COMMISSION DELEGATED REGULATION (EU) 2021/2222

of 30 September 2021

supplementing Regulation (EU) 2019/818 of the European Parliament and of the Council with detailed rules on the operation of the central repository for reporting and statistics

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (1), and in particular Article 39(5) thereof,

Whereas:

(1) Regulation (EU) 2019/818, together with Regulation (EU) 2019/817 of the European Parliament and of the Council (2), establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration.

(2) That framework includes a number of components and tools supporting interoperability, including a central repository for reporting and statistics (‘the central repository’). The central repository stores anonymised data extracted from the underlying EU information systems, the shared biometric matching service, the common identity repository and the multi-identity detector, in order to provide cross-system statistical reporting for policy, operational and data quality purposes.

(3) The European Agency for the Operational Management of Large-scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’) is responsible for establishing, implementing and hosting the central repository and for its operational management.

(4) In order to enable the central repository to provide cross-system statistical data, it is necessary to lay down detailed rules on its operation, including specific standards for the processing of personal data, and security rules.

(5) In order to make it impossible to identify individuals from the statistical data in the central repository, eu-LISA should develop a data anonymisation tool as part of its architecture. The anonymisation process should be automated.

(6) Controlled and secured access should be granted only to authorised staff of the competent authorities, Union institutions and agencies, so that they can consult the data and statistics in the central repository. For that purpose, eu-LISA should develop a reporting tool as part of its architecture. eu-LISA staff should not have direct access to any personal data stored in the EU information systems or the interoperability components.

(7) In order to keep trace of the cross-matching of identity files within or between the corresponding EU information systems for relevant statistical purposes, the central repository should keep a unique reference number. It should not be possible to use that number to retrieve information from the identity files.

(8) The technical solution hosting the central repository should be implemented at eu-LISA’s technical site and at the backup site in order to ensure it remains available at all times.

(9) Given that Regulation (EU) 2019/818 builds upon the Schengen

acquis

, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/818 in its national law. It is therefore bound by this Regulation.

(10) This Regulation constitutes a development of the provisions of the Schengen

acquis

in which Ireland does not take part (3). Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(11) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen

acquis

within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen

acquis

(4), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (5).

(12) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen

acquis

within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

(6), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (7).

(13) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen

acquis

within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

(8) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (9).

(14) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen

acquis

within the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.

(15) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10) and delivered an opinion on 17 June 2021,

HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘statistical data’ means the data, which is anonymised and used solely for the purpose of producing statistical reports pursuant to Regulation (EU) 2017/2226 (11), Regulation (EU) 2018/1240 (12), Regulation (EU) 2018/1860 (13), Regulation (EU) 2018/1861 (14), Regulation (EU) 2018/1862 (15) and Regulation (EU) 2019/816 (16) of the European Parliament and of the Council;

(2) ‘(statistical) reports’ means an organised collection of statistical data, produced by the central repository in an automated manner according to a set of pre-established rules and stored in the central repository;

(3) ‘customisable reports’ means statistical reports that are extracted on the basis of statistical data contained in the central repository in accordance with specific rules determined ad hoc by a user and stored in the central repository;

(4) ‘critical identity data’ means any of the following data or a combination thereof, from which individuals can be identified:

(a) name, first name, surname, family name, given names, alias of any person whose data may be stored in any EU information system;

(b) number of travel document;

(d) telephone, IP address;

(e) email addresses;

(f) biometric data.

Article 2

Information to be contained in the central repository

1. The data referred to in Article 39(2) of Regulation (EU) 2019/818 shall be made available and stored in the central repository in accordance with this Regulation.

2. The central repository shall contain statistical data, including reports on system usage for the purposes of monitoring the functioning of the interoperability components referred to in Article 62 of Regulation (EU) 2019/818.

3. The central repository shall contain technical reports to ensure monitoring by eu-LISA of the development and functioning of the interoperability components in accordance with Article 74(1) of Regulation (EU) 2019/818.

4. The central repository shall keep a unique reference number enabling to keep trace of the cross-matching of identity files within or between the corresponding EU information systems for statistical purposes. It shall not be possible to use that reference number to retrieve the underlying identity files.

5. The central repository shall enable the duly authorised staff of the competent authorities referred to in Article 39(2) of Regulation (EU) 2019/818 to obtain the following:

(a) reports pursuant to Article 74 of Regulation (EU) 2018/1862, containing the following statistics on records kept in the Schengen Information System:

(i) daily, monthly and annual statistics showing the number of records per category of alerts, both for each Member State and in aggregate, pursuant to Article 74(3) of that Regulation;

(ii) annual reports on the number of hits per category of alert, how many times the Schengen Information System was searched and how many times it was accessed for the purpose of entering, updating or deleting an alert, both for each Member State and in aggregate, pursuant to Article 74(3) of that Regulation;

(iii) at the request of the Commission, additional specific statistical reports, either on a regular or ad hoc basis, on the performance and the use of the Schengen Information System and on the exchange of supplementary information, pursuant to Article 74(6), second subparagraph of that Regulation;

(iv) At the request of the European Border and Coast Guard Agency, additional specific statistical reports, either on a regular or ad hoc basis, for the purpose of carrying out risk analyses and vulnerability assessments, pursuant to Article 74(6), third subparagraph of that Regulation;

(v) reports and statistics for the purposes of technical maintenance, reporting, data quality reporting and statistics pursuant to Article 74(2) of that Regulation;

(vi) data quality reports in accordance with pursuant to Article 15(4) of that Regulation.

(b) reports pursuant to Article 32 of Regulation (EU) 2019/816, containing the following statistics on the records kept in the European Criminal Records Information System for third-country nationals (ECRIS-TCN) and the ECRIS reference implementation:

(i) customisable reports and statistics relating to the recording, storage and exchange of information extracted from criminal records through the European Criminal Records Information System for third-country nationals;

(ii) reports and statistics for the purposes of technical maintenance, data quality reporting and statistics pursuant to Article 32(3) of that Regulation.

6. The technical reports referred to in paragraph 2 shall contain statistics on the usage of the system, availability, incidents, performance capacity, biometric accuracy, data quality and, where applicable, pending transactions.

7. The business reports produced by the central repository shall be customisable by the user in order to allow the filtering or grouping of the data by means of a reporting tool made available with the central repository.

8. A catalogue of reports shall be made available. Requests for new reports or changes to existing ones shall follow eu-LISA change management policy.

Article 3

Data repository and reporting tool

1. The central repository shall use a technical solution hosting data extracted from the underlying EU information systems and interoperability components.

2. The technical solution shall contain a reporting tool configured to create, maintain and execute the reports and customisable reports referred to in Article 2.

3. The reporting tool shall allow for the generation of business reports and technical reports, and their retrieval by the user.

4. The reporting tool shall enable the provision of cross-system statistical data and analytical reporting for policy, operational and data quality purposes, where provided for by Union law.

5. All reports shall be managed within the technical solution. The appropriate security and integrity measures shall be implemented in the technical solution, in order to meet the requirements of the security plan provided for Article 42(3) of Regulation (EU) 2019/818.

6. The technical solution shall be implemented at eu-LISA’s technical site and at the backup site.

Article 4

Data extraction

The central repository shall obtain, from the EU information systems, read-only copies of the data referred to in Article 39(2) and Article 62(1), (2) and (3) of Regulation (EU) 2019/818, in order to produce the statistics and reports referred to in Articles 39 and 62 of that Regulation. The data shall be obtained on a regular basis and at least daily, by means of one-way extraction.

Article 5

Data anonymisation tool

1. The data extracted from the underlying EU information systems and interoperability components shall be anonymised using a data anonymisation tool. Only anonymised data shall be stored in the central repository.

2. The data anonymisation tool shall identify critical identity data in the EU information systems and shall anonymise it by means of an automated process before statistical data is stored in the central repository. The anonymisation process shall be irreversible.

Article 6

Access

1. Access to the central repository by duly authorised staff shall be granted and managed in accordance with Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816.

2. The central repository shall be accessible by the Member States, the Commission and the Union agencies, in accordance with their access rights under Union law, via a secure network connection (TESTA).

3. Only duly authorised staff of the competent authorities in accordance with Article 39(2) and Article 62(1) to (5) of Regulation (EU) 2019/818 shall be granted access to the tool referred to in Article 3(2) of this Regulation.

4. Competent authorities shall access the central repository by means of user profiles. eu-LISA shall keep a list of the user profiles. One authority may have several profiles, depending on its access rights.

5. Access to the central repository shall be logged. The information logged shall contain at least:

(a) a timestamp;

(b) authority;

6. Logs enabling the identification of users accessing the central repository shall be kept at national level and by the Commission, the European Border and Coast Guard Agency and Europol. eu-LISA shall keep logs of all accessing operations. The logs shall be stored in the central repository for one year, after which they shall be automatically erased.

7. Any conflicting roles within the central repository shall be identified and access shall be granted in accordance with the following principles:

(a) ‘need-to-know’;

(b) least privilege access;

8. Data quality reports issued pursuant to Article 15(4) of Regulation (EU) 2018/1862 shall include a tool for Member States to provide eu-LISA with feedback on the correction of the issues encountered.

Article 7

Data processor

For the purpose of anonymising personal data pursuant to Article 5, eu-LISA shall be the data processor within the meaning of Article 3, point (12) of Regulation (EU) 2018/1725.

Article 8

Other data protection and security aspects

1. The data stored in the central repository shall be consulted solely for the purpose of reporting and statistics.

2. eu-LISA shall implement the necessary security measures to ensure the integrity of data in the central repository. Any changes to the data shall be traceable for auditing purposes.

Article 9

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels, 30 September 2021.

For the Commission

The President

Ursula VON DER LEYEN

(1)

OJ L 135, 22.5.2019, p. 85

(2) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (

OJ L 135, 22.5.2019, p. 27

(3) This Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen

acquis

(

OJ L 64, 7.3.2002, p. 20

(4)

OJ L 176, 10.7.1999, p. 36

(5) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen

acquis

(

OJ L 176, 10.7.1999, p. 31

(6)

OJ L 53, 27.2.2008, p. 52

(7) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

(

OJ L 53, 27.2.2008, p. 1

(8)

OJ L 160, 18.6.2011, p. 21

(9) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

, relating to the abolition of checks at internal borders and movement of persons (

OJ L 160, 18.6.2011, p. 19

(10) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (

OJ L 295, 21.11.2018, p. 39

(11) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011(

OJ L 327, 9.12.2017, p. 20

(12) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (

OJ L 236, 19.9.2018, p. 1

(13) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (

OJ L 312, 7.12.2018, p. 1

(14) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (

OJ L 312, 7.12.2018, p. 14

(15) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (

OJ L 312, 7.12.2018, p. 56

(16) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (

OJ L 135, 22.5.2019, p. 1