EUROPEAN COMMISSION

Brussels, 8.12.2021

COM(2021) 784 final

2021/0410(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on automated data exchange for police cooperation (“Prüm II”), amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, 2019/817 and 2019/818 of the European Parliament and of the Council

{SEC(2021) 421 final} - {SWD(2021) 378 final} - {SWD(2021) 379 final}

EXPLANATORY MEMORANDUM

CONTEXT OF THE PROPOSAL

•Reasons for the proposal

•Objectives of the proposal

The general objective of this proposal results from the Treaty-based goal of contributing to the internal security of the European Union. Among measures to do so, the collection, storage, processing, analysis and exchange of relevant information is listed. 9 The general objective of this instrument is thus to improve, streamline and facilitate the exchange of information for the purpose of the prevention, detection and investigation of criminal and terrorist offences between Member States’ law enforcement authorities, but also with Europol as the EU criminal information hub.

The specific policy objectives of this proposal are to:

(a)Provide a technical solution for efficient automated exchange of data between law enforcement authorities to make them aware of relevant data that is available in the national database of another Member State;

(b)Ensure that more relevant data (in terms of data categories) from national databases in other Member States is available to all competent law enforcement authorities;

(c)Ensure that relevant data (in terms of sources of data) from Europol’s databases is available to law enforcement authorities;

(d)Provide law enforcement authorities with efficient access to the actual data corresponding to a ‘hit’ that is available in the national database of another Member State.

•Consistency with existing policy provisions in the policy area

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

•Subsidiarity

The improvement of information exchange among police and law enforcement authorities within the EU cannot be sufficiently achieved by Member States in isolation, owing to the cross-border nature of crime fighting and security issues. Member States must rely on one another in these matters.

Through several implementation projects at EU level, 14  Member States have tried to take action to address the shortcomings of the current Prüm framework. 15  Despite all these actions, many of the shortcomings remained the same as the ones described in the 2012 report on the implementation of the Prüm Decision. 16 This shows the need for EU action as measures implemented by Member States alone have not proved sufficient to address the limitations of the current Prüm framework.

Moreover, common EU level rules, standards and requirements facilitate information exchanges while providing compatibility between different national systems. This in turn allows for a certain level of automation in information exchange workflows that release law enforcement officers from labour-intensive manual activities.

•Proportionality

As explained in full detail in the impact assessment accompanying this proposed Regulation, the policy choices made in this proposal are considered proportionate. This is because they do not go beyond what is necessary to achieve the identified objectives.

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations of existing legislation

• Stakeholder consultations

•Impact assessment

(1)To meet the objective of providing a technical solution for efficient automated exchange of data, a hybrid solution between a decentralised and a centralised approach without data storage at central level should be applied.

(2)To meet the objective of ensuring that more relevant data (in terms of data categories) is available to law enforcement authorities, the exchange of facial images and police records should be introduced.

(3)To meet the objective of ensuring that relevant data from Europol’s databases is available to law enforcement authorities, Member States should be able to check automatically third country-sourced biometric data at Europol as part of the Prüm framework. Europol should also be able to check third country-sourced data against Member States’ national databases.

(4)To meet the objective of providing efficient access to the actual data corresponding to a ‘hit’ that is available in the national database of another Member State or at Europol, the follow-up process should be regulated at EU level with a semi-automated exchange of the actual data corresponding to a ‘hit’.

•Fundamental rights

•Protection of personal data

(1)it must be provided for by law;

(2)it must respect the essence of the rights;

(3)it must genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others;

(4)it must be necessary; and

(5)it must be proportional.

This proposal embeds all these data protection rules, as set out in full detail in the impact assessment accompanying this proposed Regulation. The proposal is based on the principles of data protection by design and by default. It includes all appropriate provisions limiting data processing to what is necessary for the specific purpose and granting data access only to those entities that ‘need to know’. Access to data is reserved exclusively for duly authorised staff of Member States’ authorities or EU bodies that are competent for the specific purposes of the revised Prüm framework and limited to the extent that the data are required for the performance of tasks in accordance with these purposes.

The Commission will, at the time of publishing the report assessing the effect given to [Council Recommendation on operational police cooperation] by the Member States referred to under point 9(d) of that Recommendation, decide whether there is a need for EU legislation on cross-border operational police cooperation. Should there be a need for such legislation, the Commission will make a legislative proposal on cross-border operational police cooperation, which will also ensure the alignment of the provisions of Decision 2008/615/JHA and Decision 2008/616/JHA which were not covered under this proposal with Directive 2016/680, in line with the results of the assessment under Article 62(6) of Directive 2016/680. Should there not be a need for EU legislation on cross-border operational police cooperation, the Commission will make a legislative proposal to ensure this same alignment, in line with the results of the assessment under Article 62(6) of Directive 2016/680.

4.BUDGETARY IMPLICATIONS

This legislative initiative would have an impact on the budget and staff needs of eu-LISA and Europol.

For eu-LISA, it is estimated that an additional budget of around EUR 16 million and around 10 additional posts would be needed for the overall MFF period to ensure that eu-LISA has the necessary resources to enforce the tasks attributed to the Agency in this proposed Regulation. The budget allocated to eu-LISA will be offset against the BMVI.

For Europol, it is estimated that an additional budget of around EUR 7 million and around 5 additional posts would be needed for the overall MFF period to ensure that Europol has the necessary resources to enforce the tasks attributed to the Agency in this proposed Regulation. The budget allocated to Europol will be offset against the ISF.

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

•Detailed explanation of the specific provisions of the proposal

Chapter 1 sets out the general provisions for this Regulation with its subject matter, purpose and scope. It provides a list of definitions and recalls that the processing of personal data for the purposes of this Regulation shall respect the principle of non-discrimination and other fundamental rights.

Chapter 2 sets out the provisions for the exchange of the categories of data under this Regulation, namely the exchange of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records. The principles for the exchange, the automated search of data, the rules for requests and answers are detailed in a separate section for each category of data respectively. Chapter 2 also contains common provisions for the exchange of data, the setting up of national contact points and implementing measure.

Chapter 3 sets out the details for the new (technical) architecture for the exchange of data. The first section of this chapter includes provisions describing the central router, the use of the router and the launching of queries. Implementing acts will be needed to specify the technical procedures for these queries. This section also includes provisions on the interoperability between the router and the Common Identity Repository for the purposes of law enforcement access, the keeping of logs of all data processing operations in the router, the quality check and the notification procedures in case of technical impossibility to use the router. A second section provides details on the use of the European Police Records Index System (EPRIS) for the exchange of police records. This section also includes provisions on the keeping of logs of all data processing operations in EPRIS, and the notification procedures in case of technical impossibility to use EPRIS.

Chapter 4 sets out the processes for exchange of data following a match. It includes a provision on the automated exchange of core data, with data limited to what is necessary to enable the identification of the individual concerned, and a provision on the exchange of data at any stage of the process under this Regulation which is not explicitly described under this Regulation.

Chapter 5 contains provisions on the access by Member States to third country-sourced biometric data stored by Europol and on the access by Europol to data stored in Member States’ databases.

Chapter 6 on data protection contains provisions ensuring that data under this Regulation are processed lawfully and appropriately, in line with the provisions of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. 27 It explains who the data processor will be for the processing of data pursuant to this Regulation. It sets out measures required from eu-LISA and Member States’ authorities to ensure the security of data processing, the appropriate handling of security incidents and the monitoring of compliance with the measures in this Regulation. The chapter also sets out the provisions relating to supervision and audit in relation to data protection. It underlines the principle that data processed under this Regulation shall not be transferred or made available to any third country or international organisation in an automated manner.

Chapter 7 details the responsibilities of Member States, Europol, and eu-LISA respectively in the implementation of the measures in this Regulation.

Chapter 8 concerns amendments to other existing instruments, namely Decisions 2008/615/JHA and 2008/616/JHA, Regulation (EU) 2018/1726, Regulation (EU) 2019/817 and Regulation (EU) 2019/818.

Chapter 9 on final provisions sets out the details relating to reporting and statistics, costs, notifications, transitional provisions and derogations. It also sets out the requirements for the start of operations of the measures proposed under this Regulation. The chapter also provides for the setting up of a committee and the adoption of a practical handbook to support implementation and management of this Regulation. It also includes a provision on monitoring and evaluation and a provision on the entry into force and applicability of this Regulation. Notably, this Regulation replaces Articles 2 to 6 and Sections 2 and 3 of Chapter 2 of Council Decision 2008/615/JHA and Chapters 2 to 5 and Articles 18, 20 and 21 of Council Decision 2008/616/JHA which will consequently be deleted from those Council Decisions from the date of application of this Regulation. The effect of those amendments will be that the replaced and deleted provisions no longer apply to any Member State.

2021/0410 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on automated data exchange for police cooperation (“Prüm II”), amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, 2019/817 and 2019/818 of the European Parliament and of the Council

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2), Article 87(2), point (a), and Article 88(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee 28 ,

Having regard to the opinion of the Committee of the Regions 29 ,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. That objective should be achieved by means of, among others, appropriate measures to prevent and combat crime, including organised crime and terrorism.

(2)That objective requires that law enforcement authorities exchange data, in an efficient and timely manner, in order to effectively fight crime.

(3)The objective of this Regulation is therefore to improve, streamline and facilitate the exchange of criminal information between Member States’ law enforcement authorities, but also with the European Union Agency for Law Enforcement Cooperation established by Regulation (EU) No 2016/794 of the European Parliament and of the Council 30 (Europol) as the Union criminal information hub.

(4)Council Decisions 2008/615/JHA 31 and 2008/616/JHA 32  laying down rules for the exchange of information between authorities responsible for the prevention and investigation of criminal offences by providing for the automated transfer of DNA profiles, dactyloscopic data and certain vehicle registration data, have proven important for tackling terrorism and cross-border crime.

(5)This Regulation should lay down the conditions and procedures for the automated transfer of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records. This should be without prejudice to the processing of any of these data in the Schengen Information System (SIS) or the exchange of supplementary information related to them via the SIRENE bureaux or to the rights of individuals whose data is processed therein.

(6)The processing of personal data and the exchange of personal data for the purposes of this Regulation should not result in discrimination against persons on any grounds. It should fully respect human dignity and integrity and other fundamental rights, including the right to respect for one's private life and to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union.

(7)By providing for the automated search or comparison of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records, the purpose of this Regulation is also to allow for the search of missing persons and unidentified human remains. This should be without prejudice to the entry of SIS alerts on missing persons and the exchange of supplementary information on such alerts under Regulation (EU) 2018/1862 of the European Parliament and of the Council. 33

(8)The Directive (EU) …/… [on information exchange between law enforcement authorities of Member States] provides a coherent Union legal framework to ensure that law enforcement authorities have equivalent access to information held by other Member States when they need it to fight crime and terrorism. To enhance information exchange, that Directive formalises and clarifies the procedures for information sharing between Member States, in particular for investigative purposes, including the role of the ‘Single Point of Contact’ for such exchanges, and making full use of Europol’s information exchange channel SIENA. Any exchange of information beyond what is provided for in this Regulation should be regulated by Directive (EU) …/… [on information exchange between law enforcement authorities of Member States].

(9)For the automated searching of vehicle registration data, Member States should use the European Vehicle and Driving Licence Information System (Eucaris) set up by the Treaty concerning a European Vehicle and Driving Licence Information System (EUCARIS) designed for this purpose. Eucaris should connect all participating Member States in a network. There is no central component needed for the communication to be established as each Member State communicates directly to the other connected Member States.

(10)The identification of a criminal is essential for a successful criminal investigation and prosecution. The automated searching of facial images of suspects and convicted criminals should provide for additional information for successfully identifying criminals and fighting crime.

(11)The automated search or comparison of biometric data (DNA profiles, dactyloscopic data and facial images) between authorities responsible for the prevention, detection and investigation of criminal offences under this Regulation should only concern data contained in databases established for the prevention, detection and investigation of criminal offences.

(12)Participation in the exchange of police records should remain voluntary. Where Member States decide to participate, in the spirit of reciprocity, it should not be possible for them to query other Member States’ databases if they do not make their own data available for queries by other Member States.

(13)In recent years, Europol has received a large amount of biometric data of suspected and convicted terrorists and criminals from several third countries. Including third country-sourced data stored at Europol in the Prüm framework and thus making this data available to law enforcement authorities is necessary for better prevention and investigation of criminal offences. It also contributes to building synergies between different law enforcement tools.

(14)Europol should be able to search Member States’ databases under the Prüm framework with data received from third countries in order to establish cross-border links between criminal cases. Being able to use Prüm data, next to other databases available to Europol, should allow establishing more complete and informed analysis on the criminal investigations and should allow Europol to provide better support to Member States’ law enforcement authorities. In case of a match between data used for the search and data held in Member States’ databases, Member States may supply Europol with the information necessary for it to fulfil its tasks.

(15)Decisions 2008/615/JHA and 2008/616/JHA provide for a network of bilateral connections between the national databases of Member States. As a consequence of this technical architecture, each Member State should establish at least 26 connections, that means a connection with each Member State, per data category. The router and the European Police Records Index System (EPRIS) established by this Regulation should simplify the technical architecture of the Prüm framework and serve as connecting points between all Member States. The router should require a single connection per Member State in relation to biometric data and EPRIS should require a single connection per Member State in relation to police records. 

(16)The router should be connected to the European Search Portal established by Article 6 of Regulation (EU) 2019/817 of the European Parliament and of the Council 34 and Article 6 of Regulation (EU) 2019/818 of the European Parliament and of the Council 35  to allow Member States’ authorities and Europol to launch queries to national databases under this Regulation simultaneously to queries to the Common Identity Repository established by Article 17 of Regulation (EU) 2019/817 and Article 17 of Regulation (EU) 2019/818 for law enforcement purposes.

(17)In case of a match between the data used for the search or comparison and data held in the national database of the requested Member State(s), and upon confirmation of this match by the requesting Member State, the requested Member State should return a limited set of core data via the router within 24 hours. The deadline would ensure fast communication exchange between Member States’ authorities. Member States should retain control over the release of this limited set of core data. A certain degree of human intervention should be maintained at key points in the process, including for the decision to release personal data to the requesting Member State in order to ensure that there would be no automated exchange of core data.

(18)Any exchange between Member States’ authorities or with Europol at any stage of one of the processes described under this Regulation, which is not explicitly described in this Regulation, should take place via SIENA to ensure that a common, secure and reliable channel of communication is used by all Member States.

(19)The universal message format (UMF) standard should be used in the development of the router and EPRIS. Any automated exchange of data in accordance with this Regulation should use the UMF standard. Member States’ authorities and Europol are encouraged to use the UMF standard also in relation to any further exchange of data between them in the context of the Prüm II framework. The UMF standard should serve as a standard for structured, cross-border information exchange between information systems, authorities or organisations in the field of Justice and Home Affairs. 

(20)Only non-classified information should be exchanged via the Prüm II framework.

(21)Certain aspects of the Prüm II framework cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical arrangements and specifications for automated searching procedures, the standards for data exchange and the data elements to be exchanged. In order to ensure uniform conditions for the implementation of this Regulation implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council. 36  

(22)As this Regulation provides for the establishment of the new Prüm framework, relevant provisions of Decisions 2008/615/JHA and 2008/616/JHA should be deleted. Those Decisions should therefore be amended accordingly.

(23)As the router should be developed and managed by the European Union Agency for the Operational Management of Large-Scale Information Systems in the Area of Freedom, Security and Justice established by Regulation (EU) 2018/1726 of the European Parliament and of the Council 37 (eu-LISA), it is therefore necessary to amend Regulation (EU) 2018/1726 by adding that to the tasks of eu-LISA. In order to allow for the router to be connected to the European Search Portal to carry out simultaneous searches of the router and the Common Identity Repository it is therefore necessary to amend Regulation (EU) 2019/817. In order to allow for the router to be connected to the European Search Portal to carry out simultaneous searches of the router and the Common Identity Repository and in order to store reports and statistics of the router on the Common Repository for Reporting and Statistics it is therefore necessary to amend Regulation (EU) 2019/818. Those Regulations should therefore be amended accordingly.

(24)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(25)[In accordance with Article 3 of the Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Ireland has notified its wish to take part in the adoption and application of this Regulation.] OR [In accordance with Articles 1 and 2 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.]

(26)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council 38 and delivered an opinion on [XX] 39 .

HAVE ADOPTED THIS REGULATION:

CHAPTER 1

GENERAL PROVISIONS

Article 1

Subject matter

This Regulation establishes a framework for the exchange of information between authorities responsible for the prevention, detection and investigation of criminal offences (Prüm II).

This Regulation lays down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data, facial images, police records and certain vehicle registration data and the rules regarding the exchange of core data following a match.

Article 2

Purpose

The purpose of Prüm II shall be to step up cross-border cooperation in matters covered by Part III, Title V, Chapter 5 of the Treaty on the Functioning of the European Union, particularly the exchange of information between authorities responsible for the prevention, detection and investigation of criminal offences.

The purpose of Prüm II shall also be to allow for the search for missing persons and unidentified human remains by authorities responsible for the prevention, detection and investigation of criminal offences.

Article 3

Scope

This Regulation applies to the national databases used for the automated transfer of the categories of DNA profiles, dactyloscopic data, facial images, police records and certain vehicle registration data.

Article 4

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)‘loci’ means the particular molecular structure at the various DNA locations;

(2)‘DNA profile’ means a letter or number code which represents a set of identification characteristics of the non-coding part of an analysed human DNA sample, the particular molecular structure at the various DNA locations;

(3)‘non-coding part of DNA’ means chromosome regions not genetically expressed, i.e. not known to provide for any functional properties of an organism;

(4)‘DNA reference data’ means DNA profile and the reference number referred to in Article 9;

(5)‘reference DNA profile’ means the DNA profile of an identified person;

(6)‘unidentified DNA profile’ means the DNA profile obtained from traces collected during the investigation of criminal offences and belonging to a person not yet identified;

(7)‘dactyloscopic data’ means fingerprint images, images of fingerprint latents, palm prints, palm print latents and templates of such images (coded minutiae), when they are stored and dealt with in an automated database;

(8)‘dactyloscopic reference data’ means dactyloscopic data and the reference number referred to in Article 14;

(9)‘individual case’ means a single investigation file; 

(10)‘facial image’ means digital image of the face;

(11)‘biometric data’ means DNA profiles, dactyloscopic data or facial images;

(12)‘match’ means the existence of a correspondence as a result of an automated comparison between personal data recorded or being recorded in an information system or database;

(13)‘candidate’ means data with which a match occurred;

(14)‘requesting Member State’ means the Member State which is conducting a search through Prüm II;

(15)‘requested Member State’ means the Member State in which databases the search is conducted through Prüm II by the requesting Member State;

(16)‘police records’ means any information available in the national register or registers recording data of competent authorities, for the prevention, detection and investigation of criminal offences;

(17)‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; 

(18)‘Europol data’ means any personal data processed by Europol in accordance with Regulation (EU) 2016/794;

(19)‘supervisory authority’ means an independent public authority established by a Member State pursuant to Article 41 of Directive (EU) 2016/680 of the European Parliament and of the Council 40 ;

(20)‘SIENA’ means the secure information exchange network application, managed by Europol, aimed at facilitating the exchange of information between Member States and Europol; 

(21)‘significant incident’ means any incident unless it has a limited impact and is likely to be already well understood in terms of method or technology;

(22)‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incident;

(23)‘significant vulnerability’ means a vulnerability that will likely lead to a significant incident if it is exploited;

(24)‘incident’ means an incident within the meaning of Article 4(5) of Directive (EU) …/… of the European Parliament and of the Council 41 [proposal NIS 2]. 

CHAPTER 2

EXCHANGE OF DATA

SECTION 1

DNA profiles

Article 5

Establishment of national DNA analysis files

1. Member States shall open and keep national DNA analysis files for the investigation of criminal offences.

Processing of data kept in those files, under this Regulation, shall be carried out in accordance with this Regulation, in compliance with the national law of the Member States applicable to the processing of those data.

2. Member States shall ensure the availability of DNA reference data from their national DNA analysis files as referred to in paragraph 1.

DNA reference data shall not contain any data from which an individual can be directly identified.

DNA reference data which is not attributed to any individual (unidentified DNA profiles) shall be recognisable as such.

Article 6

Automated searching of DNA profiles

1. Member States shall allow national contact points referred to in Article 29 and Europol access to the DNA reference data in their DNA analysis files, to conduct automated searches by comparing DNA profiles for the investigation of criminal offences.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. Should an automated search show that a supplied DNA profile matches DNA profiles entered in the requested Member State's searched file, the national contact point of the requesting Member State shall receive in an automated way the DNA reference data with which a match has been found.

If there is no match, the requesting Member State shall be notified about it in an automated manner.

3. The national contact point of the requesting Member State shall confirm a match of DNA profiles data with DNA reference data held by the requested Member State following the automated supply of the DNA reference data required for confirming a match.

Article 7

Automated comparison of unidentified DNA profiles

1. Member States may, via their national contact points, compare the DNA profiles of their unidentified DNA profiles with all DNA profiles from other national DNA analysis files for the investigation of criminal offences. Profiles shall be supplied and compared in an automated manner.

2. Should a requested Member State, as a result of the comparison referred to in paragraph 1, find that any DNA profiles supplied match any of those in its DNA analysis files, it shall, without delay, supply the national contact point of the requesting Member State with the DNA reference data with which a match has been found.

3. The confirmation of a match of DNA profiles with DNA reference data held by the requested Member State shall be carried out by the national contact point of the requesting Member State following the automated supply of the DNA reference data required for confirming a match.

Article 8

Reporting about DNA analysis files

Each Member State shall inform the Commission and eu-LISA of the national DNA analysis files, to which Articles 5 to 7 apply, in accordance with Article 73.

Article 9

Reference numbers for DNA profiles

The reference numbers for DNA profiles shall be the combination of the following:

(a)a reference number allowing Member States, in case of a match, to retrieve further data and other information in their databases referred to in Article 5 in order to supply it to one, several or all of the other Member States in accordance with Articles 47 and 48;

(b)a code to indicate the Member State which holds the DNA profile;

(c)a code to indicate the type of DNA profile (reference DNA profiles or unidentified DNA profiles).

Article 10

Principles of DNA reference data exchange

1. Appropriate measures shall be taken to ensure confidentiality and integrity for DNA reference data being sent to other Member States, including their encryption.

2. Member States shall take the necessary measures to guarantee the integrity of the DNA profiles made available or sent for comparison to the other Member States and to ensure that those measures comply with the relevant international standards for DNA data exchange.

3. The Commission shall adopt implementing acts to specify the relevant international standards that are to be used by Member States for DNA reference data exchange. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 11

Rules for requests and answers regarding DNA profiles

1. A request for an automated search or comparison shall include only the following information:

(a)the code of the requesting Member State;

(b)the date, time and indication number of the request;

(c)DNA profiles and their reference numbers referred to in Article 9;

(d)the types of DNA profiles transmitted (unidentified DNA profiles or reference DNA profiles).

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a)an indication as to whether there were one or more matches or no matches ;

(b)the date, time and indication number of the request;

(c)the date, time and indication number of the answer;

(d)the codes of the requesting and requested Member States;

(e)the reference numbers of the DNA profiles from the requesting and requested Member States;

(f)the type of DNA profiles transmitted (unidentified DNA profiles or reference DNA profiles);

(g)the matching DNA profiles.

3. Automated notification of a match shall only be provided if the automated search or comparison has resulted in a match of a minimum number of loci. The Commission shall adopt implementing acts to specify this minimum number of loci, in accordance with the procedure referred to in Article 76(2).

4. Where a search or comparison with unidentified DNA profiles results in a match, each requested Member State with matching data may insert a marking in its national database indicating that there has been a match for that DNA profile following another Member State's search or comparison.

5. Member States shall ensure that requests are consistent with declarations sent pursuant to Article 8. Those declarations shall be reproduced in the practical handbook referred to in Article 78.

SECTION 2

Dactyloscopic data

Article 12

Dactyloscopic reference data

1. Member States shall ensure the availability of dactyloscopic reference data from the file for the national automated fingerprint identification systems established for the prevention, detection and investigation of criminal offences.

2. Dactyloscopic reference data shall not contain any data from which an individual can be directly identified.

3. Dactyloscopic reference data which is not attributed to any individual (unidentified dactyloscopic data) shall be recognisable as such.

Article 13

Automated searching of dactyloscopic data

1. For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to the dactyloscopic reference data in the automated fingerprint identification systems which they have established for that purpose, to conduct automated searches by comparing dactyloscopic reference data.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. The national contact point of the requesting Member State shall confirm a match of dactyloscopic data with dactyloscopic reference data held by the requested Member State following the automated supply of the dactyloscopic reference data required for confirming a match.

Article 14

Reference numbers for dactyloscopic data

The reference numbers for dactyloscopic data shall be the combination of the following:

(a)a reference number allowing Member States, in the case of a match, to retrieve further data and other information in their databases referred to in Article 12 in order to supply it to one, several or all of the other Member States in accordance with Articles 47 and 48;

(b)a code to indicate the Member State which holds the dactyloscopic data.

Article 15

Principles for the exchange of dactyloscopic data

1. The digitalisation of dactyloscopic data and their transmission to the other Member States shall be carried out in accordance with a uniform data format. The Commission shall adopt implementing acts to specify the uniform data format in accordance with the procedure referred to in Article 76(2).

2. Each Member State shall ensure that the dactyloscopic data it transmits are of sufficient quality for a comparison by the automated fingerprint identification systems.

3. Member States shall take appropriate measures to ensure the confidentiality and integrity of dactyloscopic data being sent to other Member States, including their encryption.

4. The Commission shall adopt implementing acts to specify the relevant existing standards for dactyloscopic data exchange that are to be used by Member States. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 16

Search capacities for dactyloscopic data

1. Each Member State shall ensure that its search requests do not exceed the search capacities specified by the requested Member State.

Member States shall inform the Commission and eu-LISA in accordance with Article 79(8) and (10) about their maximum search capacities per day for dactyloscopic data of identified persons and for dactyloscopic data of persons not yet identified.

2. The Commission shall adopt implementing acts to specify the maximum numbers of candidates accepted for comparison per transmission in accordance with the procedure referred to in Article 76(2).

Article 17

Rules for requests and answers regarding dactyloscopic data

1. A request for an automated search shall include only the following information:

(a)the code of the requesting Member State;

(b)the date, time and indication number of the request;

(c)the dactyloscopic data and their reference numbers referred to in Article 14.

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a)an indication as to whether there were one or more matches or no matches;

(b)the date, time and indication number of the request;

(c)the date, time and indication number of the answer;

(d)the codes of the requesting and requested Member States;

(e)the reference numbers of the dactyloscopic data from the requesting and requested Member States;

(f)the matching dactyloscopic data.

SECTION 3

Vehicle registration data

Article 18

Automated searching of vehicle registration data

1. For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to the following national vehicle registration data, to conduct automated searches in individual cases:

(a)data relating to owners or operators;

(b)data relating to vehicles.

2. Searches may be conducted only with a full chassis number or a full registration number.

3. Searches may be conducted only in compliance with the national law of the requesting Member State.

Article 19

Principles of automated searching of vehicle registration data

1. For automated searching of vehicle registration data Member States shall use the European Vehicle and Driving Licence Information System (Eucaris).

2. The information exchanged via Eucaris shall be transmitted in encrypted form.

3. The Commission shall adopt implementing acts to specify the data elements of the vehicle registration data to be exchanged. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 20

Keeping of logs

1. Each Member State shall keep logs of queries that the staff of its authorities duly authorised to exchange vehicle registration data make as well as logs of queries requested by other Member States. Europol shall keep logs of queries that its duly authorised staff make.

Each Member State and Europol shall keep logs of all data processing operations concerning vehicle registration data. Those logs shall include the following:

(a)the Member State or Union agency launching the request for a query;

(b)the date and time of the request;

(c)the date and time of the answer;

(d)the national databases to which a request for a query was sent; 

(e)the national databases that provided a positive answer.

2. The logs referred to in paragraph 1 may be used only for the collection of statistics and data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

3. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 56.

SECTION 4

Facial images

Article 21

Facial images

1. Member States shall ensure the availability of facial images from their national databases established for the prevention, detection and investigation of criminal offences. Those data shall only include facial images and the reference number referred to in Article 23, and shall indicate whether the facial images are attributed to an individual or not.

Member States shall not make available in this context any data from which an individual can be directly identified.

2. Facial images which are not attributed to any individual (unidentified facial images) must be recognisable as such.

Article 22

Automated searching of facial images

1. For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to facial images stored in their national databases, to conduct automated searches.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. The requesting Member State shall receive a list composed of matches concerning likely candidates. That Member State shall review the list to determine the existence of a confirmed match.

3. A minimum quality standard shall be established to allow for search and comparison of facial images. The Commission shall adopt implementing acts to specify that minimum quality standard. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 23

Reference numbers for facial images

The reference numbers for facial images shall be the combination of the following:

(a)a reference number allowing Member States, in case of a match, to retrieve further data and other information in their databases referred to in Article 21 in order to supply it to one, several or all of the other Member States in accordance with Articles 47 and 48;

(b)a code to indicate the Member State which holds the facial images.

Article 24

Rules for requests and answers regarding facial images

1. A request for an automated search shall include only the following information:

(a)the code of the requesting Member State;

(b)the date, time and indication number of the request;

(c)the facial images and their reference numbers referred to in Article 23.

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a)an indication as to whether there were one or more matches or no matches;

(b)the date, time and indication number of the request;

(c)the date, time and indication number of the answer;

(d)the codes of the requesting and requested Member States;

(e)the reference numbers of the facial images from the requesting and requested Member States;

(f)the matching facial images.

SECTION 5

Police records

Article 25

Police records

1. Member States may decide to participate in the automated exchange of police records. Member States participating in the automated exchange of police records shall ensure the availability of biographical data of suspects and criminals from their national police records indexes established for the investigation of criminal offences. This set of data, if available, shall contain the following data:

(a)first name(s);

(b)family name(s);

(c)alias(es);

(d)date of birth;

(e)nationality or nationalities;

(f)place and country of birth;

(g)gender.

2. The data referred to in paragraph 1, points (a), (b), (c), (e) and (f) shall be pseudonymised.

Article 26

Automated searching of police records

1. For the investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to data from their national police records indexes, to conduct automated searches.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. The requesting Member State shall receive the list of matches with an indication of the quality of the matches.

The requesting Member State shall also be informed about the Member State whose database contains data that resulted in the match.

Article 27

Reference numbers for police records

The reference numbers for police records shall be the combination of the following:

(a)a reference number allowing Member States, in the case of a match, to retrieve personal data and other information in their indexes referred to in Article 25 in order to supply it to one, several or all of the Member States in accordance with Articles 47 and 48;

(b)a code to indicate the Member State which holds the police records.

Article 28

Rules for requests and answers regarding police records

1. A request for an automated search shall include only the following information:

(a)the code of the requesting Member State;

(b)the date, time and indication number of the request;

(c)the police records and their reference numbers referred to in Article 27.

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a)an indication as to whether there were one or more matches or no matches;

(b)the date, time and indication number of the request;

(c)the date, time and indication number of the answer;

(d)the codes of the requesting and requested Member States; 

(e)the reference numbers of the police records from the requested Member States.

SECTION 6

Common provisions

Article 29

National contact points

Each Member State shall designate a national contact point.

The national contact points shall be responsible for supplying the data referred to in Articles 6, 7, 13, 18, 22 and 26.

Article 30

Implementing measures

The Commission shall adopt implementing acts to specify the technical arrangements for the procedures set out in Articles 6, 7, 13, 18, 22 and 26. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 31

Technical specifications

Member States and Europol shall observe common technical specifications in connection with all requests and answers related to searches and comparisons of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records. The Commission shall adopt implementing acts to specify these technical specifications in accordance with the procedure referred to in Article 76(2).

Article 32

Availability of automated data exchange at national level

1. Member States shall take all necessary measures to ensure that automated searching or comparison of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records is possible 24 hours a day and seven days a week.

2. National contact points shall immediately inform each other, the Commission, Europol and eu-LISA of the technical fault causing unavailability of the automated data exchange.

National contact points shall agree on temporary alternative information exchange arrangements in accordance with the applicable Union law and national legislation.

3. National contact points shall re-establish the automated data exchange without delay.

Article 33

Justification for the processing of data

1. Each Member State shall keep a justification of the queries that its competent authorities make.

Europol shall keep a justification of the queries it makes.

2. The justification referred to in paragraph 1 shall include:

(a)the purpose of the query, including a reference to the specific case or investigation;

(b)an indication on whether the query concerns a suspect or a perpetrator of a criminal offence;

(c)an indication on whether the query aims to identify an unknown person or obtain more data on a known person.

3. The justifications referred to in paragraph 2 shall only be used for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those justifications shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the justification.

4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to those justifications for self-monitoring as referred to in Article 56.

Article 34

Use of the universal message format

1. The universal message format (UMF) standard shall be used in the development of the router referred to in Article 35 and EPRIS.

2. Any automated exchange of data in accordance with this Regulation shall use the UMF standard.

CHAPTER 3

ARCHITECTURE

SECTION 1

Router

Article 35

The router

1. A router is established for the purposes of facilitating the establishment of connections between Member States and with Europol for querying with, retrieving and scoring biometric data in accordance with this Regulation.

2. The router shall be composed of:

(a)a central infrastructure, including a search tool enabling the simultaneous querying of Member States’ databases referred to in Articles 5, 12 and 21 as well as of Europol data;

(b)a secure communication channel between the central infrastructure Member States and Union agencies that are entitled to use the router;

(c)a secure communication infrastructure between the central infrastructure and the European Search Portal for the purposes of Article 39.

Article 36

Use of the router

The use of the router shall be reserved to the Member States’ authorities that have access to the exchange of DNA profiles, dactyloscopic data and facial images, and Europol in accordance with this Regulation and Regulation (EU) 2016/794.

Article 37

Queries

1. The router users referred to in Article 36 shall request a query by submitting biometric data to the router. The router shall dispatch the request for a query to the Member States’ databases and Europol data simultaneously with the data submitted by the user and in accordance with their access rights.

2. On receiving the request for a query from the router, each requested Member State and Europol shall launch a query of their databases in an automated manner and without delay.

3. Any matches resulting from the query in each Member States’ databases and Europol data shall be sent back in an automated manner to the router.

4. The router shall rank the replies in accordance with the score of the correspondence between the biometric data used for querying and the biometric data stored in the Member States’ databases and Europol data.

5. The list of matching biometric data and their scores shall be returned to the router user by the router.

6. The Commission shall adopt implementing acts to specify the technical procedure for the router to query Member States’ databases and Europol data, the format of the router replies and the technical rules for scoring the correspondence between biometric data. These implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 38

Quality check

The requested Member State shall check the quality of the transmitted data by means of a fully automated procedure.

Should the data be unsuitable for an automated comparison, the requested Member State shall inform the requesting Member State about it via the router without delay.

Article 39

Interoperability between the router and the Common Identity Repository for the purposes of law enforcement access

1. The router users referred to in Article 36 may launch a query to Member States’ databases and Europol data simultaneously with a query to the Common Identity Repository where the relevant conditions under Union law are fulfilled and in accordance with their access rights. For this purpose, the router shall query the Common Identity Repository via the European Search Portal.

2. Queries to the Common Identity Repository for law enforcement purposes shall be carried out in accordance with Article 22 of Regulation (EU) 2019/817 and Article 22 of Regulation (EU) 2019/818. Any result from the queries shall be transmitted via the European Search Portal.

Only designated authorities defined in Article 4, point 20, of Regulation (EU) 2019/817 and Article 4, point 20, of Regulation (EU) 2019/818 may launch these simultaneous queries.

Simultaneous queries of the Member States’ databases and Europol data and the Common Identity Repository may only be launched in cases where it is likely that data on a suspect, perpetrator or victim of a terrorist offence or other serious criminal offences as defined respectively in Article 4, points 21 and 22, of Regulation (EU) 2019/817 and Article 4, points 21 and 22, of Regulation (EU) 2019/818 are stored in the Common Identity Repository.

Article 40

Keeping of logs

1. eu-LISA shall keep logs of all data processing operations in the router. Those logs shall include the following:

(a)the Member State or Union agency launching the request for a query;

(b)the date and time of the request;

(c)the date and time of the answer;

(d)the national databases or Europol data to which a request for a query was sent;

(e)the national databases or Europol data that provided an answer; 

(f)where applicable, the fact that there was a simultaneous query to the Common Identity Repository. 

2. Each Member State shall keep logs of queries that its competent authorities and the staff of those authorities duly authorised to use the router make as well as logs of queries requested by other Member States.

Europol shall keep logs of queries that its duly authorised staff make.

3. The logs referred to in paragraphs 1 and 2 may be used only for the collection of statistics and data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 56.

Article 41

Notification procedures in case of technical impossibility to use the router

1. Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the router, the router users shall be notified in an automated manner by eu-LISA. eu-LISA shall take measures to address the technical impossibility to use the router without delay.

2. Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the national infrastructure in a Member State, that Member State shall notify the other Member States, eu-LISA and the Commission in an automated manner. Member States shall take measures to address the technical impossibility to use the router without delay.

3. Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the infrastructure of Europol, Europol shall notify the Member States, eu-LISA and the Commission in an automated manner. Europol shall take measures to address the technical impossibility to use the router without delay.

SECTION 2

EPRIS

Article 42

EPRIS

1. For the automated searching of police records referred to in Article 26, Member States and Europol shall use the European Police Records Index System (EPRIS).

2. EPRIS shall be composed of:

(a)a central infrastructure, including a search tool enabling the simultaneous querying of Member States’ databases;

(b)a secure communication channel between the EPRIS central infrastructure, Member States and Europol.

Article 43

Use of EPRIS

1. For the purposes of searching police records via EPRIS, the following sets of data shall be used:

(a)first name(s);

(b)family name(s);

(c)date of birth.

2. Where available, the following sets of data may also be used:

(a)alias(es);

(b)nationality or nationalities;

(c)place and country of birth;

(d)gender.

3. The data referred to in points (a) and (b) of paragraph 1 and in points (a), (b) and (c) of paragraph 2 used for queries shall be pseudonymised.

Article 44

Queries

1. Member States and Europol shall request a query by submitting the data referred to in Article 43.

EPRIS shall dispatch the request for a query to the Member States’ databases with the data submitted by the requesting Member State and in accordance with this Regulation.

2. On receiving the request for a query from EPRIS, each requested Member State shall launch a query of their national police records index in an automated manner and without delay.

3. Any matches resulting from the query in each Member State’s database shall be sent back in an automated manner to EPRIS.

4. The list of matches shall be returned to the requesting Member State by EPRIS. The list of matches shall indicate the quality of the match as well as the Member State whose database contains data that resulted in the match.

5. Upon reception of the list of matches, the requesting Member State shall decide the matches for which a follow-up is necessary and send a reasoned follow-up request containing any additional relevant information to the requested Member State(s) via SIENA.

6. The requested Member State(s) shall process such requests without delay to decide whether to share the data stored in their database.

Upon confirmation, the requested Member State(s) shall share the data referred to in Article 43 where available. This exchange of information shall take place via SIENA.

7. The Commission shall adopt implementing acts to specify the technical procedure for EPRIS to query Member States’ databases and the format of the replies. These implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 45

Keeping of logs

1. Europol shall keep logs of all data processing operations in EPRIS. Those logs shall include the following:

(a)the Member State or Union agency launching the request for a query;

(b)the date and time of the request;

(c)the date and time of the answer;

(d)the national databases to which a request for a query was sent;

(e)the national databases that provided an answer.

2. Each Member State shall keep logs of the requests for queries that its competent authorities and the staff of those authorities duly authorised to use EPRIS make. Europol shall keep logs of requests for queries that its duly authorised staff make.

3. The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation.

If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 56.

Article 46

Notification procedures in case of technical impossibility to use EPRIS

1. Where it is technically impossible to use EPRIS to query one or several national databases because of a failure of the infrastructure of Europol, Member States shall be notified in an automated manner by Europol. Europol shall take measures to address the technical impossibility to use EPRIS without delay.

2. Where it is technically impossible to use EPRIS to query one or several national databases because of a failure of the national infrastructure in a Member State, that Member State shall notify Europol and the Commission in an automated manner. Member States shall take measures to address the technical impossibility to use EPRIS without delay.

CHAPTER 4

EXCHANGE OF DATA FOLLOWING A MATCH

Article 47

Exchange of core data

Where the procedures referred to in Articles 6, 7, 13 or 22 show a match between the data used for the search or comparison and data held in the database of the requested Member State(s), and upon confirmation of this match by the requesting Member State, the requested Member State shall return a set of core data via the router within 24 hours. That set of core data, if available, shall contain the following data:

(a)first name(s);

(b)family name(s);

(c)date of birth;

(d)nationality or nationalities;

(e)place and country of birth;

(f)gender.

Article 48

Use of SIENA

Any exchange which is not explicitly provided for in this Regulation between Member States’ competent authorities or with Europol, at any stage of one of the procedures under this Regulation, shall take place via SIENA.

CHAPTER 5

EUROPOL

Article 49

Access by Member States to third country-sourced biometric data stored by Europol

1. Member States shall, in accordance with Regulation (EU) 2016/794, have access to, and be able to search via the router, biometric data which has been provided to Europol by third countries for the purposes of Article 18(2), points (a), (b) and (c), of Regulation (EU) 2016/794.

2. Where this procedure results in a match between the data used for the search and Europol data, the follow-up shall take place in accordance with Regulation (EU) 2016/794.

Article 50

Access by Europol to data stored in Member States’ databases

1. Europol shall, in accordance with Regulation (EU) 2016/794, have access to data, which are stored by Member States in their national databases in accordance with this Regulation.

2. Europol queries performed with biometric data as a search criterion shall be carried out using the router.

3. Europol queries performed with vehicle registration data as a search criterion shall be carried out using Eucaris.

4. Europol queries performed with police records as a search criterion shall be carried out using EPRIS.

5. Europol shall carry out the searches in accordance with paragraph 1 only when carrying out its tasks referred to in Regulation (EU) 2016/794.

6. Where the procedures referred to in Articles 6, 7, 13 or 22 show a match between the data used for the search or comparison and data held in the national database of the requested Member State(s), and upon confirmation of that match by Europol, the requested Member State shall decide whether to return a set of core data via the router within 24 hours. That set of core data, if available, shall contain the following data:

(a)first name(s);

(b)family name(s);

(c)date of birth;

(d)nationality or nationalities;

(e)place and country of birth;

(f)gender.

7. Europol's use of information obtained from a search made in accordance with paragraph 1 and from the exchange of core data in accordance with paragraph 6 shall be subject to the consent of the Member State in which database the match occurred. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794.

CHAPTER 6

DATA PROTECTION

Article 51

Purpose of the data

1. Processing of personal data by the requesting Member State or Europol shall be permitted solely for the purposes for which the data have been supplied by the requested Member State in accordance with this Regulation. Processing for other purposes shall be permitted solely with the prior authorisation of the requested Member State.

2. Processing of data supplied pursuant to Articles 6, 7, 13, 18 or 22 by the searching or comparing Member State shall be permitted solely in order to:

(a)establish whether the compared DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records match;

(b)prepare and submit a police request for legal assistance if those data match;

(c)logging within the meaning of Articles 40 and 45.

3. The requesting Member State may process the data supplied to it in accordance with Articles 6, 7, 13 or 22 solely where this is necessary for the purposes of this Regulation. The supplied data shall be deleted immediately following data comparison or automated replies to searches unless further processing is necessary by the requesting Member State for the purposes of the prevention, detection and investigation of criminal offences.

4. Data supplied in accordance with Article 18 may be used by the requesting Member State solely where this is necessary for the purposes of this Regulation. The data supplied shall be deleted immediately following automated replies to searches unless further processing is necessary for recording pursuant to Article 20. The requesting Member State shall use the data received in a reply solely for the procedure for which the search was made.

Article 52

Accuracy, relevance and data retention

1. Member States shall ensure the accuracy and current relevance of personal data. Should a requested Member State become aware that incorrect data or data which should not have been supplied have been supplied, this shall be notified without delay to any requesting Member State. All requesting Member States concerned shall be obliged to correct or delete the data accordingly. Moreover, personal data supplied shall be corrected if they are found to be incorrect. If the requesting Member State has reason to believe that the supplied data are incorrect or should be deleted the requested Member State shall be informed.

2. Where a data subject contested the accuracy of data in possession of a Member State, where the accuracy cannot be reliably established by the Member State concerned and where it is requested by the data subject, the data concerned shall be marked with a flag. Where such a flag exists, Member States may remove it only with the permission of the data subject or based on a decision of the competent court or independent data protection authority.

3. Data supplied which should not have been supplied or received shall be deleted. Data which are lawfully supplied and received shall be deleted:

(a)where they are not or no longer necessary for the purpose for which they were supplied;

(b)following the expiry of the maximum period for keeping data laid down under the national law of the requested Member State where the requested Member State informed the requesting Member State of that maximum period at the time of supplying the data.

Where there is reason to believe that the deletion of data would prejudice the interests of the data subject, the data shall be blocked instead of being deleted. Blocked data may be supplied or used solely for the purpose which prevented their deletion.

Article 53

Data processor

1. eu-LISA shall be the processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of personal data via the router.

2. Europol shall be the processor for the processing of personal data via EPRIS.

Article 54

Security of processing

1. Europol, eu-LISA and Member States’ authorities shall ensure the security of the processing of personal data that takes place pursuant to this Regulation. Europol, eu-LISA and Member States’ authorities shall cooperate on security-related tasks.

2. Without prejudice to Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/794, eu-LISA and Europol shall take the necessary measures to ensure the security of the router and EPRIS respectively as well as their related communication infrastructure.

3. In particular, eu-LISA and Europol shall adopt the necessary measures concerning the router and EPRIS respectively, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to data-processing equipment and installations;

(c)prevent the unauthorised reading, copying, modification or removal of data media;

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;

(e)prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;

(f)prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;

(g)ensure that persons authorised to access the router and EPRIS have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

(h)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

(i)ensure that it is possible to verify and establish what data have been processed in the router and EPRIS, when, by whom and for what purpose;

(j)prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the router and EPRIS or during the transport of data media, in particular by means of appropriate encryption techniques;

(k)ensure that, in the event of interruption, installed systems can be restored to normal operation;

(l)ensure reliability by making sure that any faults in the functioning of the router and EPRIS are properly reported;

(m)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.

Article 55

Security incidents

1. Any event that has or may have an impact on the security of the router or EPRIS and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2. Security incidents shall be managed so as to ensure a quick, effective and proper response.

3. Member States shall notify its competent supervisory authorities of any security incidents without undue delay.

Without prejudice to Article 34 of Regulation (EU) 2016/794, Europol shall notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them. Actionable and appropriate technical details of cyber threats, vulnerabilities and incidents that enable proactive detection, incident response or mitigating measures shall be disclosed to CERT-EU without undue delay.

In the event of a security incident in relation to the central infrastructure of the router, eu-LISA shall notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them. Actionable and appropriate technical details of cyber threats, vulnerabilities and incidents that enable proactive detection, incident response or mitigating measures shall be disclosed to CERT-EU without undue delay.

4. Information regarding a security incident that has or may have an impact on the operation of the router or on the availability, integrity and confidentiality of the data shall be provided by the Member States and Union agencies concerned to the Member States and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.

5. Information regarding a security incident that has or may have an impact on the operation of EPRIS or on the availability, integrity and confidentiality of the data shall be provided by the Member States and Union agencies concerned to the Member States without delay and reported in compliance with the incident management plan to be provided by Europol.

Article 56

Self-monitoring

1. Member States and the relevant Union agencies shall ensure that each authority entitled to use Prüm II takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.

2. The data controllers shall take the necessary measures to monitor the compliance of data processing pursuant to this Regulation, including through frequent verification of the logs referred to in Articles 40 and 45, and cooperate, where necessary, with the supervisory authorities and with the European Data Protection Supervisor.

Article 57

Penalties

Member States shall ensure that any misuse of data, processing of data or exchange of data contrary to this Regulation is punishable in accordance with national law. The penalties provided shall be effective, proportionate and dissuasive.

Article 58

Burden of proof

1. Member States shall take the necessary measures to ensure that persons who consider themselves as having been discriminated against due to the processing or exchange of their personal data do not bear the burden of proof. In cases where a person considers that he or she has been allegedly discriminated against in the context of an automated comparison in the context of this Regulation in front of a court or other competent judicial authority, the Member State authorities having processed the data shall justify why there was no discrimination.

2. Paragraph 1 shall not apply to criminal procedures.

3. Member States shall not take specific measures in the meaning of paragraph 1 to proceedings in which it is for the court or competent judicial body to investigate the facts of the case.

Article 59

Liability

If any failure of a Member State to comply with its obligations under this Regulation causes damage to the router or EPRIS, that Member State shall be liable for such damage, unless and insofar as eu-LISA, Europol or another Member State bound by this Regulation failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

Article 60

Audits by the European Data Protection Supervisor

1. The European Data Protection Supervisor shall ensure that an audit of personal data processing operations by eu-LISA and Europol for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to the Union agency concerned. Europol and eu-LISA shall be given an opportunity to make comments before the reports are adopted.

2. eu-LISA and Europol shall supply information requested by the European Data Protection Supervisor to it, grant the European Data Protection Supervisor access to all the documents it requests and to their logs referred to in Articles 40 and 45 and allow the European Data Protection Supervisor access to all their premises at any time.

Article 61

Cooperation between supervisory authorities and the European Data Protection Supervisor

1. The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities and ensure coordinated supervision of the application of this Regulation, in particular if the European Data Protection Supervisor or a supervisory authority finds major discrepancies between practices of Member States or finds potentially unlawful transfers using the Prüm II communication channels.

2. In the cases referred to in paragraph 1 of this Article, coordinated supervision shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

3. The European Data Protection Board shall send a joint report of its activities under this Article to the European Parliament, to the Council, to the Commission, to Europol and to eu-LISA by [2 years after entry into operation of the router and EPRIS] and every two years thereafter. That report shall include a chapter on each Member State prepared by the supervisory authority of the Member State concerned.

Article 62

Communication of personal data to third countries and international organisations

Data processed in accordance with this Regulation shall not be transferred or made available to third countries or to international organisations in an automated manner.

CHAPTER 7

RESPONSIBILITIES

Article 63

Responsibilities of Member States

1. Each Member State shall be responsible for:

(a)the connection to the infrastructure of the router;

(b)the integration of the existing national systems and infrastructures with the router; 

(c)the organisation, management, operation and maintenance of its existing national infrastructure and of its connection to the router;

(d)the connection to the infrastructure of EPRIS;

(e)the integration of the existing national systems and infrastructures with EPRIS;

(f)the organisation, management, operation and maintenance of its existing national infrastructure and of its connection to EPRIS;

(g)the management of, and arrangements for, access by the duly authorised staff of the competent national authorities to the router in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;

(h)the management of, and arrangements for, access by the duly authorised staff of the competent national authorities to EPRIS in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;

(i)the management of, and arrangements for, access by the duly authorised staff of the competent national authorities to Eucaris in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;

(j)the manual confirmation of a match as referred to in Article 6(3), Article 7(3), Article 13(2), Article 22(2) and Article 26(2);

(k)ensuring the availability of the data necessary for the exchange of data in accordance with Article 6, Article 7, Article 13, Article 18, Article 22 and Article 26;

(l)the exchange of information in accordance with Article 6, Article 7, Article 13, Article 18, Article 22 and Article 26;

(m)deleting any data received from a requested Member State within 48 hours following the notification from the requested Member State that the personal data submitted was incorrect, no longer up-to-date or was unlawfully transmitted.

(n)compliance with the data quality requirements established in this Regulation.

2. Each Member State shall be responsible for connecting their competent national authorities to the router, EPRIS and Eucaris.

Article 64

Responsibilities of Europol

1. Europol shall be responsible for the management of, and arrangements for the access by its duly authorised staff to the router, EPRIS and Eucaris in accordance with this Regulation.

2. Europol shall also be responsible for the processing of the queries of Europol data by the router. Europol shall adapt its information systems accordingly.

3. Europol shall be responsible for any technical adaptations in Europol infrastructure required for establishing the connection to the router and to Eucaris.

4. Europol shall be responsible for the development of EPRIS in cooperation with the Member States. EPRIS shall provide the functionalities laid down in Articles 42 to 46.

Europol shall provide the technical management of EPRIS. Technical management of EPRIS shall consist of all the tasks and technical solutions necessary to keep the EPRIS central infrastructure functioning and providing uninterrupted services to Member States 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that EPRIS functions are at a satisfactory level of technical quality, in particular as regards the response time for interrogation of the national databases in accordance with the technical specifications.

5. Europol shall provide training on the technical use of EPRIS.

6. Europol shall be responsible for the procedures referred to in Articles 49 and 50.

Article 65

Responsibilities of eu-LISA during the design and development phase of the router

1. eu-LISA shall ensure that the central infrastructure of the router is operated in accordance with this Regulation.

2. The router shall be hosted by eu-LISA in its technical sites and shall provide the functionalities laid down in this Regulation in accordance with the conditions of security, availability, quality and performance referred to in Article 66(1).

3. eu-LISA shall be responsible for the development of the router and for any technical adaptations necessary for the operations of the router.

eu-LISA shall not have access to any of the personal data processed through the router.

eu-LISA shall define the design of the physical architecture of the router including its communication infrastructures and the technical specifications and its evolution as regards the central infrastructure and the secure communication infrastructure. This design shall be adopted by the Management Board, subject to a favourable opinion of the Commission. eu-LISA shall also implement any necessary adaptations to the interoperability components deriving from the establishment of the router as provided for by this Regulation.

eu-LISA shall develop and implement the router as soon as possible after the adoption by the Commission of the measures provided for in Article 37(6).

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination.

4. During the design and development phase, the Interoperability Programme Management Board referred to in Article 54 of Regulation (EU) 2019/817 and in Article 54 of Regulation (EU) 2019/818 shall meet regularly. It shall ensure the adequate management of the design and development phase of the router.

Every month, the Interoperability Programme Management Board shall submit written reports on progress of the project to eu-LISA's Management Board. The Interoperability Programme Management Board shall have no decision-making power, nor any mandate to represent the members of eu-LISA's Management Board.

The Advisory Group referred to in Article 77 shall meet regularly until the start of operations of the router. It shall report after each meeting to the Interoperability Programme Management Board. It shall provide the technical expertise to support the tasks of the Interoperability Programme Management Board and shall follow up on the state of preparation of the Member States.

Article 66

Responsibilities of eu-LISA following the start of operations of the router

1. Following the entry into operations of the router, eu-LISA shall be responsible for the technical management of the central infrastructure of the router, including its maintenance and technological developments. In cooperation with Member States, it shall ensure that the best available technology is used, subject to a cost-benefit analysis. eu-LISA shall also be responsible for the technical management of the necessary communication infrastructure.

Technical management of the router shall consist of all the tasks and technical solutions necessary to keep the router functioning and providing uninterrupted services to Member States and to Europol 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability and the response time for submitting requests to the national databases and Europol data in accordance with the technical specifications.

The router shall be developed and managed in such a way as to ensure fast, efficient and controlled access, full and uninterrupted availability of the router, and a response time in line with the operational needs of the competent authorities of the Member States and Europol.

2. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 42 , eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with data stored in the interoperability components. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

eu-LISA shall not have access to any of the personal data processed through the router.

3. eu-LISA shall also perform tasks related to providing training on the technical use of the router.

CHAPTER 8

AMENDMENTS TO OTHER EXISTING INSTRUMENTS

Article 67

Amendments to Decisions 2008/615/JHA and 2008/616/JHA

1.In Decision 2008/615/JHA, Articles 2 to 6 and Sections 2 and 3 of Chapter 2 are replaced with regard to the Member States bound by this Regulation from the date of application of the provisions of this Regulation related to the router as set out in Article 74.

Therefore, Articles 2 to 6 and Sections 2 and 3 of Chapter 2 of Decision 2008/615/JHA are deleted from the date of application of the provisions of this Regulation related to the router as set out in Article 74.

2.In Decision 2008/616/JHA, Chapters 2 to 5 and Articles 18, 20 and 21 are replaced with regard to the Member States bound by this Regulation from the date of application of the provisions of this Regulation related to the router as set out in Article 74. 

Therefore, Chapters 2 to 5 and Articles 18, 20 and 21 of Decision 2008/616/JHA are deleted from the date of application of the provisions of this Regulation related to the router as set out in Article 74.

Article 68

Amendments to Regulation (EU) 2018/1726

Regulation (EU) 2018/1726 is amended as follows:

(1)the following Article 13a is inserted:

“Article 13a

Tasks related to the router 

In relation to Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation], the Agency shall perform the tasks related to the router conferred on it by that Regulation.

___________

*    Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”

in Article 17, paragraph 3 is replaced by the following:

‘3. The seat of the Agency shall be Tallinn, Estonia.

The tasks relating to development and operational management referred to in Article 1(4) and (5) and Articles 3 to 8 and Articles 9, 11 and 13a shall be carried out at the technical site in Strasbourg, France.

A backup site capable of ensuring the operation of a large-scale IT system in the event of failure of such a system shall be installed in Sankt Johann im Pongau, Austria.’

Article 69

Amendments to Regulation (EU) 2019/817

In Article 6(2) of Regulation (EU) 2019/817 the following point (d) is added:

“(d) a secure communication infrastructure between the ESP and the router established by Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].

___________

*    Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”

Article 70

Amendments to Regulation (EU) 2019/818

Regulation (EU) 2019/818 is amended as follows:

(1)in Article 6(2), the following point (d) is added:

“(d) a secure communication infrastructure between the ESP and the router established by Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].

___________

*    Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”

(2)In Article 39, paragraphs 1 and 2 are replaced by the following:

“1. A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the SIS, Eurodac, ECRIS-TCN, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Prüm II.”

 “2. eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816 logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 65(1) of Regulation (EU) …/… * [this Regulation ]. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 74 of Regulation (EU) 2018/1862, Article 32 of Regulation (EU) 2019/816 and Article 65(1) of Regulation (EU) …/… * [this Regulation ].”

CHAPTER 9

FINAL PROVISIONS

Article 71

Reporting and statistics

1. The duly authorised staff of the competent authorities of Member States, the Commission, Europol and eu-LISA shall have access to consult the following data related to the router, solely for the purposes of reporting and statistics:

(a)number of queries per Member State and by Europol;

(b)number of queries per category of data;

(c)number of queries to each of the connected databases;

(d)number of matches against each Member State’s database per category of data;

(e)number of matches against Europol data per category of data;

(f)number of confirmed matches where there were exchanges of core data; and

(g)number of queries to the Common Identity Repository via the router.

It shall not be possible to identify individuals from the data.

2. The duly authorised staff of the competent authorities of Member States, Europol and the Commission shall have access to consult the following data related to Eucaris, solely for the purposes of reporting and statistics:

(a)number of queries per Member State and by Europol;

(b)number of queries to each of the connected databases; and

(c)number of matches against each Member State’s database. 

It shall not be possible to identify individuals from the data.

3. The duly authorised staff of the competent authorities of Member States, the Commission and Europol shall have access to consult the following data related to EPRIS, solely for the purposes of reporting and statistics:

(a)number of queries per Member State and by Europol;

(b)number of queries to each of the connected indexes; and

(c)number of matches against each Member State’s database. 

It shall not be possible to identify individuals from the data.

4. eu-LISA shall store the data referred to in those paragraphs.

The data shall allow the authorities referred to in paragraph 1 to obtain customisable reports and statistics to enhance the efficiency of law enforcement cooperation.

Article 72

Costs

1. Costs incurred in connection with the establishment and operation of the router and EPRIS shall be borne by the general budget of the Union.

2. Costs incurred in connection with the integration of the existing national infrastructures and their connections to the router and EPRIS as well as costs incurred in connection with the establishment of national facial images databases and police national indexes for the prevention, detection and investigation of criminal offences shall be borne by the general budget of the Union.

The following costs shall be excluded:

(a)Member States' project management office (meetings, missions, offices);

(b)hosting of national IT systems (space, implementation, electricity, cooling);

(c)operation of national IT systems (operators and support contracts);

(d)design, development, implementation, operation and maintenance of national communication networks.

3. Each Member State shall bear the costs arising from the administration, use and maintenance of the Eucaris software application referred to in Article 19(1).

4. Each Member State shall bear the costs arising from the administration, use and maintenance of their connections to the router and EPRIS.

Article 73

Notifications

1. Member States shall notify eu-LISA of the authorities referred to in Article 36, which may use or have access to the router.

2. eu-LISA shall notify the Commission of the successful completion of the tests referred to in Article 74(1), point (b).

3. Member States shall notify the Commission, Europol and eu-LISA of the national contact points.

Article 74

Start of operations

1. The Commission shall determine the date from which the Member States and the Union agencies may start using router by means of an implementing act once the following conditions have been met:

(a)the measures referred to in Article 37(6) have been adopted; 

(b)eu-LISA has declared the successful completion of a comprehensive test of the router, which it has conducted in cooperation with the Member States authorities’ and Europol.

In that implementing act the Commission shall also determine the date from which the Member States and the Union agencies must start using router. That date shall be one year after the date determined in accordance with the first subparagraph.

The Commission may postpone the date from which the Member States and the Union agencies must start using router by one year at most where an assessment of the implementation of the router has shown that such a postponement is necessary. That implementing act shall be adopted in accordance with the procedure referred to in Article 76(2).

2. The Commission shall determine the date from which the Member States and the Union agencies are to start using EPRIS by means of an implementing act once the following conditions have been met:

(a)the measures referred to in Article 44(7) have been adopted;

(b)Europol has declared the successful completion of a comprehensive test of EPRIS, which it has conducted in cooperation with the Member States’ authorities.

3. The Commission shall determine the date from which Europol is to make available third country-sourced biometric data to Member States in accordance with Article 49 by means of an implementing act once the following conditions have been met:

(a)the router is in operation;

(b)Europol has declared the successful completion of a comprehensive test of the connection, which it has conducted in cooperation with the Member States authorities’ and eu-LISA.

4. The Commission shall determine the date from which Europol is to have access to data stored in Member States’ databases in accordance with Article 50 by means of an implementing act once the following conditions have been met:

(a)the router is in operation;

(b)Europol has declared the successful completion of a comprehensive test of the connection, which it has conducted in cooperation with the Member States authorities’ and eu-LISA.

Article 75

Transitional provisions and derogations

1. Member States and the Union agencies shall start applying Articles 21 to 24, Article 47 and Article 50(6) from the date determined in accordance with Article 74(1), the first subparagraph with the exception of Member States, which did not start using the router.

2. Member States and the Union agencies shall start applying Articles 25 to 28 and Article 50(4) from the date determined in accordance with Article 74(2).

3. Member States and the Union agencies shall start applying Article 49 from the date determined in accordance with Article 74(3).

4. Member States and the Union agencies shall start applying Article 50(1), (2), (3), (5) and (7) from the date determined in accordance with Article 74(4).

Article 76

Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.

Article 77

Advisory group

The responsibilities of eu-LISA’s Interoperability Advisory Group shall be extended to cover the router. That Interoperability Advisory Group shall provide eu-LISA with expertise related to the router in particular in the context of the preparation of its annual work programme and its annual activity report.

Article 78

Practical handbook

The Commission shall, in close cooperation with the Member States, Europol and eu-LISA, make available a practical handbook for the implementation and management of this Regulation. The practical handbook shall provide technical and operational guidelines, recommendations and best practices. The Commission shall adopt the practical handbook in the form of a recommendation.

Article 79

Monitoring and evaluation

1. eu-LISA and Europol shall, respectively, ensure that procedures are in place to monitor the development of the router and of EPRIS in light of objectives relating to planning and costs and to monitor the functioning of the router and of EPRIS in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2. By [one year after entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall respectively submit a report to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and information as to any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 72.

Once the development of the router is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

3. By [one year after entry into force of this Regulation] and every year thereafter during the development phase of EPRIS, Europol shall submit a report to the European Parliament and to the Council on the state of preparation for the implementation of this Regulation and on the state of play of the development of EPRIS including detailed information about the costs incurred and information as to any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 72.

Once the development of EPRIS is finalised, Europol shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

4. For the purposes of technical maintenance, eu-LISA and Europol shall have access to the necessary information relating to the data processing operations performed in the router and EPRIS respectively.

5. Two years after the start of operations of the router and every two years thereafter, eu-LISA shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning of the router, including the security thereof.

6. Two years after the start of operations of EPRIS and every two years thereafter, Europol shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning of EPRIS, including the security thereof.

7. Three years after the start of operations of the router and EPRIS as referred to in Article 74 and every four years thereafter, the Commission shall produce an overall evaluation of Prüm II, including:

(a)an assessment of the application of this Regulation;

(b)an examination of the results achieved against the objectives of this Regulation and its impact on fundamental rights;

(c)the impact, effectiveness and efficiency of Prüm II performance and its working practices in light of its objectives, mandate and tasks;

(d)an assessment of the security of Prüm II.

The Commission shall transmit the evaluation report to the European Parliament, the Council, the European Data Protection Supervisor and the European Agency for Fundamental Rights.

8. The Member States and Europol shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 2 and 5. This information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

9. The Member States shall provide Europol and the Commission with the information necessary to draft the reports referred to in paragraphs 3 and 6. This information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

10. Member States, eu-LISA and Europol shall provide the Commission with the information necessary to produce the evaluations referred to in paragraph 7. Member States shall also provide the Commission with the number of confirmed matches against each Member State’s database per category of data.

Article 80

Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels,

LEGISLATIVE FINANCIAL STATEMENT

1.    FRAMEWORK OF THE LEGISLATIVE INITIATIVE

1.1.    Title of the legislative initiative

1.2.    Policy area(s) concerned

1.3.    The proposal relates to

◻ a new action

◻ a new action following a pilot project/preparatory action 43  

⌧ the extension of an existing action 

◻ a merger of one or more actions towards another/a new action 

1.4.    Objective(s)

1.4.1.    General objective(s)

1.4.2.    Specific objective(s)

1.4.3.    Expected result(s) and impact

Specify the effects which the legislative initiative should have on the beneficiaries/groups targeted.

1.4.4.    Indicators of performance

Specify the indicators for monitoring progress and achievements.

1.5.    Grounds for the legislative initiative

1.5.1.    Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the legislative initiative

1.5.2.    Added value of Union involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this point ‘added value of Union involvement’ is the value resulting from Union intervention which is additional to the value that would have been otherwise created by Member States alone.

1.5.3.    Lessons learned from similar experiences in the past

1.5.4.    Compatibility with the Multiannual Financial Framework and possible synergies with other appropriate instruments

1.5.5.    Assessment of the different available financing options, including scope for redeployment

The appropriations needed to finance the development of the Prüm II framework have not been planned under the Europol and eu-LISA MFF allocations, as this is a new proposal for which amounts were not known at the time of the proposal. It is proposed to increase Europol’s and eu-LISA’s allocations in years 2024, 2025, 2026 and 2027 by corresponding reductions in the Internal Security Fund (ISF) and the Border Management and Visa Policy Instrument (BMVI), respectively. 

1.6.    Duration and financial impact of the legislative initiative

◻ limited duration

◻    Proposal/initiative in effect from [DD/MM]YYYY to [DD/MM]YYYY

◻    Financial impact from YYYY to YYYY

⌧ unlimited duration

Implementation with a start-up period from 2024 to 2026

followed by full-scale operation.

1.7.    Management mode(s) planned 45  

⌧ Direct management by the Commission

–X by its departments, including by its staff in the Union delegations;

–◻ by executive agencies

⌧ Shared management with the Member States

⌧ Indirect management by entrusting budget implementation tasks to:

◻ international organisations and their agencies (to be specified);

◻the EIB and the European Investment Fund;

⌧ bodies referred to in Articles 70 and 71;

◻ public law bodies;

◻ bodies governed by private law with a public service mission to the extent that they provide adequate financial guarantees;

◻ bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that provide adequate financial guarantees;

◻ persons entrusted with the implementation of specific actions in the CFSP pursuant to Title V of the TEU, and identified in the relevant basic act.

Comments

2.    MANAGEMENT MEASURES

2.1.    Monitoring and reporting rules

Specify frequency and conditions.

2.2.    Management and control system(s)

2.2.1.    Information concerning the risks identified and the internal control system(s) set up to mitigate them

2.2.2.    Estimation and justification of the cost-effectiveness of the controls (ratio of "control costs ÷ value of the related funds managed"), and assessment of the expected levels of risk of error (at payment & at closure)

2.3.    Measures to prevent fraud and irregularities

Specify existing or envisaged prevention and protection measures, e.g. from the Anti-Fraud Strategy.

3.    ESTIMATED FINANCIAL IMPACT OF THE LEGISLATIVE INITIATIVE

3.1.    Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

Existing budget lines

In order of multiannual financial framework headings and budget lines.

3.2.    Estimated impact on expenditure

3.2.1.    Summary of estimated impact on expenditure

EUR million (to three decimal places)

Comment: The additional appropriations requested in the context of this proposal for Europol will be covered from the Internal Security Fund (ISF) under Heading 5.

EUR million (to three decimal places)

Comment: The additional appropriations requested in the context of this proposal for eu-LISA will be covered from the Border Management and Visa Policy Instrument (BMVI) under Heading 4.

Comment: The appropriations requested in the context of this proposal will be covered by appropriations already foreseen in the LFS underlying the ISF Regulation. No additional financial or human resources are requested in the context of this legislative proposal.

The costs per Member State include:

·upgrading their infrastructure to support the exchange of web services and set up the connection with the central router, implying efforts to analyse and define the new architectural landscape;

·upgrading their infrastructure to support the exchange of web services and set up the connection with the central router;

·configuring a web service exchange system and the setup of the connection with the central router;

·designing a new national architecture and the specifications to ensure the access of national data through the developed solutions (router and EPRIS);

·setting up a new index or making an already existing index available for police record exchange;

·setting up a new facial images database or making an already existing facial images database available for exchange.

·integrating the national solution;

·generic costs linked to project management.

The following table indicates the costs per category:

*Estimated MS without a facial images database

EUR million (to three decimal places)

EUR million (to three decimal places)

3.2.2.    Estimated impact on Europol’s appropriations

◻    The proposal/initiative does not require the use of operational appropriations

⌧    The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

3.2.3.    Estimated impact on eu-LISA’s appropriations

◻    The proposal/initiative does not require the use of operational appropriations

⌧    The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

3.2.4.    Estimated impact on Europol’s human resources

3.2.4.1.    Summary

◻    The proposal/initiative does not require the use of appropriations of an administrative nature

⌧    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

Staff requirements (FTE):

The human ressources necessary to implement the objectives of this proposal have been estimated in cooperation with Europol. The estimates take into consideration the expected increase in workload as stakeholders make more use of Europol’s services over time, as well as the time needed for Europol to absorb resources in order to avoid a situation where the agency would not be able to fully implement its EU contribution and commit appropriations in due time.

The human ressources necessary to implement the objectives of this proposal will be partially covered by existing staff at Europol’s (baseline) and partially by additional ressources (additional staff compared to baseline scenario).

No increase in contract agents is foreseen in the LFS.

For the implementation of Prüm II, the resources needed for Europol can be divided into 3 categories:

1) ICT costs for connecting to the biometric router at eu-LISA, necessary development works in Europol informations systems to expose Third Party sourced data for searches from Member States and integrate the searches in Prum with Third Party data in Europol single search interface USE-UI,

2) costs for staff in Europol Operations Directorate to perform the searches with Third Party sourced data and biometrics experts to perform the verification of hits,

3) hosting a central router for police records. This will include one off hardware costs (including different environments for production and testing for Member States), ICT staff to ensure the development and change management of ADEP.EPRIS software, testing with Member States, 24/7 helpdesk to support Member States in case of issues. In order to ensure full support to Member States, it requires the availability of different profiles of ICT staff, e.g. general coordination, requirements engineers, developers, testers, system administrators. It is foreseen to still need a slightly higher amount of ICT staff in the first year after entry into operation.

Due to security constraints and the agreed ceiling of contract agents, the majority of Prüm related tasks have to be performed by Europol staff. Certain less sensitive activities are foreseen to be outsourced to contractors (testing, some development tasks).                    

3.2.5.    Estimated impact on eu-LISA’s human resources

3.2.5.1.    Summary

◻    The proposal/initiative does not require the use of appropriations of an administrative nature

⌧    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

Staff requirements (FTE):

The human ressources necessary to implement the objectives of the new mandate have been estimated in cooperation with eu-LISA. The estimates take into consideration the expected increase in workload as stakeholders make more use of eu-LISA’s services over time, as well as the time needed for eu-LISA to absorb resources in order to avoid a situation where the agency would not be able to fully implement its EU contribution and commit appropriations in due time.

These estimates are based on the following staffing levels: