1.   ECRIS-TCN shall be composed of:

2.   The central system shall be hosted by eu-LISA at its technical sites.

3.   The interface software shall be integrated with the ECRIS reference implementation. The Member States shall use the ECRIS reference implementation or, in the situation and under the conditions set out in paragraphs 4 to 8, the national ECRIS implementation software to query ECRIS-TCN and to send subsequent requests for criminal records information.

4.   The Member States which use their national ECRIS implementation software shall be responsible for ensuring that their national ECRIS implementation software allows their national criminal records authorities to use ECRIS-TCN, with the exception of the Interface Software, in accordance with this Regulation. For that purpose, they shall, before the date of start of operations of ECRIS-TCN in accordance with Article 35(4), ensure that their national ECRIS implementation software functions in accordance with the protocols and technical specifications established in the implementing acts referred to in Article 10, and with any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts.

5.   For as long as they do not use the ECRIS reference implementation, Member States which use their national ECRIS implementation software shall also ensure the implementation of any subsequent technical adaptations to their national ECRIS implementation software required by any changes to the technical specifications established in the implementing acts referred to in Article 10, or changes to any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts, without undue delay.

6.   The Member States which use their national ECRIS implementation software shall bear all the costs associated with the implementation, maintenance and further development of their national ECRIS implementation software and its interconnection with ECRIS-TCN, with the exception of the interface software.

7.   If a Member State which uses its national ECRIS implementation software is unable to comply with its obligations under this Article, it shall be obliged to use the ECRIS reference implementation, including the integrated interface software, to make use of ECRIS-TCN.

8.   In view of the assessment to be carried out by the Commission pursuant to point (b) of Article 36(10), the Member States concerned shall provide the Commission with all necessary information.

1.   For each convicted third-country national, the central authority of the convicting Member State shall create a data record in the central system. The data record shall include:

2.   The fingerprint data referred to in point (b) of paragraph 1 of this Article shall have the technical specifications for the quality, resolution and processing of fingerprint data provided for in the implementing act referred to in point (b) of Article 10(1). The reference number of the fingerprint data of the convicted person shall include the code of the convicting Member State.

3.   The data record may also contain facial images of the convicted third-country national, if the law of the convicting Member State allows for the collection and storage of facial images of convicted persons.

4.   The convicting Member State shall create the data record automatically, where possible, and without undue delay after the conviction has been entered into the criminal records.

5.   The convicting Member States shall also create data records for convictions handed down prior to the date of start of entry of data in accordance with Article 35(1) to the extent that data related to convicted persons are stored in their national databases. In those cases, fingerprint data shall be included only where they have been collected during criminal proceedings in accordance with national law, and where they can be clearly matched with other identity information in criminal records.

6.   In order to comply with the obligations set out in points (b)(i) and (ii) of paragraph 1, and in paragraph 5, Member States may use fingerprint data collected for purposes other than criminal proceedings, where such use is permitted under national law.

1.   Until the entry into force of the delegated act provided for in paragraph 2, facial images may be used only to confirm the identity of a third-country national who has been identified as a result of an alphanumeric search or a search using fingerprint data.

2.   The Commission is empowered to adopt delegated acts in accordance with Article 37 supplementing this Regulation concerning the use of facial images for the purpose of identifying third-country nationals in order to identify the Member States holding information on previous convictions concerning such persons, when it becomes technically possible. Before exercising this empowerment, the Commission, taking into account necessity and proportionality, as well as technical developments in the field of facial recognition software, shall assess the availability and readiness of the required technology.

1.   The central authorities shall use ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in order to obtain information on previous convictions through ECRIS, when criminal records information on that person is requested in the Member State concerned for the purposes of criminal proceedings against that person, or for any of the following purposes, if provided for under and in accordance with national law:

However, in specific cases other than those in which a third-country national asks the central authority for information on his or her own criminal record, or where the request is made in order to obtain criminal records information pursuant to Article 10(2) of Directive 2011/93/EU, the authority requesting criminal records information may decide that such use of ECRIS-TCN is not appropriate.

2.   Any Member State which decides, if provided for under and in accordance with national law, to use ECRIS-TCN for purposes other than those set out in paragraph 1 in order to obtain information on previous convictions through ECRIS, shall, by the date of start of operations as referred to in Article 35(4), or any time thereafter, notify the Commission of such other purposes and any changes to such purposes. The Commission shall publish such notifications in the Official Journal of the European Union within 30 days of receipt of the notifications.

3.   Eurojust, Europol and the EPPO are entitled to query ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in accordance with Articles 14 to 18. However, they shall not enter, rectify or erase any data in ECRIS-TCN.

4.   For the purposes referred to in paragraphs 1, 2 and 3, the competent authorities may also query ECRIS-TCN to verify whether, in respect of a citizen of the Union, any Member State holds criminal records information concerning this person as a third-country national.

5.   When querying ECRIS-TCN, the competent authorities may use all or only some of the data referred to in Article 5(1). The minimum set of data that is required to query the system shall be specified in an implementing act adopted in accordance with point (g) of Article 10(1).

6.   The competent authorities may also query ECRIS-TCN using facial images, provided that such functionality has been implemented in accordance with Article 6(2).

7.   In the event of a hit, the central system shall automatically provide the competent authority with information on the Member States holding criminal records information on the third-country national, along with the associated reference numbers and any corresponding identity information. Such identity information shall only be used for the purpose of verifying the identity of the third-country national concerned. The result of a search in the central system may only be used for the purpose of making a request according to Article 6 of Framework Decision 2009/315/JHA or a request referred to in Article 17(3) of this Regulation.

8.   In the event that there is no hit, the central system shall automatically inform the competent authority.

1.   Each data record shall be stored in the central system for as long as the data related to the convictions of the person concerned are stored in the criminal records.

2.   Upon expiry of the retention period referred to in paragraph 1, the central authority of the convicting Member State shall erase the data record, including any fingerprint data or facial images, from the central system. The erasure shall be done automatically, where possible, and in any event no later than one month after the expiry of the retention period.

1.   The Member States may modify or erase the data which they have entered into ECRIS-TCN.

2.   Any modification of the information in the criminal records which led to the creation of a data record in accordance with Article 5 shall include identical modification of the information stored in that data record in the central system by the convicting Member State without undue delay.

3.   If a convicting Member State has reason to believe that the data it has recorded in the central system are inaccurate or that data were processed in the central system in contravention of this Regulation, it shall:

4.   If a Member State other than the convicting Member State which entered the data has reason to believe that data recorded in the central system are inaccurate or that data were processed in the central system in contravention of this Regulation, it shall contact the central authority of the convicting Member State without undue delay.

The convicting Member State shall:

1.   The Commission shall adopt the implementing acts necessary for the technical development and implementation of ECRIS-TCN as soon as possible, and in particular acts concerning:

2.   The implementing acts referred to in paragraph 1 shall be adopted in accordance with the examination procedure referred to in Article 38(2).

1.   eu-LISA shall be responsible for the development of ECRIS-TCN in accordance with the principle of data protection by design and by default. In addition, eu-LISA shall be responsible for the operational management of ECRIS-TCN. The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

2.   eu-LISA shall also be responsible for the further development and maintenance of the ECRIS reference implementation.

3.   eu-LISA shall define the design of the physical architecture of ECRIS-TCN including its technical specifications and evolution as regards the central system, the national central access point and the interface software. That design shall be adopted by its Management Board, subject to a favourable opinion of the Commission.

4.   eu-LISA shall develop and implement ECRIS-TCN as soon as possible after the entry into force of this Regulation and following the adoption by the Commission of the implementing acts provided for in Article 10.

5.   Prior to the design and development phase of ECRIS-TCN, the Management Board of eu-LISA shall establish a Programme Management Board composed of ten members.

The Programme Management Board shall be composed of eight members appointed by the Management Board, the Chair of the Advisory Group referred to in Article 39 and one member appointed by the Commission. The members appointed by the Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing ECRIS and which will participate in ECRIS-TCN. The Management Board shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial and criminal records authorities.

eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of ECRIS-TCN and on any other related work and activities.

The Programme Management Board shall meet at least once every three months, and more often when necessary. It shall ensure the adequate management of the design and development phase of ECRIS-TCN and shall ensure consistency between central and national ECRIS-TCN projects, and national ECRIS implementation software. The Programme Management Board shall submit written reports regularly and if possible every month to the Management Board of eu-LISA on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the Management Board.

6.   The Programme Management Board shall establish its rules of procedure which shall include in particular rules on:

7.   The chairmanship of the Programme Management Board shall be held by a Member State which is fully bound under Union law by the legislative instruments governing ECRIS and the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA.

8.   All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA. Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. The Programme Management Board's secretariat shall be ensured by eu-LISA.

9.   During the design and development phase, the Advisory Group referred to in Article 39 shall be composed of the national ECRIS-TCN project managers and chaired by eu-LISA. During the design and development phase it shall meet regularly, if possible at least once a month, until the start of operations of ECRIS-TCN. It shall report after each meeting to the Programme Management Board. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow up on the state of preparation of the Member States.

10.   In order to ensure the confidentiality and integrity of data stored in ECRIS-TCN at all times, eu-LISA shall, in cooperation with the Member States, provide for appropriate technical and organisational measures, taking into account the state of the art, the cost of implementation and the risks posed by the processing.

11.   eu-LISA shall be responsible for the following tasks related to the communication infrastructure referred to in point (d) of Article 4(1):

12.   The Commission shall be responsible for all other tasks relating to the communication infrastructure referred to in point (d) of Article 4(1), in particular:

13.   eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data stored in ECRIS-TCN and shall provide regular reports to the Member States. eu-LISA shall provide regular reports to the Commission covering the issues encountered and the Member States concerned.

14.   The operational management of ECRIS-TCN shall consist of all the tasks necessary to keep ECRIS-TCN operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that ECRIS-TCN functions at a satisfactory level in accordance with the technical specifications.

15.   eu-LISA shall perform tasks related to providing training on the technical use of ECRIS-TCN and the ECRIS reference implementation.

16.   Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (17), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the central system. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

1.   Each Member State shall be responsible for:

2.   Each Member State shall give the staff of its central authority who have a right to access ECRIS-TCN appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights, before authorising them to process data stored in the central system.

1.   In accordance with applicable Union data protection rules, each Member State shall ensure that the data recorded in ECRIS-TCN are processed lawfully, and in particular that:

2.   eu-LISA shall ensure that ECRIS-TCN is operated in accordance with this Regulation, with the delegated act referred to in Article 6(2) and with the implementing acts referred to in Article 10, as well as in accordance with Regulation (EU) 2018/1725. In particular, eu-LISA shall take the necessary measures to ensure the security of the central system and the communication infrastructure referred to in point (d) of Article 4(1), without prejudice to the responsibilities of each Member State.

3.   eu-LISA shall inform the European Parliament, the Council and the Commission as well as the European Data Protection Supervisor as soon as possible of the measures it takes pursuant to paragraph 2 in view of the start of operations of ECRIS-TCN.

4.   The Commission shall make the information referred to in paragraph 3 available to the Member States and to the public through a regularly updated public website.

1.   Eurojust shall have direct access to ECRIS-TCN for the purpose of the implementation of Article 17, as well as for fulfilling its tasks under Article 2 of Regulation (EU) 2018/1727, in order to identify the Member States holding information on previous convictions of third-country nationals.

2.   Europol shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under points (a) to (e) and (h) of Article 4(1) of Regulation (EU) 2016/794, in order to identify the Member States holding information on previous convictions of third-country nationals.

3.   The EPPO shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under Article 4 of Regulation (EU) 2017/1939, in order to identify the Member States holding information on previous convictions of third-country nationals.

4.   Following a hit indicating the Member States holding criminal records information on a third-country national, Eurojust, Europol, and the EPPO may use their respective contacts with the national authorities of those Member States to request the criminal records information in the manner provided for in their respective founding acts.

1.   Third countries and international organisations may, for the purposes of criminal proceedings, address requests for information on which Member States, if any, hold criminal records information on a third-country national to Eurojust. To that end, they shall use the standard form set out in the Annex to this Regulation.

2.   When Eurojust receives a request under paragraph 1, it shall use ECRIS-TCN to identify which Member States, if any, hold criminal records information on the third-country national concerned.

3.   If there is a hit, Eurojust shall ask the Member State that holds criminal records information on the third-country national concerned whether it consents to Eurojust informing the third country or the international organisation of the name of the Member State concerned. Where that Member State gives its consent, Eurojust shall inform the third country or the international organisation of the name of that Member State, and of how it can introduce a request for extracts from the criminal records with that Member State in accordance with the applicable procedures.

4.   In cases where there is no hit or where Eurojust cannot provide an answer in accordance with paragraph 3 to requests made under this Article, it shall inform the third country or international organisation concerned that it has completed the procedure, without providing any indication of whether criminal records information on the person concerned is held by one of the Member States.

1.   eu-LISA shall take the necessary measures to ensure the security of ECRIS-TCN, without prejudice to the responsibilities of each Member State, taking the security measures specified in paragraph 3 into consideration.

2.   As regards the operation of ECRIS-TCN, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 3, including the adoption of a security plan and a business continuity and disaster recovery plan, and to ensure that installed systems may, in case of interruption, be restored.

3.   The Member States shall ensure the security of the data before and during the transmission to and receipt from the national central access point. In particular, each Member State shall:

4.   eu-LISA and the Member States shall cooperate in order to ensure a coherent data security approach based on a security risk management process encompassing the entire ECRIS-TCN.

1.   Any person who, or any Member State which, has suffered material or non-material damage as a result of an unlawful processing operation or any other act incompatible with this Regulation shall be entitled to receive compensation from:

The Member State which is responsible for the damage suffered or eu-LISA, respectively, shall be exempted from liability, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.

2.   If any failure of a Member State, Eurojust, Europol, or the EPPO to comply with its obligations under this Regulation causes damage to ECRIS-TCN, that Member State, Eurojust, Europol, or the EPPO, respectively, shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in ECRIS-TCN failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the law of the defendant Member State. Claims for compensation against eu-LISA, Eurojust, Europol and the EPPO for the damage referred to in paragraphs 1 and 2 shall be governed by their respective founding acts.

1.   Each central authority is to be considered as data controller in accordance with applicable Union data protection rules for the processing of the personal data by that central authority's Member State under this Regulation.

2.   eu-LISA shall be considered as data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data entered into the central system by the Member States.

1.   The data entered into the central system shall only be processed for the purpose of the identification of the Member States holding the criminal records information on third-country nationals.

2.   With the exception of duly authorised staff of Eurojust, Europol and the EPPO who have access to ECRIS-TCN for the purposes of this Regulation, access to ECRIS-TCN shall be reserved exclusively to duly authorised staff of the central authorities. Access shall be limited to the extent needed for the performance of the tasks in accordance with the purpose referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.

1.   The requests of third-country nationals concerning the rights of access to personal data, to rectification and erasure and to restriction of processing of personal data which are set out in the applicable Union data protection rules may be addressed to the central authority of any Member State.

2.   Where a request is made to a Member State other than the convicting Member State, the Member State to which the request has been made shall forward it to the convicting Member State without undue delay and in any event within 10 working days of receiving the request. Upon receipt of the request, the convicting Member State shall:

3.   In the event that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, the convicting Member State shall rectify or erase the data in accordance with Article 9. The convicting Member State or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without undue delay that action has been taken to rectify or erase data relating to that person. The convicting Member State shall also without undue delay inform any other Member State which has been a recipient of conviction information obtained as a result of a query of ECRIS-TCN of what action has been taken.

4.   If the convicting Member State does not agree that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, that Member State shall adopt an administrative or judicial decision explaining in writing to the person concerned why it is not prepared to rectify or erase data relating to him or her. Such cases may, where appropriate, be communicated to the national supervisory authority.

5.   The Member State which has adopted the decision pursuant to paragraph 4 shall also provide the person concerned with information explaining the steps which that person can take if the explanation given pursuant to paragraph 4 is not acceptable to him or her. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the national supervisory authorities, that is available in accordance with the national law of that Member State.

6.   Any request made pursuant to paragraph 1 shall contain the information necessary to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 1 and shall be erased immediately afterwards.

7.   Where paragraph 2 applies, the central authority to whom the request was addressed shall keep a written record that such a request was made and of how it was addressed and to which authority it was forwarded. Upon request from the national supervisory authority, the central authority shall make that record available to that national supervisory authority without delay. The central authority and the national supervisory authority shall erase such records three years after their creation.

1.   The central authorities shall cooperate with each other in order to ensure respect for the rights laid down in Article 25.

2.   In each Member State, the national supervisory authority shall, upon request, provide information to the person concerned on how to exercise his or her right to rectify or erase data relating to him or to her, in accordance with the applicable Union data protection rules.

3.   For the purposes of this Article, the national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State to which the request has been made shall cooperate with each other.

1.   Each Member State shall ensure that the national supervisory authorities designated pursuant to applicable Union data protection rules shall monitor the lawfulness of the processing of personal data referred to in Articles 5 and 6 by the Member State concerned, including their transmission to and from ECRIS-TCN.

2.   The national supervisory authority shall ensure that an audit of the data processing operations in the national criminal records and fingerprints databases related to the data exchange between those systems and ECRIS-TCN is carried out in accordance with relevant international auditing standards at least every three years from the date of the start of operations of ECRIS-TCN.

3.   Member States shall ensure that their national supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation.

4.   Each Member State shall supply any information requested by its national supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 12, 13 and 19. Each Member State shall grant its national supervisory authorities access to its records pursuant to Article 25(7) and to its logs pursuant to Article 31(6) and allow them access at all times to all its ECRIS-TCN related premises.

1.   The European Data Protection Supervisor shall monitor that the personal data processing activities of eu-LISA concerning ECRIS-TCN are carried out in accordance with this Regulation.

2.   The European Data Protection Supervisor shall ensure that an audit of eu-LISA's personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, the Council, the Commission, eu-LISA and the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

3.   eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 31 and allow him or her access to all of its premises at any time.

1.   eu-LISA and the competent authorities shall ensure, in accordance with their respective responsibilities, that all data processing operations in ECRIS-TCN are logged in accordance with paragraph 2 for the purposes of checking the admissibility of requests, monitoring data integrity and security and the lawfulness of the data processing as well as for the purposes of self-monitoring.

2.   The log shall show:

3.   The log of consultations and disclosures shall make it possible to establish the justification of such operations.

4.   Logs shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 36. Those logs shall be protected by appropriate measures against unauthorised access and erased after three years, if they are no longer required for monitoring procedures which have already begun.

5.   On request, eu-LISA shall make the logs of its processing operations available to the central authorities without undue delay.

6.   The competent national supervisory authorities responsible for checking the admissibility of the requests and monitoring the lawfulness of the data processing and data integrity and security shall have access to logs at their request for the purpose of fulfilling their duties. On request, the central authorities shall make the logs of their processing operations available to the competent national supervisory authorities without undue delay.

1.   The duly authorised staff of eu-LISA, of the competent authorities and of the Commission shall have access to the data processed within ECRIS-TCN solely for the purposes of reporting and providing statistics, without allowing for individual identification.

2.   For the purpose of paragraph 1, eu-LISA shall establish, implement and host a central repository at its technical sites containing the data referred to in paragraph 1 which, without allowing for individual identification, enables customisable reports and statistics to be obtained. Access to the central repository shall be granted by means of secured access with control of access and specific user profiles, solely for the purpose of reporting and statistics.

3.   The procedures put in place by eu-LISA to monitor the functioning of ECRIS-TCN referred to in Article 36 as well as the ECRIS reference implementation shall include the possibility to produce regular statistics for monitoring purposes.

Every month eu-LISA shall submit to the Commission statistics relating to the recording, storage and exchange of information extracted from criminal records through ECRIS-TCN and the ECRIS reference implementation. eu-LISA shall ensure that it is not possible to identify individuals on the basis of those statistics. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation.

4.   The Member States shall provide eu-LISA with the statistics necessary to fulfil its obligations referred to in this Article. They shall provide the Commission with statistics on the number of convicted third-country nationals, as well as the number of convictions of third-country nationals on their territory.

1.   The costs incurred in connection with the establishment and operation of the central system, the communication infrastructure referred to in point (d) of Article 4(1), the interface software and the ECRIS reference implementation shall be borne by the general budget of the Union.

2.   The costs of connection of Eurojust, Europol and the EPPO to ECRIS-TCN shall be borne by their respective budgets.

3.   Other costs shall be borne by the Member States, specifically the costs incurred by the connection of the existing national criminal records registers, fingerprints databases and the central authorities to ECRIS-TCN, as well as the costs of hosting the ECRIS reference implementation.

1.   Each Member State shall notify eu-LISA of its central authority, or authorities, that has access to enter, rectify, erase, consult or search data, as well as of any change in this respect.

2.   eu-LISA shall ensure publication of the list of central authorities notified by the Member States, both in the Official Journal of the European Union and on its website. When eu-LISA receives notification of a change to a Member State's central authority, it shall update the list without undue delay.

1.   Once the Commission is satisfied that the following conditions are met, it shall determine the date from which the Member States shall start entering the data referred to in Article 5 into ECRIS-TCN:

2.   When the Commission has determined the date of start of entry of data in accordance with paragraph 1, it shall communicate that date to the Member States. Within a period of two months following that date, the Member States shall enter the data referred to in Article 5 into ECRIS-TCN, taking account of Article 41(2).

3.   After the end of the period referred to in paragraph 2, eu-LISA shall carry out a final test of ECRIS-TCN, in cooperation with the Member States.

4.   When the test referred to in paragraph 3 has been successfully completed and eu-LISA considers that ECRIS-TCN is ready to start operations, it shall notify the Commission. The Commission shall inform the European Parliament and the Council of the results of the test and shall decide on the date on which ECRIS-TCN is to start operations.

5.   The decision of the Commission on the date of the start of operations of ECRIS-TCN, as referred to in paragraph 4, shall be published in the Official Journal of the European Union.

6.   The Member States shall start using ECRIS-TCN from the date determined by the Commission in accordance with paragraph 4.

7.   When taking the decisions referred to in this Article, the Commission may specify different dates for the entry into ECRIS-TCN of alphanumeric data and fingerprint data as referred to in Article 5, as well as for the start of operations with respect to those different categories of data.

1.   eu-LISA shall ensure that procedures are in place to monitor the development of ECRIS-TCN in light of objectives relating to planning and costs and to monitor the functioning of ECRIS-TCN and the ECRIS reference implementation in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.   For the purposes of monitoring the functioning of ECRIS-TCN and its technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in ECRIS-TCN and in the ECRIS reference implementation.

3.   By 12 December 2019 and every six months thereafter during the design and development phase, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of ECRIS-TCN and of the ECRIS reference implementation.

4.   The report referred to in paragraph 3 shall include an overview of the current costs and the progress of the project, a financial impact assessment, and information on any technical problems and risks that may impact the overall costs of ECRIS-TCN to be borne by the general budget of the Union in accordance with Article 33.

5.   In the event of substantial delays in the development process, eu-LISA shall inform the European Parliament and the Council as soon as possible of the reasons for these delays and of their impact in terms of time and finances.

6.   Once the development of ECRIS-TCN and of the ECRIS reference implementation is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

7.   In the event of a technical upgrade of ECRIS-TCN which could result in substantial costs, eu-LISA shall inform the European Parliament and the Council.

8.   Two years after the start of operations of ECRIS-TCN and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of ECRIS-TCN and of the ECRIS reference implementation, including their security, based in particular on the statistics on the functioning and use of ECRIS-TCN and on the exchange, through the ECRIS reference implementation, of information extracted from the criminal records.

9.   Four years after the start of operations of ECRIS-TCN and every four years thereafter, the Commission shall conduct an overall evaluation of ECRIS-TCN and of the ECRIS reference implementation. The overall evaluation report established on this basis shall include an assessment of the application of this Regulation and an examination of results that have been achieved relative to the objectives that were set and of the impact on fundamental rights. The report shall also include an assessment of whether the underlying rationale for operating ECRIS-TCN continues to hold, of the appropriateness of the use of biometric data for the purposes of ECRIS-TCN, of the security of ECRIS-TCN and of any security implications for future operations. The evaluation shall include any necessary recommendations. The Commission shall transmit the report to the European Parliament, the Council, the European Data Protection Supervisor and the European Union Agency for Fundamental Rights.

10.   In addition, the first overall evaluation as referred to in paragraph 9 shall include an assessment of:

The assessment may be accompanied, if necessary, by legislative proposals. Subsequent overall evaluations may include an assessment of any or all of those aspects.

11.   The Member States, Eurojust, Europol and the EPPO shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 8 and 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.

12.   Where relevant, the supervisory authorities shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraph 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.

13.   eu-LISA shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 9.

1.   The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.   The power to adopt delegated acts referred to in Article 6(2) shall be conferred on the Commission for an indeterminate period of time from 11 June 2019.

3.   The delegation of power referred to in Article 6(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.   Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5.   As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.   A delegated act adopted pursuant to Article 6(2) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

1.   Member States shall take the necessary measures to comply with this Regulation as soon as possible so as to ensure the proper functioning of ECRIS-TCN.

2.   For convictions handed down prior to the date of start of entry of data in accordance with Article 35(1), the central authorities shall create the individual data records in the central system as follows:

This form, which is available at www.eurojust.europa.eu in all 24 official languages of the institutions of the Union, should be addressed in one of those languages to ECRIS-TCN@eurojust.europa.eu

Requesting state or international organisation:

Name of state or international organisation:

Authority submitting the request:

Represented by (name of person):

Title:

Address:

Telephone number:

Email address:

Criminal proceedings for which the information is sought:

Domestic reference number:

Competent authority:

Type of crimes under investigation (please mention relevant article(s) of criminal code):

Other relevant information (e.g. urgency of the request):

Identity information of the person having the nationality of a third country in respect of whom information regarding the convicting Member State is sought:

NB: please provide as much available information as possible.

Surname (family name):

First name(s) (given names):

Date of birth:

Place of birth (town and country):

Nationality or nationalities:

Gender:

Previous name(s), if applicable:

Parents’ names:

Identity number:

Type and number of the person’s identification document(s):

Issuing authority of document(s):

Pseudonyms or aliases:

If fingerprint data are available, please provide these.

In case of multiple persons, please indicate them separately

A drop down panel would allow the insertion of additional subjects

Place

Date

(Electronic) signature and stamp:

1.   This Regulation, together with Regulation (EU) 2019/818 of the European Parliament and of the Council (34), establishes a framework to ensure interoperability between the Entry/Exit System (EES), the Visa Information System (VIS), the European Travel Information and Authorisation System (ETIAS), Eurodac, the Schengen Information System (SIS), and the European Criminal Records Information System for third-country nationals (ECRIS-TCN).

2.   The framework shall include the following interoperability components:

3.   This Regulation also lays down provisions on data quality requirements, on a universal message format (UMF), on a central repository for reporting and statistics (CRRS) and on the responsibilities of the Member States and of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA), with respect to the design, development and operation of the interoperability components.

4.   This Regulation also adapts the procedures and conditions for the designated authorities and for the European Union Agency for Law Enforcement Cooperation (Europol) to access the EES, VIS, ETIAS and Eurodac for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences.

5.   This Regulation also lays down a framework for verifying the identity of persons and for identifying persons.

1.   By ensuring interoperability, this Regulation has the following objectives:

2.   The objectives referred to in paragraph 1 shall be achieved by:

1.   This Regulation applies to the EES, VIS, ETIAS and SIS.

2.   This Regulation applies to persons in respect of whom personal data may be processed in the EU information systems referred to in paragraph 1 of this Article and whose data are collected for the purposes defined in Articles 1 and 2 of Regulation (EC) No 767/2008, Article 1 of Regulation (EU) 2017/2226, Articles 1 and 4 of Regulation (EU) 2018/1240, Article 1 of Regulation (EU) 2018/1860 and Article 1 of Regulation (EU) 2018/1861.

1.   A European search portal (ESP) is established for the purposes of facilitating the fast, seamless, efficient, systematic and controlled access of Member State authorities and Union agencies to the EU information systems, to Europol data and to the Interpol databases for the performance of their tasks and in accordance with their access rights and the objectives and purposes of the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.

2.   The ESP shall be composed of:

3.   eu-LISA shall develop the ESP and ensure its technical management.

1.   The use of the ESP shall be reserved to the Member State authorities and Union agencies having access to at least one of the EU information systems in accordance with the legal instruments governing those EU information systems, to the CIR and the MID in accordance with this Regulation, to Europol data in accordance with Regulation (EU) 2016/794 or to the Interpol databases in accordance with Union or national law governing such access.

Those Member State authorities and Union agencies may make use of the ESP and the data provided by it only for the objectives and purposes laid down in the legal instruments governing those EU information systems, in Regulation (EU) 2016/794 and in this Regulation.

2.   The Member State authorities and Union agencies referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the central systems of the EES, VIS and ETIAS in accordance with their access rights as referred to in the legal instruments governing those EU information systems and in national law. They shall also use the ESP to query the CIR in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22.

3.   The Member State authorities referred to in paragraph 1 may use the ESP to search data related to persons or their travel documents in the Central SIS referred to in Regulations (EU) 2018/1860 and (EU) 2018/1861.

4.   Where provided for under Union law, the Union agencies referred to in paragraph 1 shall use the ESP to search data related to persons or their travel documents in the Central SIS.

5.   The Member State authorities and Union agencies referred to in paragraph 1 may use the ESP to search data related to travel documents in the Interpol databases, where provided for and in accordance with their access rights under Union and national law.

1.   For the purposes of enabling the use of the ESP, eu-LISA shall, in cooperation with Member States, create a profile based on each category of ESP user and on the purposes of the queries, in accordance with the technical details and access rights referred to in paragraph 2. Each profile shall, in accordance with Union and national law, comprise the following information:

2.   The Commission shall adopt implementing acts to specify the technical details of the profiles referred to in paragraph 1 in accordance with the ESP users' access rights under the legal instruments governing the EU information systems and under national law. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

3.   The profiles referred to in paragraph 1 shall be reviewed regularly by eu-LISA in cooperation with Member States, at least once per year, and if necessary updated.

1.   The ESP users shall launch a query by submitting alphanumeric or biometric data to the ESP. Where a query has been launched, the ESP shall query the EES, ETIAS, VIS, SIS, Eurodac, ECRIS-TCN, the CIR, Europol data and the Interpol databases simultaneously with the data submitted by the user and in accordance with the user profile.

2.   The categories of data used to launch a query via the ESP shall correspond to the categories of data related to persons or travel documents that may be used to query the various EU information systems, Europol data and the Interpol databases in accordance with the legal instruments governing them.

3.   eu-LISA, in cooperation with Member States, shall implement an interface control document based on the UMF referred to in Article 38 for the ESP.

4.   When a query is launched by an ESP user, the EES, ETIAS, VIS, SIS, Eurodac, ECRIS-TCN, the CIR, the MID, the Europol data and the Interpol databases shall in reply to the query provide the data that they hold.

Without prejudice to Article 20, the reply provided by the ESP shall indicate to which EU information system or database the data belong.

The ESP shall provide no information regarding data in EU information systems, Europol data and the Interpol databases to which the user has no access under the applicable Union and national law.

5.   Any queries of the Interpol databases launched via the ESP shall be performed in such a way that no information shall be revealed to the owner of the Interpol alert.

6.   The ESP shall provide replies to the user as soon as data are available from one of the EU information systems, Europol data or Interpol databases. Those replies shall contain only the data to which the user has access under Union and national law.

7.   The Commission shall adopt an implementing act to specify the technical procedure for the ESP to query the EU information systems, Europol data and Interpol databases and the format of the ESP replies. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).

1.   Without prejudice to Article 46 of Regulation (EU) 2017/2226, Article 34 of Regulation (EC) No 767/2008, Article 69 of Regulation (EU) 2018/1240 and Articles 12 and 18 of Regulation (EU) 2018/1861, eu-LISA shall keep logs of all data processing operations in the ESP. Those logs shall include the following:

2.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the ESP make. Each Union agency shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

1.   Where it is technically impossible to use the ESP to query one or several EU information systems or the CIR, because of a failure of the ESP, the ESP users shall be notified in an automated manner by eu-LISA.

2.   Where it is technically impossible to use the ESP to query one or several EU information systems or the CIR, because of a failure of the national infrastructure in a Member State, that Member State shall notify eu-LISA and the Commission in an automated manner.

3.   In the cases referred to in paragraphs 1 or 2 of this Article, and until the technical failure is addressed, the obligation referred to in Article 7(2) and (4) shall not apply and Member States shall access the EU information systems or the CIR directly where they are required to do so under Union or national law.

4.   Where it is technically impossible to use the ESP to query one or several EU information systems or the CIR, because of a failure of the infrastructure of a Union agency, that agency shall notify eu-LISA and the Commission in an automated manner.

1.   A shared biometric matching service (shared BMS) storing biometric templates obtained from the biometric data referred to in Article 13 that are stored in the CIR and SIS and enabling querying with biometric data across several EU information systems is established for the purposes of supporting the CIR and the MID and the objectives of the EES, VIS, Eurodac, SIS and ECRIS-TCN.

2.   The shared BMS shall be composed of:

3.   eu-LISA shall develop the shared BMS and ensure its technical management.

1.   The shared BMS shall store the biometric templates, which it shall obtain from the following biometric data:

The biometric templates shall be stored in the shared BMS in logically separated form according to the EU information system from which the data originate.

2.   For each set of data referred to in paragraph 1, the shared BMS shall include in each biometric template a reference to the EU information systems in which the corresponding biometric data are stored and a reference to the actual records in those EU information systems.

3.   Biometric templates shall only be entered in the shared BMS following an automated quality check of the biometric data added to one of the EU information systems performed by the shared BMS to ascertain the fulfilment of a minimum data quality standard.

4.   The storage of the data referred to in paragraph 1 shall meet the quality standards referred to in Article 37(2).

5.   The Commission shall lay down, by means of an implementing act, the performance requirements and practical arrangements for monitoring the performance of the shared BMS in order to ensure that the effectiveness of biometric searches respect time-critical procedures such as border checks and identifications. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).

1.   Without prejudice to Article 46 of Regulation (EU) 2017/2226, Article 34 of Regulation (EC) No 767/2008 and Articles 12 and 18 of Regulation (EU) 2018/1861, eu-LISA shall keep logs of all data processing operations in the shared BMS. Those logs shall include the following:

2.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the shared BMS make. Each Union agency shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

1.   A common identity repository (CIR), creating an individual file for each person that is registered in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN containing the data referred to in Article 18, is established for the purpose of facilitating and assisting in the correct identification of persons registered in the EES, VIS, ETIAS, Eurodac and ECRIS-TCN in accordance with Article 20, of supporting the functioning of the MID in accordance with Article 21 and of facilitating and streamlining access by designated authorities and Europol to the EES, VIS, ETIAS and Eurodac, where necessary for the prevention, detection or investigation of terrorist offences or other serious criminal offences in accordance with Article 22.

2.   The CIR shall be composed of:

3.   eu-LISA shall develop the CIR and ensure its technical management.

4.   Where it is technically impossible because of a failure of the CIR to query the CIR for the purpose of identifying a person pursuant to Article 20, for the detection of multiple identities pursuant to Article 21 or for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences pursuant to Article 22, the CIR users shall be notified by eu-LISA in an automated manner.

5.   eu-LISA, in cooperation with Member States, shall implement an interface control document based on the UMF referred to in Article 38 for the CIR.

1.   The CIR shall store the following data, logically separated according to the information system from which the data have originated:

2.   For each set of data referred to in paragraph 1, the CIR shall include a reference to the EU information systems to which the data belong.

3.   The authorities accessing the CIR shall do so in accordance with their access rights under the legal instruments governing the EU information systems, and under national law and in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22.

4.   For each set of data referred to in paragraph 1, the CIR shall include a reference to the actual record in the EU information systems to which the data belong.

5.   The storage of the data referred to in paragraph 1 shall meet the quality standards referred to in Article 37(2).

1.   Where data are added, amended or deleted in the EES, VIS and ETIAS, the data referred to in Article 18 stored in the individual file of the CIR shall be added, amended or deleted accordingly in an automated manner.

2.   Where a white or red link is created in the MID in accordance with Article 32 or 33 between the data of two or more of the EU information systems constituting the CIR, instead of creating a new individual file, the CIR shall add the new data to the individual file of the linked data.

1.   Queries of the CIR shall be carried out by a police authority in accordance with paragraphs 2 and 5 only in the following circumstances:

Such queries shall not be allowed against minors under the age of 12 years old, unless in the best interests of the child.

2.   Where one of the circumstances listed in paragraph 1 arises and a police authority has been so empowered by national legislative measures as referred to in paragraph 5, it may, solely for the purpose of identifying a person, query the CIR with the biometric data of that person taken live during an identity check, provided that the procedure was initiated in the presence of that person.

3.   Where the query indicates that data on that person are stored in the CIR, the police authority shall have access to consult the data referred to in Article 18(1).

Where the biometric data of the person cannot be used or where the query with that data fails, the query shall be carried out with identity data of the person in combination with travel document data, or with the identity data provided by that person.

4.   Where a police authority has been so empowered by national legislative measures as referred to in paragraph 6, it may, in the event of a natural disaster, an accident or a terrorist attack and solely for the purpose of identifying unknown persons who are unable to identify themselves or unidentified human remains, query the CIR with the biometric data of those persons.

5.   Member States wishing to avail themselves of the possibility provided for in paragraph 2 shall adopt national legislative measures. When doing so, Member States shall take into account the need to avoid any discrimination against third-country nationals. Such legislative measures shall specify the precise purposes of the identification within the purposes referred to in Article 2(1)(b) and (c). They shall designate the competent police authorities and lay down the procedures, conditions and criteria of such checks.

6.   Member States wishing to avail themselves of the possibility provided for in paragraph 4 shall adopt national legislative measures laying down the procedures, conditions and criteria.

1.   Where a query of the CIR results in a yellow link in accordance with Article 28(4), the authority responsible for the manual verification of different identities in accordance with Article 29 shall have access, solely for the purpose of that verification, to the data referred to in Article 18(1) and (2) stored in the CIR connected by a yellow link.

2.   Where a query of the CIR results in a red link in accordance with Article 32, the authorities referred to in Article 26(2) shall have access, solely for the purposes of combating identity fraud, to the data referred to in Article 18(1) and (2) stored in the CIR connected by a red link.

1.   In a specific case, where there are reasonable grounds to believe that consultation of EU information systems will contribute to the prevention, detection or investigation of terrorist offences or other serious criminal offences, in particular where there is a suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offences is a person whose data are stored in the EES, VIS or ETIAS, the designated authorities and Europol may consult the CIR in order to obtain information on whether data on a specific person are present in the EES, VIS or ETIAS.

2.   Where in reply to a query the CIR indicates that data on that person are present in the EES, VIS or ETIAS, the CIR shall provide to designated authorities and Europol a reply in the form of a reference as referred to in Article 18(2) indicating which of those EU information systems contains matching data. The CIR shall reply in such a way that the security of the data is not compromised.

The reply indicating that data on that person are present in any of the EU information systems referred to in paragraph 1 shall be used only for the purposes of submitting a request for full access subject to the conditions and procedures laid down in the respective legal instruments governing such access.

In the event of a match or multiple matches, the designated authority or Europol shall make a request for full access to at least one of the information systems from which a match was generated.

Where exceptionally, such full access is not requested, the designated authorities shall record the justification for not making the request, which shall be traceable to the national file. Europol shall record the justification in the relevant file.

3.   Full access to the data contained in the EES, VIS or ETIAS for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences remains subject to the conditions and procedures laid down in the respective legal instruments governing such access.

1.   The data referred to in Article 18(1), (2) and (4) shall be deleted from the CIR in an automated manner in accordance with the data retention provisions of Regulations (EU) 2017/2226, (EC) No 767/2008 and (EU) 2018/1240 respectively.

2.   The individual file shall be stored in the CIR only for as long as the corresponding data are stored in at least one of the EU information systems whose data are contained in the CIR. The creation of a link shall not affect the retention period of each item of the linked data.

1.   Without prejudice to Article 46 of Regulation (EU) 2017/2226, Article 34 of Regulation (EC) No 767/2008 and Article 69 of Regulation (EU) 2018/1240, eu-LISA shall keep logs of all data processing operations in the CIR in accordance with paragraphs 2, 3 and 4 of this Article.

2.   eu-LISA shall keep logs of all data processing operations pursuant to Article 20 in the CIR. Those logs shall include the following:

3.   eu-LISA shall keep logs of all data processing operations pursuant to Article 21 in the CIR. Those logs shall include the following:

4.   eu-LISA shall keep logs of all data processing operations pursuant to Article 22 in the CIR. Those logs shall include the following:

The logs of such access shall be regularly verified by the competent supervisory authority in accordance with Article 41 of Directive (EU) 2016/680 or by the European Data Protection Supervisor in accordance with Article 43 of Regulation (EU) 2016/794, at intervals not exceeding six months, to verify whether the procedures and conditions set out in Article 22(1) and (2) of this Regulation are fulfilled.

5.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the CIR make pursuant to Articles 20, 21 and 22. Each Union agency shall keep logs of queries that its duly authorised staff make pursuant to Articles 21 and 22.

In addition, for any access to the CIR pursuant to Article 22, each Member State shall keep the following logs:

6.   In accordance with Regulation (EU) 2016/794, for any access to the CIR pursuant to Article 22 of this Regulation, Europol shall keep logs of the unique user identity of the official who carried out the query and of the official who ordered the query.

7.   The logs referred to in paragraphs 2 to 6 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

8.   eu-LISA shall store the logs related to the history of the data, in individual files. eu-LISA shall erase such logs in an automated manner, once the data are erased.

1.   A multiple-identity detector (MID) creating and storing identity confirmation files as referred to in Article 34, containing links between data in the EU information systems included in the CIR and SIS and allowing detection of multiple identities, with the dual purpose of facilitating identity checks and combating identity fraud, is established for the purpose of supporting the functioning of the CIR and the objectives of the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.

2.   The MID shall be composed of:

3.   eu-LISA shall develop the MID and ensure its technical management.

1.   For the purposes of the manual verification of different identities referred to in Article 29, access to the data referred to in Article 34 stored in the MID shall be granted to:

2.   Member State authorities and Union agencies having access to at least one EU information system included in the CIR or to SIS shall have access to the data referred to in Article 34(a) and (b) regarding any red links referred to in Article 32.

3.   Member State authorities and Union agencies shall have access to the white links referred to in Article 33 where they have access to the two EU information systems containing data between which the white link was created.

4.   Member State authorities and Union agencies shall have access to the green links referred to in Article 31 where they have access to the two EU information systems containing data between which the green link was created and a query of those information systems has revealed a match with the two sets of linked data.

1.   Multiple-identity detection in the CIR and SIS shall be launched where:

2.   Where the data contained within an EU information system referred to in paragraph 1 contains biometric data, the CIR and Central SIS shall use the shared BMS in order to perform multiple-identity detection. The shared BMS shall compare the biometric templates obtained from any new biometric data to the biometric templates already contained in the shared BMS in order to verify whether data belonging to the same person are already stored in the CIR or in Central SIS.

3.   In addition to the process referred to in paragraph 2, the CIR and Central SIS shall use the ESP to search the data stored in Central SIS and the CIR respectively using the following data:

4.   In addition to the process referred to in paragraphs 2 and 3, the CIR and Central SIS shall use the ESP to search the data stored in Central SIS and the CIR respectively using travel document data.

5.   The multiple-identity detection shall only be launched in order to compare data available in one EU information system with data available in other EU information systems.

1.   Where the queries referred to in Article 27(2), (3) and (4) do not report any match, the procedures referred to in Article 27(1) shall continue in accordance with the legal instruments governing them.

2.   Where the query laid down in Article 27(2), (3) and (4) reports one or several matches, the CIR and, where relevant, SIS shall create a link between the data used to launch the query and the data triggering the match.

Where several matches are reported, a link shall be created between all data triggering the match. Where the data were already linked, the existing link shall be extended to the data used to launch the query.

3.   Where the query referred to in Article 27(2), (3) and (4) reports one or several matches and the identity data of the linked files are the same or similar, a white link shall be created in accordance with Article 33.

4.   Where the query referred to in Article 27(2), (3) and (4) reports one or several matches and the identity data of the linked files cannot be considered to be similar, a yellow link shall be created in accordance with Article 30 and the procedure referred to in Article 29 shall apply.

5.   The Commission shall adopt delegated acts in accordance with Article 73 laying down the procedures to determine the cases in which identity data can be considered to be the same or similar.

6.   The links shall be stored in the identity confirmation file referred to in Article 34.

7.   The Commission shall, in cooperation with eu-LISA, lay down the technical rules for creating links between data from different EU information systems, by implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

1.   Without prejudice to paragraph 2, the authority responsible for manual verification of different identities shall be:

The MID shall indicate the authority responsible for the manual verification of different identities in the identity confirmation file.

2.   The authority responsible for the manual verification of different identities in the identity confirmation file shall be the SIRENE Bureau of the Member State that created the alert where a link is created to data contained in an alert:

3.   Without prejudice to paragraph 4 of this Article, the authority responsible for the manual verification of different identities shall have access to the linked data contained in the relevant identity confirmation file and to the identity data linked in the CIR and, where relevant, in SIS. It shall assess the different identities without delay. Once such assessment is completed, it shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay.

4.   Where the authority responsible for the manual verification of different identities in the identity confirmation file is the competent authority designated in accordance with Article 9(2) of Regulation (EU) 2017/2226 creating or updating an individual file in the EES in accordance with Article 14 of that Regulation, and where a yellow link is created, that authority shall carry out additional verifications. That authority shall, for that purpose only, have access to the related data contained in the relevant identity confirmation file. It shall assess the different identities, update the link in accordance with Articles 31, 32 and 33 of this Regulation and add it to the identity confirmation file without delay.

Such manual verification of different identities shall be initiated in the presence of the person concerned, who shall be offered the opportunity to explain the circumstances to the authority responsible, which shall take those explanations into account.

In cases in which the manual verification of different identities takes place at the border, it shall take place within 12 hours from the creation of a yellow link under Article 28(4), where possible.

5.   Where more than one link is created, the authority responsible for the manual verification of different identities shall assess each link separately.

6.   Where data reporting a match were already linked, the authority responsible for the manual verification of different identities shall take into account the existing links when assessing the creation of new links.

1.   Where manual verification of different identities has not yet taken place, a link between data from two or more EU information systems shall be classified as yellow in any of the following cases:

2.   Where a link is classified as yellow in accordance with paragraph 1, the procedure laid down in Article 29 applies.

1.   A link between data from two or more EU information systems shall be classified as green where:

2.   Where the CIR or SIS are queried and where a green link exists between data in two or more of the EU information systems, the MID shall indicate that the identity data of the linked data do not correspond to the same person.

3.   If a Member State authority has evidence to suggest that a green link has been incorrectly recorded in the MID, that a green link is out of date or that data were processed in the MID or the EU information systems in breach of this Regulation, it shall check the relevant data stored in the CIR and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification of different identities without delay.

1.   A link between data from two or more EU information systems shall be classified as red in any of the following cases:

2.   Where the CIR or SIS are queried and where a red link exists between data in two or more of the EU information systems, the MID shall indicate the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law, with any legal consequence for the person concerned being based only on the relevant data on that person. No legal consequence for the person concerned shall derive solely from the existence of a red link.

3.   Where a red link is created between data in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN, the individual file stored in the CIR shall be updated in accordance with Article 19(2).

4.   Without prejudice to the provisions related to the handling of alerts in SIS contained in Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862, and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that no national investigation will be jeopardised, where a red link is created, the authority responsible for the manual verification of different identities shall inform the person concerned of the presence of multiple unlawful identity data and shall provide the person with the single identification number referred to in Article 34(c) of this Regulation, a reference to the authority responsible for the manual verification of different identities referred to in Article 34(d) of this Regulation and the website address of the web portal established in accordance with Article 49 of this Regulation.

5.   The information referred to in paragraph 4 shall be provided in writing by means of a standard form by the authority responsible for the manual verification of different identities. The Commission shall determine the content and presentation of that form by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

6.   Where a red link is created, the MID shall notify the authorities responsible for the linked data in an automated manner.

7.   If a Member State authority or Union agency having access to the CIR or SIS has evidence to suggest that a red link has been incorrectly recorded in the MID or that data were processed in the MID, the CIR or SIS in breach of this Regulation, that authority or agency shall check the relevant data stored in the CIR and SIS and shall:

If a SIRENE Bureau is contacted pursuant to point (a) of the first subparagraph, it shall verify the evidence provided by the Member State authority or the Union agency and where relevant rectify or erase the link from the MID immediately.

The Member State authority obtaining the evidence shall inform the Member State authority responsible for the manual verification of different identities without delay of any relevant rectification or erasure of a red link.

1.   A link between data from two or more EU information systems shall be classified as white in any of the following cases:

2.   Where the CIR or SIS are queried and where a white link exists between data in two or more of the EU information systems, the MID shall indicate that the identity data of the linked data correspond to the same person. The queried EU information systems shall reply indicating, where relevant, all the linked data on the person, thereby triggering a match against the data that are linked by the white link, if the authority launching the query has access to the linked data under Union or national law.

3.   Where a white link is created between data in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN, the individual file stored in the CIR shall be updated in accordance with Article 19(2).

4.   Without prejudice to the provisions related to the handling of alerts in SIS contained in Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862, and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that no national investigation will be jeopardised, where a white link is created following a manual verification of different identities, the authority responsible for the manual verification of different identities shall inform the person concerned of the presence of similar or different identity data and shall provide the person with the single identification number referred to in Article 34(c) of this Regulation, a reference to the authority responsible for the manual verification of different identities referred to in Article 34(d) of this Regulation and the website address of the web portal established in accordance with Article 49 of this Regulation.

5.   If a Member State authority has evidence to suggest that a white link has been incorrectly recorded in the MID, that a white link is out of date or that data were processed in the MID or the EU information systems in breach of this Regulation, it shall check the relevant data stored in the CIR and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification of different identities without delay.

6.   The information referred to in paragraph 4 shall be in writing by means of a standard form by the authority responsible for the manual verification of different identities. The Commission shall determine the content and presentation of that form by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

1.   eu-LISA shall keep logs of all data processing operations in the MID. Those logs shall include the following:

2.   Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the MID make. Each Union agency shall keep logs of queries that its duly authorised staff make.

3.   The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

1.   Without prejudice to Member States' responsibilities with regard to the quality of data entered into the systems, eu-LISA shall establish automated data quality control mechanisms and procedures on the data stored in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR.

2.   eu-LISA shall implement mechanisms for evaluating the accuracy of the shared BMS, common data quality indicators and the minimum quality standards for storage of data in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR.

Only data fulfilling the minimum quality standards may be entered in the EES, VIS, ETIAS, SIS, the shared BMS, the CIR and the MID.

3.   eu-LISA shall provide regular reports on the automated data quality control mechanisms and procedures and the common data quality indicators to the Member States. eu-LISA shall also provide a regular report to the Commission covering the issues encountered and the Member States concerned. eu-LISA shall also provide that report to the European Parliament and to the Council upon request. No reports provided under this paragraph shall contain any personal data.

4.   The details of the automated data quality control mechanisms and procedures, the common data quality indicators and the minimum quality standards for storage of data in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR, in particular regarding biometric data, shall be laid down in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

5.   One year after the establishment of the automated data quality control mechanisms and procedures, common data quality indicators and the minimum data quality standards, and every year thereafter, the Commission shall evaluate Member States' implementation of data quality and make any necessary recommendations. The Member States shall provide the Commission with an action plan to remedy any deficiencies identified in the evaluation report and, in particular, data quality issues deriving from erroneous data in EU information systems. The Member States shall regularly report to the Commission on any progress against this action plan until it is fully implemented.

The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor, to the European Data Protection Board and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007 (39).

1.   The universal message format (UMF) standard is hereby established. The UMF defines standards for certain content elements of cross-border information exchange between information systems, authorities or organisations in the field of Justice and Home Affairs.

2.   The UMF standard shall be used in the development of the EES, ETIAS, the ESP, the CIR, the MID and, if appropriate, in the development by eu-LISA or by any other Union agency of new information exchange models and information systems in the area of Justice and Home Affairs.

3.   The Commission shall adopt an implementing act to lay down and develop the UMF standard referred to in paragraph 1 of this Article. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 74(2).

1.   A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the EES, VIS, ETIAS and SIS, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes.

2.   eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 63 of Regulation (EU) 2017/2226, Article 17 of Regulation (EC) No 767/2008, Article 84 of Regulation (EU) 2018/1240, Article 60 of Regulation (EU) 2018/1861 and Article 16 of Regulation (EU) 2018/1860, logically separated by EU information system. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 63 of Regulation (EU) 2017/2226, Article 17 of Regulation (EC) No 767/2008, Article 84 of Regulation (EU) 2018/1240 and Article 60 of Regulation (EU) 2018/1861.

3.   eu-LISA shall render the data anonymous and shall record such anonymised data in the CRRS. The process for rendering the data anonymous shall be automated.

The data contained in CRRS shall not allow for the identification of individuals.

4.   The CRRS shall be composed of:

5.   The Commission shall adopt a delegated act in accordance with Article 73 laying down detailed rules on the operation of the CRRS, including specific safeguards for the processing of personal data under paragraphs 2 and 3 of this Article and security rules applicable to the repository.

1.   In relation to the processing of data in the shared BMS, the Member State authorities that are controllers for the EES, VIS and SIS respectively shall be controllers in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 or point (8) of Article 3 of Directive (EU) 2016/680 in relation to the biometric templates obtained from the data referred to in Article 13 of this Regulation that they enter into the underlying systems and shall have responsibility for the processing of the biometric templates in the shared BMS.

2.   In relation to the processing of data in the CIR, the Member State authorities that are controllers for the EES, VIS and ETIAS respectively, shall be controllers in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 in relation to data referred to in Article 18 of this Regulation that they enter into the underlying systems and shall have responsibility for the processing of those personal data in the CIR.

3.   In relation to the processing of data in the MID:

4.   For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs referred to in Articles 10, 16, 24 and 36 for self-monitoring as referred to in Article 44.

1.   eu-LISA, the ETIAS Central Unit, Europol and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to this Regulation. eu-LISA, the ETIAS Central Unit, Europol and the Member State authorities shall cooperate on security-related tasks.

2.   Without prejudice to Article 33 of Regulation (EU) 2018/1725, eu-LISA shall take the necessary measures to ensure the security of the interoperability components and their related communication infrastructure.

3.   In particular, eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

4.   Member States, Europol and the ETIAS Central Unit shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.

1.   Any event that has or may have an impact on the security of the interoperability components and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   Security incidents shall be managed so as to ensure a quick, effective and proper response.

3.   Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA, the competent supervisory authorities and the European Data Protection Supervisor of any security incidents without delay.

Without prejudice to Articles 34 and 35 of Regulation (EU) 2018/1725 and Article 34 of Regulation (EU) 2016/794, the ETIAS Central Unit and Europol shall notify the Commission, eu-LISA and the European Data Protection Supervisor of any security incidents without delay.

In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor without delay.

4.   Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States, the ETIAS Central Unit and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.

5.   The Member States concerned, the ETIAS Central Unit, Europol and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specifications of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 74(2).

1.   Without prejudice to the right to compensation from, and liability of the controller or processor under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:

The Member State concerned, Europol, the European Border and Coast Guard Agency or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Regulation causes damage to the interoperability components, that Member ate shall be liable for such damage, unless and insofar as eu-LISA or another Member State bound by this Regulation failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of the defendant Member State. Claims for compensation against the controller or eu-LISA for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.

1.   The authority collecting the personal data to be stored in the shared BMS, the CIR or the MID shall provide the persons whose data are collected with the information required under Articles 13 and 14 of Regulation (EU) 2016/679, Articles 12 and 13 of Directive (EU) 2016/680 and Articles 15 and 16 of Regulation (EU) 2018/1725. The authority shall provide the information at the time that such data are collected.

2.   All information shall be made available, using clear and plain language, in a linguistic version the person concerned understands or is reasonably expected to understand. This shall include providing information in a manner which is appropriate to the age of the data subjects who are minors.

3.   Persons whose data are recorded in the EES, VIS or ETIAS shall be informed about the processing of personal data for the purposes of this Regulation in accordance with paragraph 1 when:

1.   In order to exercise their rights under Articles 15 to 18 of Regulation (EU) 2016/679, Articles 17 to 20 of Regulation (EU) 2018/1725 and Articles 14, 15 and 16 of Directive (EU) 2016/680, any person shall have the right to address himself or herself to the competent authority of any Member State, which shall examine and reply to the request.

2.   The Member State which examines such a request shall reply without undue delay and in any event within 45 days of receipt of the request. That period may be extended by 15 further days where necessary, taking into account the complexity and number of the requests. The Member State which examines the request shall inform the data subject of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Member States may decide that replies are to be given by central offices.

3.   If a request for rectification or erasure of personal data is made to a Member State other than the Member State responsible for the manual verification of different identities, the Member State to which the request has been made shall contact the authorities of the Member State responsible for the manual verification of different identities within seven days. The Member State responsible for the manual verification of different identities shall check the accuracy of the data and the lawfulness of the data processing without undue delay and in any event within 30 days of such contact. That period may be extended by 15 further days where necessary, taking into account the complexity and number of the requests. The Member State responsible for the manual verification of different identities shall inform the Member State which contacted it of any such extension together with the reasons for the delay. The person concerned shall be informed by the Member State which contacted the authority of the Member State responsible for the manual verification of different identities about the further procedure.

4.   If a request for rectification or erasure of personal data is made to a Member State where the ETIAS Central Unit was responsible for the manual verification of different identities, the Member State to which the request has been made shall contact the ETIAS Central Unit within seven days to ask for its opinion. The ETIAS Central Unit shall give its opinion without undue delay and in any event within 30 days of being contacted. That period may be extended by 15 further days where necessary, taking into account the complexity and number of the requests. The person concerned shall be informed by the Member State which contacted the ETIAS Central Unit about the further procedure.

5.   Where, following an examination, it is found that the data stored in the MID are inaccurate or have been recorded unlawfully, the Member State responsible for the manual verification of different identities or, where there was no Member State responsible for the manual verification of different identities or where the ETIAS Central Unit was responsible for the manual verification of different identities, the Member State to which the request has been made shall rectify or erase those data without any undue delay. The person concerned shall be informed in writing that his or her data have been rectified or erased.

6.   Where data stored in the MID are amended by a Member State during their retention period, that Member State shall carry out the processing laid down in Article 27 and, where relevant, Article 29 to determine whether the amended data are to be linked. Where the processing does not report any match, that Member State shall erase the data from the identity confirmation file. Where the automated processing reports one or several matches, that Member State shall create or update the relevant link in accordance with the relevant provisions of this Regulation.

7.   Where the Member State responsible for the manual verification of different identities or, where applicable, the Member State to which the request has been made does not agree that data stored in the MID are inaccurate or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the person concerned without delay why it is not prepared to rectify or erase data relating to him or her.

8.   The decision referred to in paragraph 7 shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request for access to, rectification, erasure or restriction of processing of personal data and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts, and any assistance, including from the supervisory authorities.

9.   Any request for access to, rectification, erasure or restriction of processing of personal data shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in this Article and shall be erased immediately afterwards.

10.   The Member State responsible for the manual verification of different identities or, where applicable, the Member State to which the request has been made shall keep a written record that a request for access to, rectification, erasure or restriction of processing of personal data was made and how it was addressed, and shall make that record available to supervisory authorities without delay.

11.   This Article is without prejudice to any limitations and restrictions to the rights set out in this Article pursuant to Regulation (EU) 2016/679 and Directive (EU) 2016/680.

1.   A web portal is established for the purpose of facilitating the exercise of the rights of access to, rectification, erasure or restriction of processing of personal data.

2.   The web portal shall contain information on the rights and procedures referred to in Articles 47 and 48 and a user interface enabling persons whose data are processed in the MID and who have been informed of the presence of a red link in accordance with Article 32(4) to receive the contact information of the competent authority of the Member State responsible for the manual verification of different identities.

3.   In order to obtain the contact information of the competent authority of the Member State responsible for the manual verification of different identities, the person whose data are processed in the MID should enter the reference to the authority responsible for the manual verification of different identities referred to in Article 34(d). The web portal shall use this reference in order to retrieve the contact information of the competent authority of the Member State responsible for the manual verification of different identities. The web portal shall also include a template e-mail to facilitate communication between the portal user and the competent authority of the Member State responsible for the manual verification of different identities. Such e-mail shall include a field for the single identification number referred to in Article 34(c) in order to allow the competent authority of the Member State responsible for the manual verification of different identities to identify the data concerned.

4.   Member States shall provide eu-LISA with the contact details of all authorities that are competent to examine and reply to any request referred to in Articles 47 and 48 and shall regularly review whether those contact details are up to date.

5.   eu-LISA shall develop the web portal and ensure its technical management.

6.   The Commission shall adopt a delegated act in accordance with Article 73 laying down detailed rules on the operation of the web portal, including the user interface, the languages in which the web portal shall be available and the template e-mail.

1.   Each Member State shall ensure that the supervisory authorities independently monitor the lawfulness of the processing of personal data under this Regulation by the Member State concerned, including their transmission to and from the interoperability components.

2.   Each Member State shall ensure that the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 are also applicable, where relevant, to access to the interoperability components by police authorities and designated authorities, including in relation to the rights of the persons whose data are so accessed.

3.   The supervisory authorities shall ensure that an audit of the personal data processing operations by the responsible national authorities for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least every four years.

The supervisory authorities shall publish annually the number of requests for rectification, erasure or restriction of processing of personal data, the action subsequently taken and the number of rectifications, erasures and restrictions of processing made in response to requests by the persons concerned.

4.   Member States shall ensure that their supervisory authorities have sufficient resources and expertise to fulfil the tasks entrusted to them under this Regulation.

5.   Member States shall supply any information requested by a supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 and shall, in particular, provide it with information on the activities carried out in accordance with their responsibilities under this Regulation. Member States shall grant the supervisory authorities referred to in Article 51(1) of Regulation (EU) 2016/679 access to their logs referred to in Articles 10, 16, 24 and 36 of this Regulation, to the justifications referred to in Article 22(2) of this Regulation and allow them to access all their premises used for interoperability purposes at all times.

1.   The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities and ensure coordinated supervision of the use of the interoperability components and the application of other provisions of this Regulation, in particular if the European Data Protection Supervisor or a supervisory authority finds major discrepancies between practices of Member States or finds potentially unlawful transfers using the communication channels of the interoperability components.

2.   In the cases referred to in paragraph 1 of this Article, coordinated supervision shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

3.   The European Data Protection Board shall send a joint report of its activities under this Article to the European Parliament, to the Council, to the Commission, to Europol, to the European Border and Coast Guard Agency and to eu-LISA by 12 June 2021 and every two years thereafter. That report shall include a chapter on each Member State prepared by the supervisory authority of the Member State concerned.

1.   eu-LISA shall ensure that the central infrastructures of the interoperability components are operated in accordance with this Regulation.

2.   The interoperability components shall be hosted by eu-LISA in its technical sites and shall provide the functionalities laid down in this Regulation in accordance with the conditions of security, availability, quality and performance referred to in Article 55(1).

3.   eu-LISA shall be responsible for the development of the interoperability components and for any adaptations required for establishing interoperability between the central systems of the EES, VIS, ETIAS, SIS, Eurodac, ECRIS-TCN, and the ESP, the shared BMS, the CIR, the MID and the CRRS.

Without prejudice to Article 66, eu-LISA shall not have access to any of the personal data processed through the ESP, the shared BMS, the CIR or the MID.

eu-LISA shall define the design of the physical architecture of the interoperability components including their communication infrastructures and the technical specifications and their evolution as regards the central infrastructure and the secure communication infrastructure, which shall be adopted by the Management Board, subject to a favourable opinion of the Commission. eu-LISA shall also implement any necessary adaptations to the EES, VIS, ETIAS or SIS deriving from the establishment of interoperability and provided for by this Regulation.

eu-LISA shall develop and implement the interoperability components as soon as possible after the entry into force of this Regulation and the adoption by the Commission of the measures provided for in Articles 8(2), 9(7), 28(5) and (7), 37(4), 38(3), 39(5), 43(5) and 78(10).

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination.

4.   During the design and development phase, a Programme Management Board composed of a maximum of 10 members shall be established. It shall be composed of seven members appointed by eu-LISA's Management Board from among its members or its alternates, the chair of the Interoperability Advisory Group referred to in Article 75, a member representing eu-LISA appointed by its Executive Director, and one member appointed by the Commission. The members appointed by eu-LISA's Management Board shall be elected only from those Member States that are fully bound under Union law by the legal instruments governing the development, establishment, operation and use of all the EU information systems and which will participate in the interoperability components.

5.   The Programme Management Board shall meet regularly and at least three times per quarter. It shall ensure the adequate management of the design and development phase of the interoperability components.

Every month, the Programme Management Board shall submit written reports on progress of the project to eu-LISA's Management Board. The Programme Management Board shall have no decision-making power, nor any mandate to represent the members of eu-LISA's Management Board.

6.   eu-LISA's Management Board shall establish the rules of procedure of the Programme Management Board, which shall include in particular rules on:

The chairmanship shall be held by a Member State that is fully bound under Union law by the legal instruments governing the development, establishment, operation and use of all the EU information systems and which will participate in the interoperability components.

All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA, and Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. eu-LISA shall provide the Programme Management Board with a secretariat.

The Interoperability Advisory Group referred to in Article 75 shall meet regularly until the start of operations of the interoperability components. It shall report after each meeting to the Programme Management Board. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow up on the state of preparation of the Member States.

1.   Following the entry into operations of each interoperability component, eu-LISA shall be responsible for the technical management of the central infrastructure of the interoperability components, including their maintenance and technological developments. In cooperation with the Member States, it shall ensure that the best available technology is used, subject to a cost-benefit analysis. eu-LISA shall also be responsible for the technical management of the communication infrastructure referred to in Articles 6, 12, 17, 25 and 39.

Technical management of the interoperability components shall consist of all the tasks and technical solutions necessary to keep the interoperability components functioning and providing uninterrupted services to the Member States and to the Union agencies 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that the components function at a satisfactory level of technical quality, in particular as regards the response time for interrogation of the central infrastructures in accordance with the technical specifications.

All interoperability components shall be developed and managed in such a way as to ensure fast, seamless, efficient and controlled access, full, uninterrupted availability of the components and of the data stored in the MID, the shared BMS and the CIR, and a response time in line with the operational needs of the Member States' authorities and Union agencies.

2.   Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with data stored in the interoperability components. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Without prejudice to Article 66, eu-LISA shall not have access to any of the personal data processed through the ESP, the shared BMS, the CIR and the MID.

3.   eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data stored in the shared BMS and the CIR in accordance with Article 37.

4.   eu-LISA shall also perform tasks related to providing training on the technical use of the interoperability components.

1.   Each Member State shall be responsible for:

2.   Each Member State shall connect their designated authorities to the CIR.

1.   The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the ESP, solely for the purposes of reporting and statistics:

It shall not be possible to identify individuals from the data.

2.   The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the CIR, solely for the purposes of reporting and statistics:

It shall not be possible to identify individuals from the data.

3.   The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the MID, solely for the purposes of reporting and statistics:

It shall not be possible to identify individuals from the data.

4.   The duly authorised staff of the European Border and Coast Guard Agency shall have access to consult the data referred to in paragraphs 1, 2 and 3 of this Article for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 11 and 13 of Regulation (EU) 2016/1624 of the European Parliament and of the Council (40).

5.   The duly authorised staff of Europol shall have access to consult the data referred to in paragraphs 2 and 3 of this Article for the purpose of carrying out strategic, thematic and operational analyses as referred to in Article 18(2)(b) and (c) of Regulation (EU) 2016/794.

6.   For the purpose of paragraphs 1, 2 and 3, eu-LISA shall store the data referred to in those paragraphs in the CRRS. It shall not be possible to identify individuals from the data included in the CRRS, but the data shall allow the authorities listed in paragraphs 1, 2 and 3 to obtain customisable reports and statistics to enhance the efficiency of border checks, to help authorities processing visa applications and to support evidence-based policy-making on migration and security in the Union.

7.   Upon request, relevant information shall be made available by the Commission to the European Union Agency for Fundamental Rights in order to evaluate the impact of this Regulation on fundamental rights.

1.   For a period of two years from the date the ESP commences operations, the obligations referred to in Article 7(2) and (4) shall not apply and the utilisation of the ESP shall be optional.

2.   The Commission is empowered to adopt a delegated act in accordance with Article 73 in order to amend this Regulation by extending the period referred to in paragraph 1 of this Article once, by no longer than one year, when an assessment of the implementation of the ESP has shown that such an extension is necessary, especially in view of the impact that bringing the ESP into operation would have on the organisation and length of border checks.

1.   For a period of one year following notification by eu-LISA of the completion of the test of the MID referred to in Article 72(4)(b) and before the start of operations of the MID, the ETIAS Central Unit shall be responsible for carrying out multiple-identity detection using the data stored in the EES, VIS, Eurodac and SIS. The multiple-identity detections shall be carried out using only biometric data.

2.   Where the query reports one or several matches and the identity data in the linked files are the same or similar, a white link shall be created in accordance with Article 33.

Where the query reports one or several matches and the identity data in the linked files cannot be considered to be similar, a yellow link shall be created in accordance with Article 30 and the procedure referred to in Article 29 shall apply.

Where several matches are reported, a link shall be created between each piece of data triggering the match.

3.   Where a yellow link is created, the MID shall grant access to the identity data present in the different EU information systems to the ETIAS Central Unit.

4.   Where a link is created to an alert in SIS other than an alert created under Article 3 of Regulation (EU) 2018/1860, Articles 24 and 25 of Regulation (EU) 2018/1861, or Article 38 of Regulation (EU) 2018/1862, the MID shall grant access to the identity data present in the different information systems to the SIRENE Bureau of the Member State that created the alert.

5.   The ETIAS Central Unit or, in the cases referred to in paragraph 4 of this Article the SIRENE Bureau of the Member State that created the alert, shall have access to the data contained in the identity confirmation file and shall assess the different identities and shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file.

6.   The ETIAS Central Unit shall notify the Commission in accordance with Article 71(3) only once all yellow links have been manually verified and their status updated as either green, white or red links.

7.   Member States shall assist the ETIAS Central Unit where necessary in carrying out multiple-identity detection under this Article.

8.   The Commission is empowered to adopt a delegated act in accordance with Article 73 in order to amend this Regulation by extending the period referred to in paragraph 1 of this Article by six months, renewable twice by six months each time. Such an extension shall only be granted following an assessment of the estimated completion time for multiple-identity detection under this Article, which demonstrates that the multiple-identity detection cannot be completed before expiry of the period remaining either under paragraph 1 of this Article or any ongoing extension, for reasons independent of the ETIAS Central Unit, and that no corrective measures can be applied. The assessment shall be carried out no later than three months before the expiry of such period or ongoing extension.

1.   The costs incurred in connection with the establishment and operation of the ESP, the shared BMS, the CIR and the MID shall be borne by the general budget of the Union.

2.   Costs incurred in connection with the integration of the existing national infrastructures and their connection to the national uniform interfaces as well as in connection with hosting the national uniform interfaces shall be borne by the general budget of the Union.

The following costs shall be excluded:

3.   Without prejudice to further funding for this purpose from other sources of the general budget of the European Union, an amount of EUR 32 077 000 shall be mobilised from the envelope of EUR 791 000 000 foreseen under Article 5(5)(b) of Regulation (EU) No 515/2014 to cover the costs of implementation of this Regulation, as foreseen under paragraphs 1 and 2 of this Article.

4.   From the envelope referred to in paragraph 3, EUR 22 861 000 shall be allocated to eu-LISA, EUR 9 072 000 shall be allocated to Europol and EUR 144 000 shall be allocated to the European Union Agency for Law Enforcement Training (CEPOL) to support these agencies in performing their respective tasks under this Regulation. Such funding shall be implemented under indirect management.

5.   The costs incurred by the designated authorities shall be borne by the designating Member States respectively. The costs of connecting each designated authority to the CIR shall be borne by each Member State.

The costs incurred by Europol, including of connection to the CIR, shall be borne by Europol.

1.   The Member States shall notify eu-LISA of the authorities referred to in Articles 7, 20, 21 and 26 that may use or have access to the ESP, the CIR and the MID respectively.

A consolidated list of those authorities shall be published in the Official Journal of the European Union within a period of three months from the date on which each interoperability component commenced operations in accordance with Article 72. Where there are amendments to the list, eu-LISA shall publish an updated consolidated list once a year.

2.   eu-LISA shall notify the Commission of the successful completion of the tests referred to in Article 72(1)(b), (2)(b), (3)(b), (4)(b), (5)(b) and (6)(b).

3.   The ETIAS Central Unit shall notify the Commission of the successful completion of the transitional period laid down in Article 69.

4.   The Commission shall make the information notified pursuant to paragraph 1 available to the Member States and to the public, via a constantly updated public website.

1.   The Commission shall determine the date from which the ESP is to start operations by means of an implementing act once the following conditions have been met:

The ESP shall only query the Interpol databases once the technical arrangements allow compliance with Article 9(5). Any impossibility of complying with Article 9(5) shall have the result that the ESP does not query the Interpol databases but shall not delay the start of operations of the ESP.

The Commission shall set the date referred to in the first subparagraph to be within 30 days from adoption of the implementing act.

2.   The Commission shall determine the date from which the shared BMS is to start operations by means of an implementing act once the following conditions have been met: