Commission Implementing Decision (EU) 2019/328 of 25 February 2019 laying down me... (32019D0328)
EU - Rechtsakte: 19 Area of freedom, security and justice

COMMISSION IMPLEMENTING DECISION (EU) 2019/328

of 25 February 2019

laying down measures for keeping and accessing the logs in the Entry/Exit System (EES)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (1), and in particular point (f) of the first paragraph of Article 36 thereof,
Whereas:
(1) Regulation (EU) 2017/2226 established the Entry/Exit System (EES) as a system which registers electronically the time and place of entry and exit of third-country nationals admitted for a short stay to the territory of the Member States and which calculates the duration of their authorised stay.
(2) The EES aims to improve the management of external borders, to prevent irregular immigration and to facilitate the management of migration flows. The EES should in particular contribute to the identification of any person who does not fulfil or no longer fulfils the conditions of the authorised stay on the territory of the Member States. Additionally, the EES should contribute to the prevention, detection and investigation of terrorist offences and of other serious criminal offences.
(3) Prior to the development of the EES it is necessary to adopt measures for the development and technical implementation of the EES.
(4) Based on those measures, the European agency for the operational management of large-scale information systems in the area of freedom, security and justice should then be able to define the design of the physical architecture of the EES including its Communication Infrastructure, as well as the technical specifications of the system and to develop the EES.
(5) The measures laid down by this Decision for the development and technical implementation of the EES should be completed by the Technical Specifications and the Interface Control Document of the EES which will be developed by the European agency for the operational management of large-scale information systems in the area of freedom, security and justice.
(6) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2017/2226 and is not bound by it or subject to its application. However, given that Regulation (EU) 2017/2226 builds upon the Schengen acquis, Denmark, in accordance with Article 4 of that Protocol, notified on 30 May 2018 its decision to implement Regulation (EU) 2017/2226 in its national law. Denmark is therefore bound under international law to implement this Decision.
(7) This Decision is without prejudice to the application of Directive 2004/38/EC of the European Parliament and of the Council (2).
(8) This Decision constitutes a development of the provisions of the Schengen
acquis
in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC (3); the United Kingdom is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(9) This Decision constitutes a development of the provisions of the Schengen
acquis
in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (4); Ireland is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(10) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latter's association with the implementation, application and development of the Schengen acquis (5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (6).
(11) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (7), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (8).
(12) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (9) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (10).
(13) As regards Cyprus, Bulgaria, Romania and Croatia, the operation of the EES requires the granting of passive access to the VIS and the putting into effect of all the provisions of the Schengen acquis relating to the SIS in accordance with the relevant Council Decisions. Those conditions can only be met once the verification in accordance with the applicable Schengen evaluation procedure has been successfully completed. Therefore, the EES should be operated only by those Member States which fulfil those conditions by the start of operations of the EES. Member States not operating the EES from the initial start of operations should be connected to the EES in accordance with the procedure set out in Regulation (EU) 2017/2226 as soon as all of those conditions are met.
(14) The European Data Protection Supervisor delivered an opinion on 20 July 2018.
(15) The measures provided for in this Decision are in accordance with the opinion of the Smart Borders Committee,
HAS ADOPTED THIS DECISION:

Article 1

The measures necessary for the technical implementation of the EES in relation to the procedures for keeping and accessing the logs in accordance with Article 46 of the Regulation (EU) 2017/2226 shall be as set out in the Annex to this Decision.

Article 2

This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 25 February 2019.
For the Commission
The President
Jean-Claude JUNCKER
(1)  
OJ L 327, 9.12.2017, p. 20
.
(2)  Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (
OJ L 158, 30.4.2004, p. 77
).
(3)  Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen
acquis
(
OJ L 131, 1.6.2000, p. 43
).
(4)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(5)  
OJ L 176, 10.7.1999, p. 36
.
(6)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(7)  
OJ L 53, 27.2.2008, p. 52
.
(8)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 1
).
(9)  
OJ L 160, 18.6.2011, p. 21
.
(10)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).

ANNEX

1.   KEEPING THE LOGS OF DATA PROCESSING OPERATIONS

In this Annex, no distinction is made regarding the logs that could be stored at Entry/Exit Central System (CS-EES) level or at NUI level as all logs will be consolidated at CS-EES level.
Each data processing operation within the EES shall be recorded as a log entry. The log entry shall have a specific field allowing for the identification of the operation performed including the purpose of access in accordance with Article 46(1) (a) of Regulation (EU)2017/2226. All data transmitted shall be logged; in case of VIS consultations, provisions laid down in Article 34 of Regulation (EC)767/2008 of the European Parliament and of the Council (1) shall also be applied.
The log entry shall be recorded with the qualified electronic timestamp with the time and date the data was received. This timestamp shall later be used to identify the log entries to be deleted as per the retention period for each type of log in accordance with Article 46(4) of Regulation (EU) 2017/2226.
For all data processing operations, a unique ID of the authority entering or retrieving the data shall be stored in the log entry. The authority and the central EES shall be specified in the log entry either as a sender or as a recipient.
The data transmitted or used for interrogation referred to in Article 46(1) (c) and (d) of Regulation (EU) 2017/2226 shall be archived in the log. In the case of consultation of the overstayer report, the data referred to in Article 46(1) (a), (b) (d) and (e) of Regulation (EU) 2017/2226 shall be logged.
Logs as referred to in Article 46 of Regulation (EU) 2017/2226, shall be recorded in the CS-EES. The CS-EES shall proceed daily to the deletion of log entries in accordance with Article 46(4) of Regulation (EU) 2017/2226. All logs pertaining to the same third-country national and corresponding to an operation ‘delete Files or Entry/Exit/Refusal Records’ or ‘automatic deletion’ shall be deleted one year after that deletion, unless identified as to be kept for data-protection monitoring purposes, in accordance with Article 46(4) of Regulation (EU) 2017/2226. Provisions for avoiding the deletion of the latter logs shall be created in a way as to flag each individual log and any associated log.
Logs of data processing operations shall neither be modified nor deleted before one year after the expiration of the retention period referred to in Article 34 of Regulation (EU) 2017/2226.

2.   ACCESSING THE LOGS OF DATA PROCESSING OPERATIONS

Access to the logs kept by eu-LISA in accordance with Article 46 of Regulation (EU) 2017/2226 shall be restricted to duly authorised eu-LISA administrators of the EES, the European Data Protection Supervisor and the national supervisory authorities. Access to these logs shall likewise be traceable. This provision shall apply to logs recording access to the logs mutatis mutandis.
(1)  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (
OJ L 218, 13.8.2008, p. 60
).
Markierungen
Leseansicht