COMMISSION DELEGATED REGULATION (EU) 2021/2104
of 19 August 2021
laying down detailed rules on the operation of the web portal, pursuant to Article 49(6) of Regulation (EU) 2019/817 of the European Parliament and of the Council
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (1), and in particular Article 49(6) thereof,
Whereas:
(1) Regulation (EU) 2019/817, together with Regulation (EU) 2019/818 of the European Parliament and of the Council (2) establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration.
(2) That framework includes a number of interoperability components which involve the processing of significant amounts of sensitive personal data. It is important that persons whose data are processed through those components can effectively exercise their rights as data subjects as required under Regulation (EU) 2016/679 (3), Directive (EU) 2016/680 (4) and Regulation (EU) 2018/1725 (5) of the European Parliament and of the Council.
(3) In order to facilitate the exercise of the right to information, access to, rectification, erasure or restriction of processing of personal data a web portal is established by Regulation (EU) 2019/817.
(4) This web portal should enable persons whose data are processed in the multi-identity detector and who have been informed of the presence of a red or white link to retrieve the information of the competent authority of the Member State responsible for the manual verification of different identities.
(5) For the purpose of facilitating the communication between the portal user and the competent authority of the Member State responsible for the manual verification of different identities, the web portal should include a template email available in the languages established in this Regulation. It should also provide an option on the language(s) to be used for a reply.
(6) In order to clarify respective responsibilities concerning the web portal, this Regulation should specify the responsibilities of the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’), the Commission and the Member States concerning the web portal.
(7) For the purpose of secure and smooth operation of this web portal, this Regulation should establish rules concerning the security of information in the web portal. In addition, access to the web portal should be logged in order to prevent any misuse.
(8) Given that Regulation (EU) 2019/817 builds upon the Schengen acquis, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/817 in its national law. It is therefore bound by this Regulation.
(9) This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part (6). Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(10) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (7), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (8).
(11) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (9), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (10).
(12) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (11) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (12).
(13) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.
(14) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 31 March 2021,
HAS ADOPTED THIS REGULATION:
Article 1
Domain and access
1. The web portal shall use the ‘.europa.eu’ domain name of the European Union.
2. The description of the web portal shall be made available for indexing by major public search engines.
3. The web portal shall be publicly available, in addition to the Member States’ official languages, in at least the following languages: Russian, Arabic, Japanese, Chinese, Albanian, Bosnian, Macedonian, Hindi, and Turkish.
4. The web portal shall contain the information referred to in Articles 47 and 48 of Regulation (EU) 2019/817 and a search tool for the retrieval of the contact details of the competent authority of the Member State responsible for the creation of a red or white link following the manual verification of different identities. The web portal may also contain other necessary information facilitating the exercise of rights referred to in Articles 47 and 48 of Regulation (EU) 2019/817.
5. The web portal shall be in compliance with the rules, guidelines and information of the Europa Web Guide of European Commission, including the guidelines on accessibility.
6. The web portal shall prevent the contact information of the authorities to be made available for search engines and other automatic tools for collection of contact information.
Article 2
Stakeholders and responsibilities
1. eu-LISA shall develop the web portal and ensure its technical management, as referred to in Article 49(5) of Regulation (EU) 2019/817, including the hosting, operation and maintenance of the web portal.
2. The Commission shall provide eu-LISA with the content of the web portal referred to in Article 1(4), as well as with any necessary corrections or updates.
3. Member States shall provide in a timely manner the contact details of authorities competent to examine and reply to any request referred to in Articles 47 and 48 of Regulation (EU) 2019/817 to eu-LISA, to allow the regular upload and update of the web portal content as referred to in Article 49(4) of Regulation (EU) 2019/817.
4. Member States shall provide eu-LISA with a single point of contact responsible for review and maintenance purposes.
5. eu-LISA shall review the provided contact details requesting all Member States to review the available information in order to update possible changes or additions. The review shall be carried out at least once a year.
6. In relation to the processing of data in the web portal Member State authorities shall be controllers in accordance with Article 4, point (7) of Regulation (EU) 2016/679 or Article 3, point (8) of Directive (EU) 2016/680.
7. In relation to the processing of personal data in the web portal, eu-LISA shall be the data processor within the meaning of Article 3, point (12) of Regulation (EU) 2018/1725.
Article 3
User Interface
1. The web portal shall include a search tool to allow users to input the reference of the authority responsible for the manual verification of the different identities referred to in Article 34(d) of Regulation (EU) 2019/817, in order to retrieve the contact information of that authority.
2. Upon verification of the validity and completeness of the input data, the web portal shall retrieve the contact details of that authority in accordance with Article 49(3) of Regulation (EU) 2019/817.
3. The web portal shall enable the user to open a request for information using template email through a web form in order to facilitate communication with the authority responsible for the manual verification of different identities. The template shall include a field for the single identification number referred to in Article 34(c) of Regulation (EU) 2019/817, to allow that authority to retrieve the appropriate link details and corresponding records.
4. The template email shall contain a standardised request for further information, which shall be available in the languages referred to in Article 1(3). The template email is set out in the Annex. The template email shall also provide an option on the language(s) to be used for a reply, which shall contain at least two languages to be chosen by each Member State. The language of the template email may be chosen by the user.
5. Following the submission of the filled template email through the web form, an automated acknowledgement email shall be sent to the user, containing the contact details of the authority responsible to follow up this request and enabling the person to exercise the rights pursuant to Article 48(1) of Regulation (EU) 2019/817.
Article 4
Content management
1. The web portal shall ensure a separation between the site pages containing information to the general public and the search tool and the site pages allowing the user to retrieve the contact information of the authority responsible for the manual verification of different identities.
2. To allow the management of the content by eu-LISA, the web portal shall contain an administration interface which shall be secured. All access to this interface and the changes performed shall be logged in accordance with Article 7.
3. The administration interface shall provide rights to eu-LISA to add, modify or remove content of the web portal. In no circumstance shall this interface allow eu-LISA to access data related to the third-country nationals that are stored in the EU information systems.
4. The content management solution shall provide a staging system where all changes can be prepared, viewed and pushed to the online system for publication at a given time point. The staging shall also have tools to ease management of the content and preview the result of changes.
Article 5
Security considerations
1. The web portal shall be designed and implemented to ensure the confidentiality, integrity and availability of the services and to ensure non-repudiation of transactions, by applying at minimum the following application security principles:
(a) defence in depth (layered security mechanisms);
(b) positive security model (defines what is allowed and rejects everything else);
(c) fail securely (handles errors securely);
(d) run with least privilege;
(e) keep security simple (avoid complex architectures when a simpler approach would be faster and simpler);
(f) detect and prevent intrusions (logging and managing all security relevant information) by applying proactive controls on the protection of the web portal information and Member State contact details from cyber-attacks and information leakage;
(g) do not trust infrastructure (the application needs to authenticate and authorise every action from surrounding systems);
(h) do not trust services (all external systems shall not be trusted);
(i) establish secure defaults (software and operating systems environments must be hardened according to best practices and industry standards).
2. The web portal shall also be designed and implemented to ensure the availability and integrity of logs recorded.
3. For security and data protection purposes, the web portal shall include a notice informing the users of the rules governing the usage of the web portal and of the consequences of providing incorrect information. The notice shall include an acceptance form of the rules governing the usage of the web portal that the user shall be required to submit before being allowed to use the web portal.
The technical and organisational implementation of the web portal shall be compliant with the security plan, the business continuity plan and a disaster recovery plan referred to in Article 42(3) of Regulation (EU) 2019/817.
Article 6
Data protection and rights of the data subject
1. The web portal shall be compliant with data protection rules of Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive (EU) 2016/680.
2. The web portal shall include a privacy notice. It should be accessible via a dedicated link. The notice shall also be accessible from every page of the web portal. It shall be provided for in a clear and comprehensive way.
Article 7
Logs
1. Without prejudice to the written records referred to in Article 48(10) of Regulation (EU) 2019/817, all access to the web portal shall be recorded in a log containing the following information:
(a) IP address of the system used by the requester;
(b) date and time of the request;
(c) technical information on the environment used for the request such as type of device, version of the operating system, model and version of the browser.
2. The information logged shall be used only for statistical purposes as well as to monitor the use of the web portal in order to prevent any misuse.
3. In case of access to the administration interface of the web portal, the following data shall be logged in addition to the data referred to in paragraph 1:
(a) identification of the user accessing the administration interface;
(b) actions performed on the web portal (add, modify or delete content).
4. Additional anonymous technical information may be logged during the use of the web portal in order to optimise its usage and performance as long as it does not contain personal data.
5. The information logged in accordance with paragraphs 1 and 3 shall be kept for a maximum of two years.
6. eu-LISA shall keep logs of all data processing operations in the web portal.
7. eu-LISA, the Member State authorities and Union agencies shall each define the list of staff duly authorised to access the data processing operations logs of the web portal.
Article 8
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Brussels, 19 August 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 135, 22.5.2019, p. 27.
(2) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85).
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(4) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(5) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(6) This Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).
(7) OJ L 176, 10.7.1999, p. 36.
(8) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).
(9) OJ L 53, 27.2.2008, p. 52.
(10) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).
(11) OJ L 160, 18.6.2011, p. 21.
(12) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).
ANNEX
Request for information template email
The template for the email is the following:
TO: <authority responsible for the manual verification of different identities and retrieved by the portal>
FROM: <user email address>
SUBJECT: Request for information concerning multi-identity detector [red link/white link]: <single identification number>
Mail_Body:
Dear Madam, dear Sir,
I was informed in writing, via a form I received, about the existence of possible discrepancies in the personal information regarding myself.
These possible discrepancies in my identity information have led to the creation of a case file with reference <single identification number>.
I would like to request all further information concerning this case by <date to be calculated by portal> in <language (1)> to this email address.
(1) Drop-down menu with linguistic options to be decided by each Member State.