Commission Implementing Decision (EU) 2021/1028 of 21 June 2021 adopting measures... (32021D1028)
EU - Rechtsakte: 19 Area of freedom, security and justice

COMMISSION IMPLEMENTING DECISION (EU) 2021/1028

of 21 June 2021

adopting measures for the application of Regulation (EU) 2018/1240 of the European Parliament and of the Council as regards accessing, amending, erasing and advance erasing of data in the ETIAS Central System

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), in particular Article 73(3), third subparagraph, points (b)(i) and (ii), thereof,
Whereas:
(1) Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (ETIAS), applicable to visa-exempt third-country nationals seeking to enter the territory of the Member States.
(2) Prior to the development of the ETIAS Information System, it is necessary to adopt measures for the technical implementation of that system.
(3) The measures laid down by this Decision should be completed by the Technical Specifications of the ETIAS Information System. Based on the measures laid down by this Decision, the European Union Agency for the Operational Management of Large-Scale IT systems in the Area of Freedom, Security and Justice (eu-LISA) should then be able to define the design of the physical architecture of the ETIAS Information System, as well as the technical specifications of the system and to develop the ETIAS Information System.
(4) The technical development and implementation of the ETIAS Information System should cover the way authorities will access, amend and erase data in the ETIAS Central System.
(5) As regards access by border authorities for the purposes of obtaining the status of a travel authorisation at borders, access by immigration authorities for the purpose of verifying the conditions of entry or stay on the territory of Member States, access by the central access points for law enforcement purposes, and access by ETIAS National Units for the retrieval of files for the purpose of supporting the risk assessment, such access should be granted through a technical interface enabling the connection of national border infrastructures, the central access points, the national systems of the immigration authorities and other EU information systems or national systems, to the ETIAS Central System. The technical specifications developed by eu-LISA should include an interface control document describing the technical interface between the ETIAS Central System and other EU information systems and national systems.
(6) From the start of operations of the European search portal established pursuant to Article 6 of Regulation (EU) 2019/817 of the European Parliament and of the Council (2) searches performed by border authorities, immigration authorities or central access points should take place using the European search portal.
(7) As regards access for the purpose of the manual processing of applications, including for Europol when it provides opinions to ETIAS National Units, as well as access by the ETIAS Central Unit and the ETIAS National Units for the purpose of amending and erasing data, access should be granted through software designed for that purpose by eu-LISA. That software should also be used by Europol to request access to data in the ETIAS Central System for law enforcement purposes. The means by which the ETIAS Central Unit and the ETIAS National Units and Europol are to authenticate and access that software should be specified.
(8) Duly authorised users from the ETIAS Central Unit, the ETIAS National Units and Europol should log-into the software using user job profiles. The ETIAS Central Unit, the ETIAS National Units and Europol should be able to assign standard permissions, roles and job profiles to users or to customise job profiles using pre-established roles and permissions within the software to reflect the way the European Border and Coast Guard Agency and Member States will set-up and operate the ETIAS Central Unit and ETIAS National Units respectively, and Europol to reflect the working methods of Europol.
(9) Incompatibilities between pre-established roles and permissions should be pre-determined in the software to prevent users from creating job profiles combining incompatible roles and permissions. To separate duties and avoid users having conflicting responsibilities, permissions associated with the processing of applications should not be combined with permissions associated with amending and deleting data, nor with permissions associated with appeal procedures.
(10) In line with data protection principles, in particular data protection by design and default, users of the software should be allowed to view only those data which correspond to the permissions assigned to their job profiles. This could result in different user displays depending on the job profile being used.
(11) The software should be developed with general software functionalities supporting the ETIAS Central Unit and the ETIAS National Units in their tasks related to access, amendment and erasure of data.
(12) It should also include a number of specific functionalities to support users in their tasks related to accessing and amending of data, and when manually processing applications which triggered a hit during the automated processing of applications.
(13) Among those specific functionalities should be to always clearly display to users the remaining time to comply with their respective allocated deadlines for the various stages of the examination of the application laid down in Regulation (EU) 2018/1240.
(14) Other specific functionalities should support ETIAS National Units during the manual processing of applications when assessing risks. The software should enable extraction of limited data stored in the ETIAS Central System to facilitate consultation by ETIAS National Units of other EU information systems or databases (the Schengen Information system (SIS), the Visa Information System (VIS), the Entry/Exit System (EES) or Eurodac) or information in underlying national systems related to the hits triggered during the automated processing of applications. The ETIAS Information System should be developed in such a way as to allow files to be automatically created and available for extraction by ETIAS National Units when manually assessing applications in accordance with Article 26 or Article 28 of Regulation (EU) 2018/1240. It is necessary to identify those functionalities and data elements that should be automatically prepared as part of the files depending on the hit triggered during the automated processing of applications. It is furthermore necessary for the software to have specific functionalities allowing extraction of data in the context of national appeal procedures and allowing uploading of results of the risk assessments as well as recording of data related to national appeal procedures. The specific functionalities of the software for uploading of results of risk assessments should not allow for uploading of the justification behind the decision to issue or refuse a travel authorisation.
(15) eu-LISA should assign credentials to Member States enabling them to arrange one or more roles or user job profiles to the duly authorised staff of central access points, and border and immigration authorities.
(16) Given the existing obligation under Regulation (EU) 2018/1725 of the European Parliament and of the Council (3), the European Border and Coast Guard Agency, acting as data controller in accordance with Article 3, point (8) of that Regulation, and eu-LISA, acting as controller in relation to information security management of the ETIAS Central System, should carry out an assessment of the impact of the envisaged processing operations on the protection of personal data pursuant to Article 39 of Regulation (EU) 2018/1725.
(17) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2018/1240 and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen
acquis
, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law.
(18) This Decision constitutes a development of the provisions of the Schengen
acquis
in which Ireland does not take part and falls outside the scope of Council Decision 2002/192/EC (4); Ireland is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(19) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning association of those two States with the implementation, application and development of the Schengen
acquis
 (5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (6).
(20) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
 (7), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (8).
(21) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
 (9) which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (10).
(22) As regards Cyprus, Bulgaria and Romania, and Croatia, this Decision constitutes an act building upon, or otherwise relating to, the Schengen
acquis
within the meaning of, respectively, Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.
(23) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 22 January 2021.
(24) The measures provided for in this Decision are in accordance with the opinion of the Smart Borders Committee (ETIAS),
HAS ADOPTED THIS DECISION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

This Decision establishes measures for the application of Regulation (EU) 2018/1240 as regards:
(1) accessing data in accordance with Articles 22 to 29, Articles 33 to 44 and Articles 47 to 53 of that Regulation;
(2) amending, erasing and advance erasure of data in accordance with Article 55 of that Regulation.

Article 2

Definitions

For the purposes of this Decision, the following definitions apply:
(a) ‘role’ means a set of permissions linked to a specific purpose for processing data in the European Travel Information and Authorisation System (ETIAS);
(b) ‘job profile’ means one or more job functions covering one or more roles;
(c) ‘user’ means a duly authorised staff member of the ETIAS Central Unit, of an ETIAS National Unit, of Europol or of a central access point as well as border or immigration authorities with access credentials assigned with one or more roles or job profiles;
(d) ‘permission’ means a right to perform a data processing operation.

CHAPTER II

PROVISIONS ON SOFTWARE

Article 3

Authentication scheme and access management

1.   With the exception of access to watchlist entries, which shall be accessed in accordance with Commission Implementing Decision laying down measures for the application of Regulation (EU) 2018/1240 of the European Parliament and of the Council as regards the technical specification of ETIAS watchlist and of the impact assessment tool (11), data stored in the ETIAS Central System shall be accessed, by users from the ETIAS Central Unit, the ETIAS National Units and Europol, through the software referred to in Article 6(2), point (m) of Regulation (EU) 2018/1240 (‘the software’).
2.   When developing the software, eu-LISA shall:
(a) establish an authentication scheme to log-into the software;
(b) make available standard permissions, roles and job profiles to the ETIAS Central Unit, ETIAS National Units and Europol.
3.   The software shall provide the ETIAS Central Unit, ETIAS National Units and Europol with the technical means:
(a) to create new roles and amend or erase existing ones;
(b) to set-up access credentials enabling the users to carry out data processing operations in accordance with assigned roles;
(c) to regulate, within their organisations, the assignment and management of standard roles to users.
4.   The roles created or amended by the ETIAS Central Unit, ETIAS National Units and Europol shall only be visible to ETIAS Central Unit, the ETIAS National Unit or to Europol respectively.
5.   The software shall prevent the assignment of incompatible roles to users. It shall ensure that users having several job profiles are able to use only one job profile at a time, and are able to switch between job profiles without having to log out.
6.   The ETIAS Central Unit, ETIAS National Units and Europol shall be responsible for assigning job profiles via the software to users within their organisation. Each job profile, role or permission may be assigned to several users within the same organisation.
7.   Users may use pseudonyms. Those pseudonyms shall be traceable to the users’ official identities at national level or within Europol.
8.   The authentication scheme, and the standard permissions, roles and job profiles referred to in paragraph 2, and the prevention of the assignment of incompatible roles, as referred to in paragraph 4 of this Article, shall be part of the technical specifications provided for in Article 73(3) of Regulation (EU) 2018/1240.

Article 4

General software functionalities

1.   The software shall have at least the following functionalities supporting users for the purpose of accessing, amending and erasing data:
(a) the possibility to use a pre-determined set of filters to customise the display of data for each job profile logged into the software;
(b) the automatic saving of data added to the application file or draft amendments of data in the application file, where applicable, and logging out of the user after a pre-established period of inactivity;
(c) the possibility to block access to a hit by another user for a limited period of time, including marking of such blocked hits visible to other users;
(d) the option to save progress on the processing of an application by the ETIAS Central Unit or ETIAS National Units;
(e) the option to mark and record, at any time, a possible data inaccuracy or processing in contravention of Regulation (EU) 2018/1240 by the ETIAS Central Unit or the ETIAS National Units;
(f) enabling communication and information exchange between users from the ETIAS Central Unit, the ETIAS National Units and Europol;
(g) automatically deleting temporary notes referred to in Article 5(1), point (f) of this Decision at the time of completion of the manual processing by the ETIAS Central Unit and ETIAS National Units;
(h) preventing temporary notes referred to in Article 5(1), point (f) of this Decision from being visible to users other than those of the same Unit or Europol;
(i) allowing the ETIAS Central Unit to process Europol requests referred to in Article 5(1), point (m) of this Decision;
(j) the possibility to facilitate the retrieval of data when requested by data subjects, including templates for responding to the data subject with, where relevant, an overview of the changes made to the data, a selection of the personal data, or justifications referred to in Article 64(3) and (4) of Regulation (EU) 2018/1240;
(k) where a travel authorisation is amended on the basis of a request from an authorisation holder in accordance with Article 64 of Regulation (EU) 2018/1240, enabling users to notify a travel authorisation holder that an amended travel authorisation has been issued.
2.   eu-LISA shall describe the details of the general software functionalities in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 5

Specific software functionalities

1.   The software shall have at least the following specific functionalities supporting users when they access data in accordance with Chapters III, IV and VI of Regulation (EU) 2018/1240:
(a) a functionality displaying application files based on the time remaining until the next step of the manual processing, as the default display, as well as other filters, available for customising the display per user, for displaying the application files:
(i) time of entry to the manual processing phase;
(ii) any necessary consultation requests and the time remaining until the deadline for providing opinions expires (sorted by default with those consultation requests for which least time remains until the deadline);
(iii) the next step of the manual processing to be performed by an ETIAS National Unit consulted or responsible for the application;
(iv) the type of hit or background question triggering the manual processing;
(v) the type of application (that is to say humanitarian grounds or international obligations, or normal);
(vi) applications marked for special attention or ad hoc handling;
(vii) for the ETIAS National Unit of the Member State responsible, the type of opinion received from consulted ETIAS National Units or Europol, including whether or not received within the deadline;
(b) a functionality to calculate and clearly display the time remaining, as well as warnings on deadlines for the manual processing of applications, including when the ETIAS National Units or Europol are consulted;
(c) a functionality providing the ETIAS Central Unit, ETIAS National Units and Europol with a management dashboard giving an overview of the state of play of manual processing related operations;
(d) a functionality providing the option to mark an application for specific attention or ad hoc handling;
(e) a functionality providing the option to request a notification of the decision taken by the ETIAS National Unit of the Member State responsible regarding an application on which an ETIAS National Unit was consulted;
(f) a functionality enabling the ETIAS Central Unit and ETIAS National Units to add or delete temporary notes on the application file;
(g) functionalities supporting ETIAS National Units in manually processing applications pursuant to Article 26 and Article 28 of Regulation (EU) 2018/1240, as follows:
(i) for hits referred to in Article 26(3) of Regulation (EU) 2018/1240, a functionality making automatically available a file for extraction with the following data from the application file: ‘surname (family name)’, ‘first name(s) (given name(s))’, ‘surname at birth’, ‘date of birth’, ‘place of birth’, ‘current nationality’, ‘country of birth’, ‘the type, number and country of issue of the travel document’, enabling retrieving the record, file or alert having triggered the hit in the queried EU information systems and where additional information related to the hit in an EU information system referred to in that Article is stored in a national system or a database, to consult that national system or a database supporting the assessment of the risks identified in that paragraph;
(ii) for hits referred to in Article 26(4) of Regulation (EU) 2018/1240, a functionality making automatically available a file for extraction with the following data from the application file: answers provided by the applicant under Article 17(4) and (6) of that Regulation, ‘surname (family name)’, ‘first name(s) (given name(s))’, ‘surname at birth’, ‘date of birth’, ‘place of birth’, ‘current nationality’, ‘country of birth’, ‘the type, number and country of issue of the travel document’, enabling retrieval in the relevant national systems or databases information related to the hit and supporting the assessment of the risks identified in that paragraph;
(iii) for hits referred to in Article 26(5) of Regulation (EU) 2018/1240, a functionality making automatically available a file for extraction with the following data from the application file: ‘surname (family name)’, ‘first name(s) (given name(s))’, ‘surname at birth’, ‘date of birth’, ‘place of birth’, ‘current nationality’, ‘country of birth’, ‘type, number and country of issue of the travel document’ and ‘the national identifier’ of the watchlist entry, enabling retrieval in the relevant national systems or databases information related to the hit and supporting the assessment of the risk identified in that paragraph;
(iv) for hits referred to in Article 26(6) of Regulation (EU) 2018/1240, a functionality making automatically available a file for extraction with the following data from the application file ‘surname (family name)’, ‘first name(s) (given name(s))’, ‘surname at birth’, ‘date of birth’, ‘place of birth’, ‘current nationality’, ‘country of birth’ and ‘type, number and country of issue of the travel document’ enabling retrieval in the relevant national systems or databases information related to the hit and supporting the assessment of the risks identified in that paragraph;
(v) a functionality enabling users from the ETIAS National Units to upload the result of the assessment of the risks referred to in the second subparagraph of Article 26(7) of Regulation (EU) 2018/1240;
(h) a functionality enabling the extraction of the relevant data required for national appeal procedures, where such procedures have been initiated and recording in the ETIAS Central System that an appeal procedure was initiated, accompanied with the corresponding national appeal reference numbers and the outcome of that procedure;
(i) a functionality enabling the extraction of the additional information or documentation referred to in Article 27(2) and (8) of Regulation (EU) 2018/1240 and the uploading and storing of translations of that documentation in the application file;
(j) a functionality enabling follow up on the outcome of national appeals pursuant to Article 37(3), Article 40(3) and Article 41(7) of Regulation (EU) 2018/1240, including amendment or erasure of data in the ETIAS Central System, or where relevant issue of a new travel authorisation;
(k) a functionality to assign application files and limit or enable their visibility to specific users within the same ETIAS National Unit or within the ETIAS Central Unit, in order to enable coordination among users;
(l) a functionality enabling Europol to extract data transmitted to it by the ETIAS Central Unit as referred to in Article 29(2) of Regulation (EU) 2018/1240;
(m) a functionality enabling the ETIAS Central Unit to have access to the ETIAS Central System to process Europol requests for consultation of data stored in the ETIAS Central System, without viewing the search parameters of the Europol request or the search results, and to notify Europol of the transmission of the data pursuant to Article 53 of Regulation (EU) 2018/1240;
(n) a functionality enabling Europol to extract a file containing the data resulting from the request for consultation referred to in point (m);
(o) a functionality to assign consultation requests to specific users within Europol;
(p) a functionality enabling users from the ETIAS Central Unit or from the ETIAS National Units to work on different hits simultaneously within the same application file and to coordinate for the consolidation of an opinion in cases where more than one hit is identified for that Unit on one application file;
(q) a functionality ensuring that only one user, within the ETIAS Central Unit or an ETIAS National Unit, can work on the same hit, at the same time, in an application file;
(r) a functionality enabling the manual retrieval of an issued travel authorisation for the purposes of annulment and revocation.
2.   The functionality referred to in point (q) shall enable users to see hits on which it is not possible to work at a given time. Users with appropriate access credentials shall be able to view the content of the hit at all times.
3.   eu-LISA shall describe the details of the specific software functionalities referred to in paragraph 1, the format of the data in the extracted files referred to in paragraph 1, points (g), (l), (m) and (n) of this Article and the technical approach for keeping of records of all data processing operations referred to in Article 26(7) of Regulation (EU) 2018/1240 in the technical specifications provided for in Article 73(3) of that Regulation.

CHAPTER III

ACCESSING, AMENDING, ERASING AND ADVANCE ERASURE

Article 6

Accessing, amending, erasing and advance erasure for the purposes of Article 55 of Regulation (EU) 2018/1240

1.   For the purposes of Article 55 of Regulation (EU) 2018/1240, the software shall allow the ETIAS Central Unit or the ETIAS National Units to search the data stored in the ETIAS Central system. The following search fields shall be available:
(a) surname (family name);
(b) first name(s) (given name(s));
(c) type and travel document number and the three letter code of the issuing country of the travel document;
(d) application number;
(e) nationality or nationalities;
(f) date of birth;
(g) sex;
(h) period of time.
2.   In order to facilitate the retrieval of the application file, the software shall allow users to search by providing data corresponding to the search fields referred to in paragraph 1, point (c) or (d) of this Article.
3.   If data referred to in paragraph 1, points (c) or (d), are not available, the software shall allow users to search by providing data corresponding to the search fields referred to in paragraph 1, points (a), (b), (e), (f), (g) and (h). The software shall allow users to search where data corresponding to one of the search fields (b), (e), (g) is missing. Providing data corresponding to search field (h) shall be optional.
4.   The following rules shall apply to searches performed in accordance with paragraph 2:
(a) the search fields referred to in paragraph 1, points (c) and (d) shall be searched in exact mode;
(b) all other search fields referred to in paragraph 1 shall be searched in inexact mode.
5.   The application file shall be displayed, together with any linked application files, and in accordance with the permissions and roles defined for users.
6.   For the purposes of erasure of application files pursuant to Article 55(5) of Regulation (EU) 2018/1240, a functionality of the software shall enable users of the ETIAS National Units to perform searches and retrieve several application files at once. The software shall allow authorities referred to in Article 55(5) of that Regulation to make available for the use by the ETIAS National Units structured information containing the search fields referred to in paragraph 1 of this Article. Paragraphs 2 and 3 of this Article shall apply
mutatis mutandis
to those searches.
7.   Before any changes pursuant to Article 55 of Regulation (EU) 2018/1240 are recorded in the ETIAS Central System, the software shall request the user to confirm the amendment or erasure by entering their user credentials.

CHAPTER IV

ACCESS TO DATA FOR LAW ENFORCEMENT PURPOSES

Article 7

Access to data by Europol

1.   Requests for access by Europol pursuant to Article 53 of Regulation (EU) 2018/1240, shall be submitted through the software.
2.   Europol shall complete a form with the data referred to in Article 52(2) and (3) of Regulation (EU) 2018/1240, in accordance with Article 53 of that Regulation. Europol shall specify which data, if any, may be searched in inexact mode.
3.   The specialised unit of Europol responsible for prior verification of requests, referred to in Article 53(3) of Regulation (EU) 2018/1240, shall include in the request its assessment as to whether the request fulfils all the conditions in paragraph 2 of that Article. It shall be technically impossible to submit the request to the ETIAS Central Unit if the assessment is not included.
4.   The ETIAS Central System shall automatically prevent access to data referred to in Article 17(2), point (h) of Regulation (EU) 2018/1240. The ETIAS Central System shall also automatically prevent access to data referred to in Article 17(2), point (i) and Article 17(4), points (a), (b) and (c) of Regulation (EU) 2018/1240 if the specialised unit of Europol has not indicated that relevant justifications required pursuant to Article 53(1) of that Regulation have been provided and verified. The specialised unit of Europol shall indicate in the request that the necessary verifications have been done.

Article 8

Access to data by central access points

1.   The central access points shall search the ETIAS Central System with the data listed in Article 52(2) and (3) of Regulation (EU) 2018/1240 via the European search portal established pursuant to Article 6 of Regulation (EU) 2019/817. Data listed in Article 52(2) and (3) of Regulation (EU) 2018/1240 may be searched in inexact mode.
2.   Until the European search portal is operational for use by central access points, searches shall be performed directly via the ETIAS Central System.
3.   Where a request is received from an operating unit of the designated authorities, the central access point shall verify and confirm that the conditions in Article 52(1) of Regulation (EU) 2018/1240 are fulfilled.
4.   Where applicable, the central access point shall verify and confirm whether access to the data listed in Article 17(2), point (i) and Article 17(4), points (a), (b) and (c) of Regulation (EU) 2018/1240 is justified, in accordance with Article 51 of that Regulation.
5.   Where the central access point accesses the ETIAS Central System, the ETIAS Central System shall automatically prevent access to data listed in Article 17(2), point (h) of Regulation (EU) 2018/1240.
The ETIAS Central System shall only retrieve the data listed in Article 17(2), point (i) and Article 17(4), points (a), (b) and (c) of Regulation (EU) 2018/1240 where the central access point has confirmed that access to those data is justified pursuant to paragraph 4 of this Article.
In exceptional cases, by way of derogation from paragraph 3 of this Article, the central access points shall be able to indicate that the request concerns a case of urgency and shall be able to process the request from an operating unit of the designated authorities immediately. The verifications and confirmations provided for in paragraphs 3 and 4 of this Article shall be conducted
ex post
, in accordance with Article 51(4) of Regulation (EU) 2018/1240.

CHAPTER V

ACCESS TO DATA BY BORDER AND IMMIGRATION AUTHORITIES FOR THE PURPOSES OF VERIFICATION

Article 9

Access to data by border authorities at the external borders

1.   Border authorities shall access the ETIAS Central System to consult the data required for the performance of their duties.
Border authorities shall have access to search the ETIAS Central System, with the following data of the machine-readable zone of the travel document:
(a) surname (family name); first name or names (given names);
(b) date of birth; sex; nationality or nationalities;
(c) the type and number of the travel document and the three letter code of the issuing country of the travel document;
(d) the date of expiry of the validity of the travel document.
All data listed in the second subparagraph shall be used to initiate the search. The data listed in point (a) may be searched in inexact mode while the other data shall be searched in exact mode.
2.   Searches performed with the data listed in paragraph 1 of this Article shall return the data referred to in Article 47(2), points (a) to (d), of Regulation (EU) 2018/1240.
3.   In accordance with Article 47(4) of Regulation (EU) 2018/1240, border authorities shall be able to access the ETIAS Central System to consult additional information that has been added to the application file in accordance with Article 39(1), point (e) or Article 44(6), point (f) of that Regulation. For this purpose border authorities shall have access, via the European search portal, to search the ETIAS Central System using the data listed in paragraph 1, second subparagraph of this Article.
Until the European search portal is operational for use by border authorities, those searches shall be carried out directly in the ETIAS Central System.
4.   Searches performed in accordance with paragraph 3 of this Article shall return the data referred to in Article 39(1), point (e) or Article 44(6), point (f) of Regulation (EU) 2018/1240.

Article 10

Access to data by immigration authorities

1.   Immigration authorities shall have access via the European Search Portal to search the ETIAS Central System for checking or verifying if the conditions for entry to or stay on the territory of the Member States are fulfilled and for taking appropriate measures relating thereto. Pursuant to Article 49(1) of Regulation (EU) 2018/1240, immigration authorities shall have access to search the ETIAS Central System with the data listed in Article 17(2), points (a) to (e) of that Regulation.
Any combination of the data listed in Article 17(2), points (a) to (e) of Regulation (EU) 2018/1240 may be used as long as data referred to in Article 17(2), point (a) of that Regulation are used. Those searches may be performed in inexact mode.
Until the European search portal is operational for use by immigration authorities, those searches shall be carried out directly in the ETIAS Central System.
2.   Searches performed in accordance with paragraph 1 of this Article shall return the data referred to in Article 49(3) of Regulation (EU) 2018/1240.
3.   Immigration authorities shall also have access to the ETIAS Central System for the purpose of return, under the conditions laid down in Article 65(3) of Regulation (EU) 2018/1240.
Immigration authorities shall have access to search the ETIAS Central System with the data referred to in paragraph 1 of this Article.
Any combination of the data referred to in paragraph 1 of this Article may be used as long as data referred to in Article 17(2), point (a) of Regulation (EU) 2018/1240 are used.
4.   Searches performed in accordance with paragraphs 1 and 3 of this Article shall return the data referred to in the third subparagraph of Article 65(3) of Regulation (EU) 2018/1240. Data referred to in Article 17(2), point (k) of that Regulation shall only be returned if ‘date of birth’ was used in the search.

Article 11

Entry into force

This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 21 June 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 236, 19.9.2018, p. 1
.
(2)  Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (
OJ L 135, 22.5.2019, p. 27
).
(3)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(4)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(5)  
OJ L 176, 10.7.1999, p. 36
.
(6)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(7)  
OJ L 53, 27.2.2008, p. 52
.
(8)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 1
).
(9)  
OJ L 160, 18.6.2011, p. 21
.
(10)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).
(11)  C(2021) 4123.
Markierungen
Leseansicht