Commission Delegated Regulation (EU) 2023/332 of 11 July 2022 supplementing Regul... (32023R0332)
EU - Rechtsakte: 19 Area of freedom, security and justice

COMMISSION DELEGATED REGULATION (EU) 2023/332

of 11 July 2022

supplementing Regulation (EU) 2019/818 of the European Parliament and of the Council as regards determining cases where identity data are considered as same or similar for the purpose of the multiple identity detection

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (1), and in particular Article 28(5) thereof,
Whereas:
(1) Regulation (EU) 2019/818, together with Regulation (EU) 2019/817 of the European Parliament and of the Council (2) establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration.
(2) That framework includes a number of interoperability components, including a multiple-identity detector. The multiple-identity detector creates and stores links between data in the different EU information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for
bona fide
travellers and combating identity fraud. The linking of data is essential for the multiple-identity detector to fulfil its objectives.
(3) The multiple-identity detection process results in the creation of automated white and yellow links. A white link indicates that the identity data of the linked files are the same or similar whereas a yellow link indicates that the identity data of the linked files cannot be considered to be similar and that manual verification of the different identities should be carried out.
(4) Considering the burden on persons whose data is registered in the EU information systems, and the national authorities as well as with Union agencies, it is necessary to limit the number of cases in which yellow links are generated by the multiple-identity detector and therefore require manual verification.
(5) Pursuant to Regulation (EU) 2019/818, the European Agency for the Operational Management of Large-Scale Information Systems in the area of Freedom, Security and Justice (‘eu-LISA’), established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council (3), should be responsible for the preparation, development and operational management of the interoperability components, including the multi-identity detector.
(6) Prior to the development of the multi-identity detector, it is necessary to lay down the procedures to determine the cases in which identity data concerning a person stored across several systems are considered the same or similar for the purpose of multiple-identity detection.
(7) Given that Regulation (EU) 2019/818 builds upon the Schengen
acquis
, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/818 in its national law. It is therefore bound by this Regulation.
(8) This Regulation constitutes a development of the provisions of the Schengen
acquis
in which Ireland does not take part (4). Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(9) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
 (5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (6).
(10) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
 (7), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (8).
(11) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
 (9) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (10).
(12) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen
acquis
within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (11) and delivered an opinion on 27 April 2021,
HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purposes of this Regulation, the following definitions apply:
(1) ‘identity data’ means the following data:
(a) surname (family name); first name or names (given names); date of birth; nationality or nationalities; and sex; as referred to in Articles 16(1)(a), 17(1) and 18(1) of Regulation (EU) 2017/2226 of the European Parliament and of the Council (12);
(b) surname (family name), first name(s) (given name(s)), surname at birth; alias(es); date of birth, place of birth, sex and current nationality; as referred to in Article 17(2) of Regulation (EU) 2018/1240 of the European Parliament and of the Council (13);
(c) surnames, forenames, names at birth, previously used names and aliases, place of birth, date of birth, gender and any nationalities held, as referred to in Article 20(2) of Regulation (EU) 2018/1861 of the European Parliament and of the Council (14);
(d) surnames, forenames, names at birth, previously used names and aliases, place of birth, date of birth, gender and any nationalities held, as referred to in Article 4 of Regulation (EU) 2018/1860 of the European Parliament and of the Council (15);
(e) surnames, forenames, names at birth, previously used names and aliases, place of birth, date of birth, gender and any nationalities held as referred to in Article 20(3) of Regulation (EU) 2018/1862 of the European Parliament and of the Council (16);
(f) surname (family name), first names (given names), date of birth, place of birth (town and country), nationality or nationalities and gender, previous names, if applicable as referred to in Article 5(1), point (a)(i), of Regulation (EU) 2019/816 of the European Parliament and of the Council (17);
(g) until the the start of operations of the Visa Information System pursuant to Article 11 of Regulation (EU) 2021/1134 (18): surname (family name), first name or names (given names), date of birth, sex, place and country of birth, and nationalities as referred to in Article 9(4), points (a) and (aa), of Regulation (EC) No 767/2008 of the European Parliament and of the Council (19);
(h) from the start of operations of the Visa Information System pursuant to Article 11 of Regulation (EU) 2021/1134: surname (family name), first name(s) (given name(s)), date of birth, place and country of birth, sex, and nationality or nationalities as referred to in Article 9(4), points(a) and (aa), and in Article 22a(1), point (d), of Regulation (EC) No 767/2008;
(2) ‘equal’ means a 100 % correspondence between data from two different EU information systems, including, where necessary, the use of a conversion-harmonisation functionality for harmonising the format of all data before comparison;
(3) ‘transliteration’ means a type of conversion of a text from one script to another that involves swapping letters in previously identified ways.

Article 2

Same identity data

The procedures for determining the cases where identity data shall be considered as the same are set out in Annex I.

Article 3

Similar identity data

The procedures for determining the cases where identity data shall be considered as similar are set out in Annex II.

Article 4

Logs

1.   The common identity repository shall keep the logs of the comparison of data containing, at least:
(a) the date and time of the comparison;
(b) the result of the comparison, including which identity data was considered as same or similar;
(c) the colour of the link following the automated comparison;
(d) the colour of the link following the manual processing subsequent to the creation of a yellow link;
(e) the amendments to the links, including where the identity data was considered as similar.
2.   The logs shall be stored in the common identity repository. They shall be stored for no longer than one year following the comparison of data. After that period, they shall be automatically erased.
3.   The logs shall be used by the common identity repository to produce automatic reports of activities and to support and monitor the accuracy of the comparison of data between EU information systems.

Article 5

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Brussels, 11 July 2022.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 135, 22.5.2019, p. 85
.
(2)  Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (
OJ L 135, 22.5.2019, p. 27
).
(3)  Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (
OJ L 286, 1.11.2011, p. 1
).
(4)  This Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(5)  
OJ L 176, 10.7.1999, p. 36
.
(6)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(7)  
OJ L 53, 27.2.2008, p. 52
.
(8)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 1
).
(9)  
OJ L 160, 18.6.2011, p. 21
.
(10)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).
(11)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(12)  Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (
OJ L 327, 9.12.2017, p. 20
).
(13)  Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (
OJ L 236, 19.9.2018, p. 1
).
(14)  Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (
OJ L 312, 7.12.2018, p. 14
).
(15)  Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (
OJ L 312, 7.12.2018, p. 1
).
(16)  Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (
OJ L 312, 7.12.2018, p. 56
).
(17)  Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (
OJ L 135, 22.5.2019, p. 1
).
(18)  Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (
OJ L 248, 13.7.2021, p. 11
).
(19)  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (
OJ L 218, 13.8.2008, p. 60
).

ANNEX I

1.   

Data from different information systems

 

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

1

Names (including surname and first name)

Surnames

Previously used surnames

Aliases surnames

Forenames

Previously used forenames

Aliases forenames

Names at birth

Surname (family name)

First name

Names

Given names

Surname (family name)

Surname at birth

Other names (aliases, artistic names, usual names)

First name(s)

Given name(s)

Surname (family name)

Pseudonyms

Aliases

Previous names

First names (Given names)

Pseudonyms

Aliases

Previous names

Surname (family name)

Surname at birth (former family name(s))

First name(s) (given name(s))

2

Date of birth

Date of birth

Aliases date of birth

Date or birth

Date of birth

Date of birth

Date of birth

3

Gender

Gender

Aliases gender

Sex

Sex

Gender

Sex

4

Nationality and place of birth

Any nationalities held

Aliases nationality

Place of birth (country of birth)

Aliases place of birth (country of birth)

Nationality

Nationalities

Current Nationality

Place of birth

Nationality

Nationalities

Place of birth (town and country)

Current nationality

Nationalities

Nationality at birth

Place and country of birth

In the case of the Schengen Information System, for each data provided for in the table, the identity data may belong to one of the following categories:
(a) ‘confirmed identity’, where the person’s identity has been confirmed on the basis of genuine identification documents, as a result of biometric matching or by a statement from the competent authorities;
(b) ‘not confirmed identity’, where there is not sufficient proof of the person’s identity;
(c) ‘alias’, where a person uses a false or assumed identity;
(d) ‘misused identity’, where a person, subject to an alert in the Schengen Information System, uses the identity of another real person, in particular when a document is used to the detriment of the real owner of that document.
For the purposes of this table, aliases identity data refer to categories (b), (c) and (d), while the non-alias data refer to category (a).

2.   

Same identity data
This Annex lays down the cases in which identity data shall be considered as the same. In order for identity data to be considered as the same, all the conditions of Section 3 should be fulfilled.

3.   

Cases where identity data shall be considered as the same per data category
In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the cumulative conditions laid down in Sections 3.1, 3.2, 3.3 and 3.4 shall be met.

3.1.   

Names

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Names (including surname and first name)

Surnames

Previously used surnames

Aliases surnames

Forenames

Previously used forenames

Names at birth

Aliases forenames

Surname (family name)

First name

Names

Given names

Surname (family name)

Surname at birth

Other names (aliases, artistic names, usual names)

First name(s)

Given name(s)

Surname (family name)

Pseudonyms

Aliases

Previous names

First names (Given names)

Pseudonyms

Aliases

Previous names

Surname (family name)

Surname at birth (former family name(s))

First name(s) (given name(s))

In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the following cumulative conditions must be met:
(a) the data inserted in at least one of the following data fields is equal in the two systems:
(i) surname;
(ii) family name;
(iii) previously used surnames;
(iv) surname at birth;
(v) other names (aliases, artistic names, usual names);
(vi) pseudonyms;
(vii) aliases surnames;
(viii)
previous names;
(ix) former family names;
(b) the data inserted in at least one of the following data fields is equal in the two systems:
(i) first name;
(ii) forename;
(iii) name;
(iv) given names;
(v) previously used forenames;
(vi) other names (aliases, artistic names, usual names);
(vii) pseudonyms;
(viii)
aliases forenames;
(ix) previous names.

3.2.   

Date of birth

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Date of birth

Date of birth

Aliases date of birth

Date or birth

Date of birth

Date of birth

Date of birth

In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the values contained under the data-category ‘date of birth’ must be equal in both systems.

3.3.   

Gender

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Gender

Gender

Aliases gender

Sex

Sex

Gender

Sex

In order for identity data to be considered as the same, where a link is created between data from two EU information systems, the data contained under the data-category ‘gender’ must be equal in both systems.

3.4.   

Nationalities and place of birth

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Nationalities and place of birth

Any nationalities held

Aliases nationality

Place of birth (country of birth)

Aliases place of birth (country of birth)

Nationality

Nationalities

Current Nationality

Place of birth

Nationality

Nationalities

Place of birth (town and country)

Current nationality

Nationalities

Nationality at birth

Place and country of birth

In order for identity data to be considered as the same, where a link is created between data from two EU information systems, at least one of the data fields under the data-category ‘nationalities and place of birth’ must be equal in both systems, including at least one of the nationalities.

ANNEX II

1.   

Data from different information systems

 

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

1

Names (including surname and first name)

Surnames

Previously used surnames

Aliases surnames

Forenames

Previously used forenames

Names at birth

Aliases forenames

Surname (family name)

First name

Names

Given names

Surname (family name)

Surname at birth

Other names (aliases, artistic names, usual names)

First name(s)

Given name(s)

Surname (family name)

Pseudonyms

Aliases

Previous names

First names (Given names)

Pseudonyms

Aliases

Previous names

Surname (family name)

Surname at birth (former family name(s))

First name(s) (given name(s))

2

Date of birth

Date of birth

Aliases date of birth

Date or birth

Date of birth

Date of birth

Date of birth

3

Gender

Gender

Aliases gender

Sex

Sex

Gender

Sex

4

Nationality and place of birth

Any nationalities held

Aliases nationality

Place of birth (country of birth)

Aliases place of birth (country of birth)

Nationality

Nationalities

Current Nationality

Place of birth

Nationality

Nationalities

Place of birth (town and country)

Current nationality

Nationalities

Nationality at birth

Place and country of birth

In the case of the Schengen Information System, for each data provided for in the table, the identity data may belong to one of the following categories:
(a) ‘confirmed identity’, where the person’s identity has been confirmed on the basis of genuine identification documents, as a result of biometric matching or by a statement from the competent authorities;
(b) ‘not confirmed identity’, where there is not sufficient proof of the person’s identity;
(c) ‘alias’, where a person uses a false or assumed identity;
(d) ‘misused identity’, where a person, subject to an alert in the Schengen Information System, uses the identity of another real person, in particular when a document is used to the detriment of the real owner of that document.
For the purposes of this table, aliases identity data refer to categories (b), (c) and (d), while the non-alias data refer to category (a).

2.   

Similar identity data
Section 3 provides an exhaustive list of rules for when identity data shall be considered as similar.
eu-LISA, assisted and advised by the Interoperability Advisory Group, shall apply these rules by means of an algorithm in consultation with the Commission assisted and advised by the Interoperability Subgroup of the Expert Group on Information Systems for Borders and Security (‘Expert Group’).
eu-LISA shall monitor the impact of the application of the algorithm and report, on a regular basis, to the Expert Group.
Where necessary, in order to limit the number of cases in which yellow links generated by the multiple-identity detector would need to be turned into white links by the responsible authorities, the Commission, assisted and advised by the Expert Group, shall request eu-LISA to adjust the algorithm by prioritising the yellow links created between identity data that are considered more similar, in compliance with the rules in Section 3.
The multiple-identity detector shall always check identity data against all rules laid down in Section 3.

3.   

Cases where identity data shall be considered as similar

3.1.   

Names

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Names (including surname and first name)

Surnames

Previously used surnames

Aliases surnames

Forenames

Previously used forenames

Names at birth

Aliases forenames

Surname (family name)

First name

Names

Given names

Surname (family name)

Surname at birth

Other names (aliases, artistic names, usual names)

First name(s)

Given name(s)

Surname (family name)

Pseudonyms

Aliases

Previous names

First names (Given names)

Pseudonyms

Aliases

Previous names

Surname (family name)

Surname at birth (former family name(s))

First name(s) (given name(s))

Identity data of the data-category ‘names’ shall be considered similar where there are:
(a) known transliteration in names;
(b) inversions of the following categories of data:
(i) surname; family name; previously used surnames; surname at birth, name at birth; aliases surnames, former family names;
(ii) first name; forename; name; given names; previously used forenames; aliases forenames;
(c) cases where the first name, forename and surname are regrouped in one of the data fields;
(d) cases where the order of two words is inversed, including both adjacent and non-adjacent;
(e) cases where the order of two letters is inversed, including both adjacent and non-adjacent;
(f) cases where a single character edit including insertions, deletions and substitutions is required to have a data-category of one EU information system being equal to a data-category in another EU information system;
(g) cases where a difference is found due to the use of hyphens, commas or apostrophes;
(h) cases where the name is truncated.

3.2.   

Date of birth

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Date of birth

Date of birth

Aliases date of birth

Date or birth

Date of birth

Date of birth

Date of birth

Identity data of the data-category ‘date of birth’ shall be considered similar where there are:
(a) cases where the fields of month and day match if they are inversed;
(b) cases where the difference in date of birth is due to a known conversion of different calendars;
(c) cases where a single character edit including insertions, deletions and substitutions is required to have a data-category of one EU information system being equal to a data-category in another EU information system.

3.3.   

Gender

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Gender

Gender

Aliases gender

Sex

Sex

Gender

Sex

3.4.   

Nationalities and place of birth

Data-category

SIS

EES

ETIAS

ECRIS-TCN

VIS

Nationalities and place of birth

Any nationalities held

Aliases nationality

Place of birth (country of birth)

Aliases place of birth (country of birth)

Nationality

Nationalities

Current Nationality

Place of birth

Nationality

Nationalities

Place of birth (town and country)

Current nationality

Nationalities

Nationality at birth

Place and country of birth

Identity data of the data-category ‘nationalities and place of birth’ shall be considered similar where there are:
(a) known transliteration in nationalities or place of birth;
(b) cases where a single character edit including insertions, deletions and substitutions is required to have a data-category of one EU information system being equal to a data-category in another EU information system;
(c) known cases where nationalities/countries/cities changed their denomination.
Markierungen
Leseansicht