsible for the development of the EES Central System, the NUIs, the Communication Infrastructure and the Secure Communication Channel between the EES Central System and the VIS Central System. eu-LISA shall also be responsible for the development of the web service referred to in Article 13 and the data repository referred to in Article 63(2) in accordance with the detailed rules referred to in Articles 13(7) and 63(2) and the specifications and conditions adopted pursuant to points (h) and (j) of the first paragraph of Article 36.

eu-LISA shall define the design of the physical architecture of the EES including its Communication Infrastructure, as well as the technical specifications and their evolution regarding the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 of this Regulation and the data repository referred to in Article 63(2) of this Regulation. Those technical specifications shall be adopted by eu-LISA’s Management Board, subject to a favourable opinion of the Commission. eu-LISA shall also implement any necessary adaptations to the VIS deriving from the establishment of interoperability with the EES as well as from the implementation of the amendments to Regulation (EC) No 767/2008 set out in Article 61 of this Regulation.

eu-LISA shall develop and implement the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 and the data repository referred to Article 63(2) as soon as possible after the adoption by the Commission of the measures provided for in Article 36.

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

When developing, and when implementing, the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 and the data repository referred to in Article 63(2), the tasks of eu–LISA shall also be to:

2.   During the designing and development phase, a Programme Management Board composed of a maximum of ten members shall be established. It shall be composed of seven members appointed by eu-LISA’s Management Board from among its members or alternate members, the Chair of the EES Advisory Group referred to in Article 69, a member representing eu-LISA appointed by its Executive Director and one member appointed by the Commission. The members appointed by eu-LISA’s Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA and which comply with the conditions set out in Article 66(2).

The Programme Management Board shall meet regularly and at least three times per quarter. It shall ensure the adequate management of the design and development phase of the EES and ensure the consistency between central and national EES projects.

The Programme Management Board shall submit written reports every month to eu-LISA’s Management Board on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of eu-LISA’s Management Board.

eu-LISA’s Management Board shall establish the rules of procedure of the Programme Management Board which shall include in particular rules on:

The chairmanship of the Programme Management Board shall be held by a Member State which is fully bound under Union law by the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA.

All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA and Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. eu-LISA shall provide the Programme Management Board with a secretariat.

During the designing and development phase, the EES Advisory Group referred to in Article 69 shall be composed of national EES project managers and chaired by eu-LISA. It shall meet regularly and at least three times per quarter until the start of operations of the EES. It shall report after each meeting to the Programme Management Board. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow-up on the state of preparation of the Member States.

3.   eu-LISA shall be responsible for the operational management of the EES Central System, the NUIs and the Secure Communication Channel between the EES Central System and the VIS Central System. It shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 and the data repository referred to Article 63(2). eu-LISA shall also be responsible for the operational management of the Communication Infrastructure between the EES Central System and the NUIs, for the web-service referred to in Article 13 and the data repository referred to Article 63(2).

Operational management of the EES shall consist of all the tasks necessary to keep the EES functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the EES functions at a satisfactory level of operational quality, in particular as regards the response time for interrogation of the EES Central System by border authorities, in accordance with the technical specifications.

4.   Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (42), eu-LISA shall ensure that those members of its staff who are required to work with EES data or with data stored in the EES apply appropriate rules of professional secrecy or other equivalent duties of confidentiality. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 38

Responsibilities of Member States and Europol

1.   Each Member State shall be responsible for:

2.   Each Member State shall designate a national authority, which shall provide the competent authorities referred to in Article 9(2) with access to the EES. Each Member State shall connect that national authority to the NUI. Each Member State shall connect their respective central access points referred to in Article 29 to the NUI.

3.   Each Member State shall use automated procedures for processing EES data.

4.   Member States shall ensure that the technical performance of the border control infrastructure, its availability, the duration of the border checks and the data quality are closely monitored in order to ensure that they meet the overall requirements for the proper functioning of the EES and an efficient border check procedure.

5.   Before being authorised to process data stored in the EES, the staff of the authorities having a right to access the EES shall be given appropriate training on, in particular, data security and data protection rules, as well as on relevant fundamental rights.

6.   Member States shall not process the data in or from the EES for purposes other than those laid down in this Regulation.

7.   Europol shall assume the responsibilities provided for in point (d) of paragraph 1 and in paragraphs 3, 5 and 6. It shall connect, and be responsible for the connection of, the Europol central access point to the EES.

Article 39

Responsibility for data processing

1.   In relation to the processing of personal data in the EES, each Member State shall designate the authority which is to be considered as controller in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 and which shall have central responsibility for the processing of data by that Member State. Each Member State shall communicate the details of that authority to the Commission.

Each Member State shall ensure that the data collected and recorded in the EES is processed lawfully and, in particular, that only duly authorised staff have access to the data for the performance of their tasks. The Member State responsible shall ensure, in particular, that the data are:

2.   eu-LISA shall ensure that the EES is operated in accordance with this Regulation and the implementing acts referred to in Article 36. In particular, eu-LISA shall:

3.   eu-LISA shall inform the European Parliament, the Council and the Commission, as well as the European Data Protection Supervisor, of the measures it takes pursuant to paragraph 2 in view of the start of operations of the EES.

Article 40

Keeping of data in national files and national entry/exit systems

1.   A Member State may keep the alphanumeric data which that Member State entered in the EES, in accordance with the purposes of the EES, in its national entry/exit system or equivalent national files, in full respect of Union law.

2.   The data shall not be kept in the national entry/exit systems or equivalent national files for longer than they are kept in the EES.

3.   Any use of data which does not comply with paragraph 1 shall be considered a misuse under the national law of each Member State as well as under Union law.

4.   This Article shall not be construed as requiring any technical adaptation of the EES. Member States may keep data in accordance with this Article at their own cost and risk and using their own technical means.

Article 41

Communication of data to third countries, international organisations and private entities

1.   Data stored in the EES shall not be transferred or made available to any third country, to any international organisation or to any private entity.

2.   By way of derogation from paragraph 1 of this Article, the data referred to in Article 16(1) and points (a), (b) and (c) of Article 17(1) of this Regulation may be transferred by border authorities or immigration authorities to a third country or to an international organisation listed in the Annex I to this Regulation in individual cases, if necessary in order to prove the identity of third-country nationals for the sole purpose of return, only where one of the following conditions is satisfied:

3.   The data referred to in Article 16(1) and points (a), (b) and (c) of Article 17(1) of this Regulation may be transferred in accordance with paragraph 2 of this Article only where all of the following conditions are satisfied:

4.   Transfers of personal data to third countries or to international organisations pursuant to paragraph 2 shall not prejudice the rights of applicants for and beneficiaries of international protection, in particular as regards non-refoulement.

5.   Personal data obtained from the EES Central System by a Member State or by Europol for law enforcement purposes shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. The prohibition shall also apply where those data are further processed at national level or between Member States pursuant to Directive (EU) 2016/680.

6.   By way of derogation from paragraph 5 of this Article, the data referred to in points (a), (b) and (c) of Article 16(1), points (a) and (b) of Article 16(2), points (a) and (b) of Article 16(3) and point (a) of Article 17(1) may be transferred by the designated authority to a third country in individual cases, only where all of the following conditions are met:

Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.

Article 42

Conditions for communication of data to a Member State which does not yet operate the EES and to a Member State to which this Regulation does not apply

1.   The data referred to in points (a), (b) and (c) of Article 16(1), points (a) and (b) of Article 16(2), points (a) and (b) of Article 16(3) and point (a) of Article 17(1) may be transferred by a designated authority to a Member State which does not yet operate the EES and to a Member State to which this Regulation does not apply, in individual cases, only where all of the following conditions are met:

Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.

2.   Where data is provided pursuant to this Article, the same conditions as provided for in Article 43(1), Article 45(1) and (3), Article 48 and Article 58(4) shall apply mutatis mutandis.

Article 43

Data security

1.   The Member State responsible shall ensure the security of the data before and during the transmission to the NUI. Each Member State shall ensure the security of the data it receives from the EES.

2.   Each Member State shall, in relation to its national border infrastructure, adopt the necessary measures, including a security plan and a business continuity and disaster recovery plan, in order to:

3.   As regards the operation of the EES, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 2, including the adoption of a security plan and a business continuity and disaster recovery plan. eu-LISA shall also ensure reliability by making sure that necessary technical measures are put in place to ensure that personal data can be restored in the event of corruption due to a malfunctioning of the EES.

4.   eu-LISA and the Member States shall cooperate in order to ensure a harmonised data security approach based on a security risk management process encompassing the entire EES.

Article 44

Security incidents

1.   Any event that has or may have an impact on the security of the EES and may cause damage or loss to data stored in the EES shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed so as to ensure a quick, effective and proper response.

3.   Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the EES Central System, eu-LISA shall notify the Commission and the European Data Protection Supervisor.

4.   Information regarding a security incident that has or may have an impact on the operation of the EES or on the availability, integrity and confidentiality of the data shall be provided to the Member States and reported in compliance with the incident management plan to be provided by eu-LISA.

5.   The Member States concerned and eu-LISA shall cooperate in the event of a security incident.

Article 45

Liability

1.   Any person or Member State that has suffered material or immaterial damage as a result of an unlawful processing operation or any act not compliant with this Regulation shall be entitled to receive compensation from the Member State which is responsible for the damage suffered. That Member State shall be exempted from liability, in whole or in part, if it proves that it is not in any way responsible for the event which gave rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Regulation causes damage to the EES, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in the EES failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.

Article 46

Keeping of logs by eu-LISA and Member States

1.   eu-LISA shall keep logs of all data processing operations within the EES. Those logs shall include the following:

2.   For the consultations listed in Article 8, a log of each data processing operation carried out within the EES and the VIS shall be kept in accordance with this Article and Article 34 of Regulation (EC) No 767/2008. eu-LISA shall ensure, in particular, that the relevant log of the concerned data processing operations is kept when the competent authorities launch a data processing operation directly from one system to the other.

3.   In addition to paragraphs 1 and 2, each Member State shall keep logs of the staff duly authorised to process the EES data.

4.   Such logs may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security pursuant to Article 43. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after the retention period referred to in Article 34 has expired, unless they are required for monitoring procedures which have already begun.

Article 47

Self-monitoring

Member States shall ensure that each authority entitled to access EES data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authorities.

Article 48

Penalties

Member States shall take the necessary measures to ensure that any use of data entered in the EES in a manner contrary to this Regulation is punishable by effective, proportionate and disuasive penalties in accordance with national law, Article 84 of Regulation (EU) 2016/679 and Article 57 of Directive (EU) 2016/680.

Article 49

Data Protection

1.   Regulation (EC) No 45/2001 shall apply to the processing of personal data by eu-LISA on the basis of this Regulation.

2.   Regulation (EU) 2016/679 shall apply to the processing of personal data by national authorities on the basis of this Regulation, with the exception of processing for the purposes referred to in Article 1(2) of this Regulation.

3.   Directive (EU) 2016/680 shall apply to the processing of personal data by Member States’ designated authorities on the basis of this Regulation for the purposes referred to in Article 1(2) of this Regulation.

4.   Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol on the basis of this Regulation.

CHAPTER VII

RIGHTS AND SUPERVISION ON DATA PROTECTION

Article 50

Right of information

1.   Without prejudice to the right of information in Article 13 of Regulation (EU) 2016/679, third-country nationals whose data are to be recorded in the EES shall be informed by the Member State responsible of the following:

2.   The information provided in paragraph 1 of this Article shall be provided in writing, by any appropriate means, in a concise, transparent, intelligible and easily accessible form, and it shall be made available, using clear and plain language, in a linguistic version the person concerned understands or is reasonably expected to understand, in order to ensure that third-country nationals are informed of their rights, at the time when the individual file of the person concerned is being created in accordance with Article 16, 17 or 18.

3.   The Commission shall also set up a website containing the information referred to paragraph 1.

4.   The Commission shall adopt implementing acts drawing up the information referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).

5.   The Commission shall provide the information referred to in paragraph 1 of this Article in a template. The template shall be drawn up in such a manner as to enable Member States to complete it with additional Member State specific information. That Member State specific information shall include at least the rights of the data subject, the possibility of assistance by the supervisory authorities, as well as contact details of the office of the controller and of the data protection officer and the supervisory authorities. The Commission shall adopt implementing acts concerning the specifications and conditions for the website referred to in paragraph 3 of this Article. Those implementing acts shall be adopted prior to the start of operations of the EES in accordance with the examination procedure referred to in Article 68(2).

Article 51

Information campaign

The Commission shall, in cooperation with the supervisory authorities and the European Data Protection Supervisor, accompany the start of operations of the EES with an information campaign informing the public and, in particular, third-country nationals, about the objectives of the EES, the data stored in the EES, the authorities having access and the rights of persons concerned. Such information campaigns shall be conducted regularly.

Article 52

Right of access to, rectification, completion and erasure of personal data, and of restriction of the processing thereof

1.   The requests of third-country nationals in relation to the rights set out in Articles 15 to 18 of Regulation (EU) 2016/679 may be addressed to the competent authority of any Member State.

The Member State responsible or the Member State to which the request has been made shall reply to such requests within 45 days of receipt of the request.

2.   If a request for rectification, completion or erasure of personal data or restriction of the processing thereof is made to a Member State other than the Member State responsible, the authorities of the Member State to which the request has been made shall check the accuracy of the data and the lawfulness of the data processing in the EES within 30 days of the receipt of the request where that check can be done without consulting the Member State responsible. Otherwise, the Member State to which the request has been made shall contact the authorities of the Member State responsible within seven days and the Member State responsible shall check the accuracy of the data and the lawfulness of the data processing within 30 days of such contact.

3.   In the event that data recorded in the EES are factually inaccurate, incomplete or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall rectify, complete or erase the personal data or restrict the processing of personal data in accordance with Article 35. The Member State responsible or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without delay that it has taken action to rectify, complete or erase the personal data of that person or to restrict the processing of such personal data.

In the event that visa-related data recorded in the EES are factually incorrect, incomplete or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall first check the accuracy of these data against the VIS and shall, if necessary, amend them in the EES. Should the data recorded in the VIS be the same as in the EES, the Member State responsible or, where applicable, the Member State to which the request has been made, shall contact the authorities of the Member State which is responsible for entering these data in the VIS within seven days. The Member State which is responsible for entering the data in the VIS shall check the accuracy of the visa-related data and the lawfulness of their processing in the EES within 30 days of such contact and inform the Member State responsible or the Member State to which the request has been made which shall, if necessary, rectify or complete the personal data of the person concerned or restrict the processing of such data in, or erase such data from, the EES without delay and, where applicable, from the list of identified persons referred to in Article 12(3).

4.   If the Member State responsible or, where applicable, the Member State to which the request has been made does not agree that data recorded in the EES are factually inaccurate, incomplete or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the third-country national concerned without delay why it is not prepared to rectify, complete or erase the personal data relating to him or her or restrict the processing of such data.

5.   The Member State which has adopted the administrative decision pursuant to paragraph 4 of this Article shall also provide the third-country national concerned with information explaining the steps which he or she can take if he or she does not accept the explanation. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance that is available in accordance with the laws, regulations and procedures of that Member State, including from the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679.

6.   Any request made pursuant to paragraphs 1 and 2 shall contain the minimum information necessary to identify the third-country national concerned. Fingerprints may be requested for this purpose only in duly justified cases and where there are substantive doubts as to the identity of the applicant. That information shall be used exclusively to enable that third-country national to exercise the rights referred to in paragraph 1 and shall be erased immediately afterwards.

7.   Whenever a person makes a request in accordance with paragraph 1 of this Article, the competent authority of the Member State responsible or of the Member State to whom the request has been made shall keep a record in the form of a written document that such a request was made. That document shall contain information on how that request was dealt with and by which authority. The competent authority shall make that document available to the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679, within seven days.

Article 53

Cooperation to enforce the rights on data protection

1.   The competent authorities of the Member States shall cooperate actively to enforce the rights laid down in Article 52.

2.   In each Member State, the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall, upon request, assist and advise the data subject in exercising his or her right to rectify, complete or erase personal data relating to him or her or to restrict the processing of such data in accordance with Regulation (EU) 2016/679.

In order to achieve the aims referred to in the first subparagraph, the supervisory authority of the Member State responsible which transmitted the data and the supervisory authority of the Member State to which the request has been made shall cooperate with each other.

Article 54

Remedies

1.   Without prejudice to Articles 77 and 79 of Regulation (EU) 2016/679, in each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to, or right of rectification, completion or erasure of, data relating to him or her provided for in Article 52 and Article 53(2) of this Regulation. The right to bring such an action or complaint shall also apply in cases where requests for access, rectification, completion or erasure were not responded to within the deadlines provided for in Article 52 or were never dealt with by the data controller.

2.   The assistance of the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall remain available throughout the proceedings.

Article 55

Supervision by the supervisory authority

1.   Each Member State shall ensure that the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 independently monitors the lawfulness of the processing of personal data referred to in Chapters II, III, V and VI of this Regulation by the Member State concerned, including their transmission to and from the EES.

2.   The supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall ensure that an audit of the data processing operations in the national border infrastructure is carried out in accordance with relevant international auditing standards at least every three years from the start of operations of the EES. The results of the audit may be taken into account in the evaluations conducted under the mechanism established by Council Regulation (EU) No 1053/2013 (43). The supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall publish annually the number of requests for rectification, completion or erasure, or restriction of processing of data, the action subsequently taken and the number of rectifications, completions, erasures and restrictions of processing made in response to requests by the persons concerned.

3.   Member States shall ensure that their supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 has sufficient resources to fulfil the tasks entrusted to it under this Regulation and has access to advice from persons with sufficient knowledge of biometric data.

4.   Member States shall supply any information requested by the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 and shall, in particular, provide it with information on the activities carried out in accordance with Article 38, Article 39(1) and Article 43. Member States shall grant the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 access to their logs pursuant to Article 46 and allow it access at all times to all their EES related premises.

Article 56

Supervision by the European Data Protection Supervisor

1.   The European Data Protection Supervisor shall be responsible for monitoring the personal data processing activities of eu-LISA concerning the EES and for ensuring that such activities are carried out in accordance with Regulation (EC) No 45/2001 and with this Regulation.

2.   The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to eu-LISA and to the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

3.   eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 46 and allow him or her access to all its premises at any time.

Article 57

Cooperation between supervisory authorities sssand the European Data Protection Supervisor

1.   The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities and shall ensure coordinated supervision of the EES and the national border infrastructures.

2.   The supervisory authorities and the European Data Protection Supervisor shall exchange relevant information, assist each other in carrying out audits and inspections, examine any difficulties concerning the interpretation or application of this Regulation, assess problems in the exercise of independent supervision or in the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3.   For the purpose of paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year within the framework of the European Data Protection Board established by Regulation (EU) 2016/679 (the ‘European Data Protection Board’). The costs of those meetings shall be borne and their organisation shall be undertaken by that Board. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4.   A joint report of activities shall be sent by the European Data Protection Board to the European Parliament, to the Council, to the Commission and to eu-LISA every two years. That report shall include a chapter on each Member State prepared by the supervisory authorities of that Member State.

Article 58

Protection of personal data accessed in accordance with Chapter IV

1.   Each Member State shall ensure that the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 are also applicable to the access to the EES by its national authorities in line with Article 1(2) of this Regulation, including in relation to the rights of the persons whose data are so accessed.

2.   The supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680 shall monitor the lawfulness of the access to personal data by the Member States in accordance with Chapter IV of this Regulation, including their transmission to and from the EES. Article 55(3) and (4) of this Regulation shall apply accordingly.

3.   The processing of personal data by Europol pursuant to this Regulation shall be carried out in accordance with Regulation (EU) 2016/794 and shall be supervised by the European Data Protection Supervisor.

4.   Personal data accessed in the EES in accordance with Chapter IV shall only be processed for the purposes of the prevention, detection or investigation of the specific case for which the data have been requested by a Member State or by Europol.

5.   The EES Central System, the designated authorities, the central access points and Europol shall keep records of the searches for the purpose of enabling the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680 and the European Data Protection Supervisor to monitor the compliance of data processing with Union and national data protection rules. With the exception of that purpose, personal data, as well as the records of searches, shall be erased from all national and Europol files after 30 days, unless those data and records are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol.

Article 59

Logging and documentation

1.   Each Member State and Europol shall ensure that all data processing operations resulting from requests to access to EES data in accordance with Chapter IV are logged or documented for the purposes of checking the admissibility of the request, monitoring the lawfulness of the data processing and data integrity and security, and self-monitoring.

2.   The log or documentation shall show, in all cases:

3.   Logs and documentation shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs which do not contain personal data may be used for the monitoring and evaluation referred to in Article 72 of this Regulation. The supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, which is responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security, shall have access to these logs at its request for the purpose of fulfilling its duties.

CHAPTER VIII

AMENDMENTS TO OTHER UNION INSTRUMENTS

Article 60

Amendment to the Convention implementing the Schengen Agreement

Article 20 of the Convention implementing the Schengen Agreement is amended as follows:

Article 61

Amendments to Regulation (EC) No 767/2008

Regulation (EC) No 767/2008 is amended as follows:

Article 62

Amendments to Regulation (EU) No 1077/2011

Regulation (EU) No 1077/2011 is amended as follows:

CHAPTER IX

FINAL PROVISIONS

Article 63

Use of data for reporting and statistics

1.   The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data, solely for the purposes of reporting and statistics without allowing for individual identification and in accordance with the safeguards related to non-discrimination referred to in Article 10(2):

The duly authorised staff of the European Border and Coast Guard Agency established by Regulation (EU) 2016/1624 of the European Parliament and of the Council (44) shall have access to consult the data referred to in the first subparagraph of this paragraph for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 11 and 13 of that Regulation.

2.   For the purpose of paragraph 1 of this Article, eu-LISA shall establish, implement and host a data repository at a central level in its technical sites containing the data referred to in paragraph 1 of this Article. That data repository shall not allow for the identification of individuals, but it shall allow the authorities listed in paragraph 1 of this Article to obtain customisable reports and statistics on the entries and exits, refusals of entry and overstays of third-country nationals, to enhance the efficiency of border checks, to help consulates processing the visa applications and to support evidence-based Union migration policymaking. That data repository shall also contain daily statistics on the data referred to in paragraph 4. Access to that data repository shall be granted by means of secured access through TESTA with control of access and specific user profiles solely for the purpose of reporting and statistics. Detailed rules on the operation of that data repository and the data protection and security rules applicable to it shall be adopted in accordance with the examination procedure referred to in Article 68(2).

3.   The procedures put in place by eu-LISA to monitor the development and the functioning of the EES referred to in Article 72(1) shall include the possibility to produce regular statistics for ensuring that monitoring.

4.   Every quarter, eu-LISA shall publish statistics on the EES showing in particular the number, nationality, age, sex, duration of stay and border crossing point of entry of overstayers, of third-country nationals who were refused entry, including the grounds for refusal, and of third-country nationals whose authorisation for stay was revoked or extended, as well as the number of third-country nationals exempt from the requirement to give fingerprints.

5.   At the end of each year, statistical data shall be compiled in an annual report for that year. The statistics shall contain a breakdown of data for each Member State. The report shall be published and transmitted to the European Parliament, to the Council, to the Commission, to the European Border and Coast Guard Agency, to the European Data Protection Supervisor and to the national supervisory authorities.

6.   At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation as well as the statistics pursuant to paragraph 3.

Article 64

Costs

1.   The costs incurred in connection with the establishment and operation of the EES Central System, the Communication Infrastructure, the NUI, the web service and the data repository referred to in Article 63(2) shall be borne by the general budget of the Union.

2.   Costs incurred in connection with the integration of the existing national border infrastructure and its connection to the NUI as well as in connection with hosting the NUI shall be borne by the general budget of the Union.

The following costs shall be excluded:

3.   The costs incurred by the central access points referred to in Articles 29 and 30 shall be borne, respectively, by each Member State and Europol. The costs for the connection of those central access points to the NUI and to the EES shall be borne by each Member State and Europol, respectively.

4.   Each Member State and Europol shall set up and maintain at their expense the technical infrastructure necessary to implement Chapter IV and shall be responsible for bearing the costs resulting from access to the EES for that purpose.

Article 65

Notifications

1.   Member States shall notify the Commission of the authority which is to be considered as controller as referred to in Article 39.

2.   Member States shall notify the Commission and eu-LISA of the competent authorities referred to in Article 9(2) which have access to enter, rectify, complete, erase, consult or search data. Three months after the EES has started operations in accordance with Article 66, eu-LISA shall publish a consolidated list of those authorities in the Official Journal of the European Union. Member States shall also notify without delay any changes thereto. In the event of such changes, eu-LISA shall publish once a year an updated consolidated version of that information.

3.   Member States shall notify the Commission and eu-LISA of their designated authorities and of their central access points referred to in Article 29 and shall notify without delay any amendments thereto.

4.   Europol shall notify the Commission and eu-LISA of the authority it designates and its central access point referred to in Article 30 and shall notify without delay any amendments thereto.

5.   eu-LISA shall notify the Commission of the successful completion of the test referred to in point (b) of Article 66(1).

6.   The Commission shall publish the information referred to in paragraphs 1, 3 and 4 in the Official Journal of the European Union. In the event of changes thereto, the Commission shall publish once a year an updated consolidated version of that information. The Commission shall maintain a continuously updated public website containing that information.

Article 66

Start of operations

1.   The Commission shall decide the date from which the EES is to start operations, after the following conditions are met:

2.   The EES shall be operated by:

3.   A Member State which is not covered by paragraph 2 shall be connected to the EES as soon as the conditions referred to in points (b), (c) and (d) of paragraph 1 and point (b) of paragraph 2 are met. The Commission shall decide the date from which the EES is to start its operations in those Member States.

4.   The Commission shall inform the European Parliament and the Council of the results of the test carried out pursuant to point (b) of paragraph 1.

5.   The Commission decision referred to in paragraphs 1 and 3 shall be published in the Official Journal of the European Union.

6.   The Member States and Europol shall start using the EES from the date determined by the Commission in accordance with paragraph 1 or, where applicable, with paragraph 3.

Article 67

Ceuta and Melilla

This Regulation shall not affect the special rules applying to the cities of Ceuta and Melilla, as defined in the Declaration of the Kingdom of Spain on the cities of Ceuta and Melilla in the Final Act to the Agreement on the Accession of the Kingdom of Spain to the Convention implementing the Schengen Agreement of 14 June 1985.

Article 68

Committee procedure

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 69

Advisory Group

An Advisory Group shall be established by eu-LISA in order to provide it with the expertise related to the EES, in particular in the context of the preparation of its annual work programme and its annual activity report. During the design and development phase of the EES, Article 37(2) shall apply.

Article 70

Training

eu-LISA shall perform tasks related to provision of training on the technical use of the EES in accordance with Regulation (EU) No 1077/2011.

Article 71

Practical handbook

The Commission shall, in close cooperation with the Member States, eu-LISA and other relevant agencies, make available a practical handbook for the implementation and management of the EES. The practical handbook shall provide technical and operational guidelines, recommendations and best practices. The Commission shall adopt the practical handbook in the form of a recommendation.

Article 72

Monitoring and evaluation

1.   eu-LISA shall ensure that procedures are in place to monitor the development of the EES in light of objectives relating to planning and costs and to monitor the functioning of the EES in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.   By 30 June 2018, and every six months thereafter during the development phase of the EES, eu-LISA shall submit a report to the European Parliament and to the Council on the state of play of the development of the EES Central System, the Uniform Interfaces and the Communication Infrastructure between the EES Central System and the Uniform Interfaces. That report shall contain detailed information about the costs incurred and information as to any risks which may impact the overall costs of the EES to be borne by the general budget of the Union in accordance with Article 64(1) and the first subparagraph of Article 64(2). Following the development of the EES, eu-LISA shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved, as well as justifying any divergences.

3.   For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the EES.

4.   Two years after the start of operations of the EES and every two years thereafter, eu-LISA shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning of EES, including the security thereof.

5.   Three years after the start of operations of the EES and every four years thereafter, the Commission shall produce an overall evaluation of the EES. This overall evaluation shall include:

The evaluations shall include any necessary recommendations. The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007 (45).

Those evaluations shall also include an assessment of the use made of the provisions referred to in Article 60 both in terms of frequency — number of third-country nationals making use of these provisions per Member State, their nationality and average duration of their stay — and practical implications, and shall take into account any related developments in the Union’s visa policy. The first evaluation report may include options in view of phasing out the provisions referred to in Article 60 and replacing them with a Union instrument. It shall be accompanied, where appropriate, by a legislative proposal amending the provisions referred to in Article 60.

6.   The Member States and Europol shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 4 and 5 according to the quantitative indicators predefined by the Commission, eu-LISA, or both. This information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

7.   eu-LISA shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 5.

8.   While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of access to EES data for law enforcement purposes containing information and statistics on:

A technical solution shall be made available to Member States in order to facilitate the collection of the data listed in the first subparagraph of this paragraph for the purpose of generating statistics referred to in this paragraph. The Commission shall adopt implementing acts concerning the specifications of the technical solution. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).

Member States’ and Europol’s annual reports shall be transmitted to the Commission by 30 June of the subsequent year.

Article 73

Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply from the date decided by the Commission in accordance with Article 66(1) thereof, with the exception of the following provisions, which shall apply from 29 December 2017: Articles 5, 36, 37, 38, 43, 51 of this Regulation; point (5) of Article 61 of this Regulation, as regards Article 17a(5) of Regulation (EC) No 767/2008; point (10) of Article 61 of this Regulation, as regards Article 26(3a) of Regulation (EC) No 767/2008; and Articles 62, 64, 65, 66, 68, 69 and 70 and Article 72(2) of this Regulation.

(1)  OJ C 487, 28.12.2016, p. 66.

(2)  Position of the European Parliament of 25 October 2017 (not yet published in the Official Journal) and decision of the Council of 20 November 2017.

(3)  Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS) (OJ L 213, 15.6.2004, p. 5).

(4)  Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, p. 4).

(5)  Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p. 1).

(6)  Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p. 1).

(7)  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).

(8)  Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combatting terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

(9)  Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).

(10)  Regulation (EU) 2016/794 of the European Parliament and of the Council 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).

(11)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).

(12)  Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p. 1).

(13)  Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77).

(14)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(15)  Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(16)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

(17)  OJ L 239, 22.9.2000, p. 19.

(18)  Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).

(19)  Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis (OJ L 131, 1.6.2000, p. 43).

(20)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

(21)  OJ L 176, 10.7.1999, p. 36.

(22)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

(23)  OJ L 53, 27.2.2008, p. 52.

(24)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).

(25)  Council Decision 2008/149/JHA of 28 January 2008 on the conclusion on behalf of the European Union of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 50).

(26)  OJ L 160, 18.6.2011, p. 21.

(27)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).

(28)  Council Decision 2011/349/EU of 7 March 2011 on the conclusion on behalf of the European Union of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis relating in particular to judicial cooperation in criminal matters and police cooperation (OJ L 160, 18.6.2011, p. 1).

(29)  Council Decision 2010/365/EU of 29 June 2010 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 166, 1.7.2010, p. 17).

(30)  Council Decision (EU) 2017/733 of 25 April 2017 on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Croatia (OJ L 108, 26.4.2017, p. 31).

(31)  Council Decision (EU) 2017/1908 of 12 October 2017 on the putting into effect of certain provisions of the Schengen acquis relating to the Visa Information System in the Republic of Bulgaria and Romania (OJ L 269, 19.10.2017, p. 39).

(32)  Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals (OJ L 157, 15.6.2002, p. 1).

(33)  Directive 2014/66/EU of the European Parliament and of the Council of 15 May 2014 on the conditions of entry and residence of third-country nationals in the framework of an intra- corporate transfer (OJ L 157, 27.5.2014, p. 1).

(34)  Directive (EU) 2016/801 of the European Parliament and of the Council of 11 May 2016 on the conditions of entry and residence of third-country nationals for the purposes of research, studies, training, voluntary service, pupil exchange schemes or educational projects and au pairing (OJ L 132, 21.5.2016, p. 21).

(35)  Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

(36)  Council Regulation (EC) No 377/2004 of 19 February 2004 on the creation of an immigration liaison officers network (OJ L 64, 2.3.2004, p. 1).

(37)  Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1).

(38)  Commission Decision 2008/602/EC of 17 June 2008 laying down the physical architecture and requirements of the national interfaces and of the communication infrastructure between the central VIS and the national interfaces for the development phase (OJ L 194, 23.7.2008, p. 3).

(39)  Council Regulation (EC) No 693/2003 of 14 April 2003 establishing a specific Facilitated Transit Document (FTD), a Facilitated Rail Transit Document (FRTD) and amending the Common Consular Instructions and the Common Manual (OJ L 99, 17.4.2003, p. 8).

(40)  Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, p. 98).

(41)  Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (OJ L 218, 13.8.2008, p. 129).

(42)  OJ L 56, 4.3.1968, p. 1.

(43)  Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).

(44)  Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1).

(45)  Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights (OJ L 53, 22.2.2007, p. 1).