Home Über uns Sitemap Login Registrieren
Commission Delegated Decision (EU) 2019/970 of 22 February 2019 on the tool for a... (32019D0970)
EU - Rechtsakte: 19 Area of freedom, security and justice
13.6.2019   
EN
Official Journal of the European Union
L 156/15

COMMISSION DELEGATED DECISION (EU) 2019/970

of 22 February 2019

on the tool for applicants to check the status of their applications and to check the period of validity and status of their travel authorisations pursuant to Article 31 of Regulation (EU) 2018/1240 of the European Parliament and of the Council

(Text with EEA relevance)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular, Article 31 thereof,
Whereas:
(1) Regulation (EU) 2018/1240 established a European Travel Information and Authorisation System (ETIAS) as a system for third-country nationals exempt from the requirement to be in possession of a visa when crossing the external borders. It laid down the conditions and procedures to issue or refuse a travel authorisation.
(2) Applicants for an ETIAS travel authorisation, travel authorisation holders, persons whose ETIAS travel authorisation was refused, revoked or annulled or persons whose ETIAS travel authorisation has expired and have given their consent to retain their data in accordance with Article 54(2) of Regulation (EU) 2018/1240 (further referred to as ‘applicant’) should be able to verify the status of their application and to check the period of validity and status of their travel authorisation.
(3) This Decision should set out conditions on how applicants can verify the status of their applications and to check the period of validity and status of their travel authorisation using a dedicated tool.
(4) The verification tool should be accessible through the dedicated public website, the app for mobile devices and through a secure link. This link to the verification tool should be sent to the applicant's email address when the applicant is notified of acknowledgment of the submission of an application or of the issue, revocation or annulment of a travel authorisation, in accordance with Articles 19(5), 38(1)(a), 42(a) and 44(6)(a) of Regulation (EU) 2018/1240.
(5) The verification tool should enable confirming the identity of the applicant. It is therefore necessary to set out authentication requirements for accessing the verification tool. Applicants should submit data in order to authenticate themselves. It is also necessary to set out outputs of the verification tool enabling the applicant to verify the status of their application and to check the period of validity and status of their travel authorisation.
(6) The communication channels of the verification tool with the ETIAS Central System should be set out. Furthermore, the message format, standards and protocols as well as the security requirements should be established.
(7) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2017/2226 of the European Parliament and of the Council (2) and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen
acquis
, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law.
(8) This Decision constitutes a development of the provisions of the Schengen
acquis
in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC (3); the United Kingdom is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(9) This Decision constitutes a development of the provisions of the Schengen
acquis
in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (4); Ireland is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(10) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latter's association with the implementation, application and development of the Schengen
acquis
 (5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (6).
(11) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
 (7), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (8).
(12) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
 (9) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (10).
(13) The European Data Protection Supervisor was consulted on 28 January 2019 and delivered an opinion on 8 February 2019,
HAS ADOPTED THIS DECISION:

Article 1

Access to the verification tool

1.   Applicants for an ETIAS travel authorisation, travel authorisation holders, persons whose ETIAS travel authorisation was refused, revoked or annulled or persons whose ETIAS travel authorisation has expired and have given their consent to retain their data in accordance with Article 54(2) of Regulation (EU) 2018/1240 (further referred to as ‘applicant’) shall have access to the verification tool.
2.   The verification tool shall be accessible via:
(a) the dedicated public website;
(b) the app for mobile devices referred to in Article 16 of Regulation (EU) 2018/1240;
(c) a link provided through the ETIAS email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240. This link shall be sent when the applicant is notified of acknowledgment of the submission of an application or of the issue, revocation or annulment of a travel authorisation, in accordance with Articles 19(5), 38(1)(a), 42(a) and 44(6)(a) of Regulation (EU) 2018/1240.

Article 2

The two-factor authentication required for access to the verification tool

1.   In order to connect to the verification tool, two-factor authentication shall be used.
2.   The first authentication shall consist of entering the following data:
(a) travel document number;
(b) country of issue of the travel document to be selected from a predetermined list;
(c) email address.
3.   The data submitted by the applicant shall be the same as the one provided by them in their application form.
4.   The second authentication shall consist of a unique code to be entered into the verification tool to confirm authentication.
5.   Upon submission of the information in paragraph 2, the unique code shall be automatically generated and sent to the applicant through the email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240.
6.   The unique code shall expire after a short period of time. Sending a new unique code shall invalidate unique codes previously sent to the same applicant.
7.   The unique code shall be sent to the same email address provided in the submitted application.
8.   The unique code shall be usable only once.

Article 3

Output of the verification tool

1.   Upon authentication for access to the tool, applicants shall view the status of the applications or travel authorisations linked to their travel document number.
2.   The verification tool shall provide one of the following status categories per each application or travel authorisation linked to the travel document number:
(a) ‘submitted’;
(b) ‘valid’;
(c) ‘refused’;
(d) ‘annulled’;
(e) ‘revoked’;
(f) ‘expired’.
3.   For all valid travel authorisations, the verification tool shall provide the end date of the travel authorisation validity period.
4.   In case of limited territorial validity, the applicant shall be informed about the Member State(s) for which the travel authorisation is valid. This information shall be displayed in a prominent place in the verification tool.
5.   A disclaimer shall be shown in the verification tool indicating that a valid travel authorisation shall not confer an automatic right of entry or stay as specified in Article 36(6) of Regulation (EU) 2018/1240. This disclaimer shall also invite applicants to consult the Entry/Exit System (EES) web service referred to in Article 13 of Regulation (EU) 2017/2226, which shall be clearly indicated, in order to gain further information on the remaining period of authorised stay.

Article 4

Data extraction requirements

1.   The verification tool shall make use of a separate read-only database updated within a few minutes via a one-way extraction of the minimum subset of data stored in ETIAS necessary to implement the provisions of Articles 2 and 3 of this Decision.
2.   eu-LISA shall be responsible for the security of the verification tool, for the security of the personal data it contains and for the process of extracting the personal data into the separate read-only database.

Article 5

Message format, standards and protocols

The message format and the protocols to be implemented shall be included in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 6

Specific security considerations

1.   The verification tool shall be designed and implemented to ensure the confidentiality, integrity and availability of processed data and to ensure non-repudiation of transactions. The technical and organisational implementation of it shall meet the requirements of the ETIAS security plan referred in Article 59(3) of Regulation (EU) 2018/1240 and of the rules on data protection and security applicable to the public website and the app for mobile devices referred to in Article 16(10) of Regulation (EU) 2018/1240.
2.   The verification tool shall be designed in a way that precludes unlawful access to the verification tool. For this purpose, the verification tool shall limit the number of attempts to access the tool with the same travel document and unique code. The tool shall also include measures to protect against non-human behaviour.
3.   The verification tool shall also include time-out measures after some minutes of inactivity.
4.   Additional details concerning the confidentiality, integrity and availability of processed data shall be subject of the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 7

Logs

1.   The verification tool shall keep activity logs, including:
(a) authentication data, including whether the authentication was successful or not;
(b) date and time of access.
2.   Activity logs of the tool shall be copied to the Central System. They shall be stored for no longer than one year after the end of the retention period of the application file, unless they are required for monitoring procedures which have already begun. After that period, they shall be automatically erased.
Such logs can only be used for the purpose of Article 69(4) of Regulation (EU) 2018/1240.

Article 8

This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 22 February 2019.
For the Commission
The President
Jean-Claude JUNCKER
(1)  
OJ L 236, 19.9.2018, p. 1
.
(2)  Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (
OJ L 327, 9.12.2017, p. 20
).
(3)  Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen
acquis
(
OJ L 131, 1.6.2000, p. 43
).
(4)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(5)  
OJ L 176, 10.7.1999, p. 36
.
(6)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(7)  
OJ L 53, 27.2.2008, p. 52
.
(8)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 1
).
(9)  
OJ L 160, 18.6.2011, p. 21
.
(10)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).
Markierungen
Leseansicht