2009/876/EC: Commission Decision of 30 November 2009 adopting technical implement... (32009D0876)
EU - Rechtsakte: 19 Area of freedom, security and justice

COMMISSION DECISION

of 30 November 2009

adopting technical implementing measures for entering the data and linking applications, for accessing the data, for amending, deleting and advance deleting of data and for keeping and accessing the records of data processing operations in the Visa Information System

(notified under document C(2009) 9402)

(Only the Bulgarian, Czech, Dutch, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish texts are authentic)

(2009/876/EC)

THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)(1), and in particular Articles 45(2)(a) to (d) thereof,
Whereas:
(1) Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS)(2) established the VIS as a system for the exchange of visa data between Member States and gave a mandate to the Commission to develop the VIS.
(2) Regulation (EC) No 767/2008 defines the purpose and the functionalities of, and the responsibilities for the VIS and establishes the conditions and procedures for the exchange of visa data between Member States to facilitate the examination of visa applications and related decisions.
(3) Article 45(2) of Regulation (EC) No 767/2008 provides that the measures necessary for the technical implementation of the central VIS, the national interfaces and the communication infrastructure between the central VIS and the national interfaces shall be adopted in accordance with the procedure referred to in Article 49(2).
(4) Commission Decision 2009/377/EC(3) lays down measures for the consultation mechanism and the procedures referred to in Article 16 of Regulation (EC) No 767/2008. Commission Decision 2009/756/EC(4) lays down specifications for the resolution and use of fingerprints for biometric identification and verification in the VIS.
(5) Pursuant to Article 45(2) of Regulation (EC) No 767/2008, measures necessary for the technical implementation of the VIS, in relation to the procedures for entering data and linking applications, for accessing data, for amending, deleting and advance deleting of data and for keeping and accessing the records of data processing operations shall be adopted.
(6) A technical concept of ownership shall be adopted to ensure that data within the VIS can solely be maintained by the visa authorities of the Member States responsible for entering the data in the VIS.
(7) The measures laid down by the present Decision for the technical implementation of the VIS should be completed by the Detailed Technical Specifications and the Interface Control Document of the VIS.
(8) In accordance with Article 2 of the Protocol on the position of Denmark, annexed to the Treaty on European Union and the Treaty establishing the European Community, Denmark did not take part in the adoption of Regulation (EC) No 767/2008 and is not bound by it nor subject to its application. However, given that Regulation (EC) No 767/2008 builds upon the Schengen
acquis
under the provisions of Title IV of Part Three of the Treaty establishing the European Community, Denmark, in accordance with Article 5 of the Protocol, notified by letter of 13 October 2008 the transposition of this
acquis
in its national law. It is therefore bound under international law to implement this Decision.
(9) In accordance with Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen
acquis
(5), the United Kingdom has not taken part in the adoption of Regulation (EC) No 767/2008 and is not bound by it or subject to its application as it constitutes a development of provisions of the Schengen
acquis
. The United Kingdom is therefore not an addressee of this Decision.
(10) In accordance with Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen
acquis
(6), Ireland has not taken part in the adoption of Regulation (EC) No 767/2008 and is not bound by it or subject to its application as it constitutes a development of provisions of the Schengen
acquis
. Ireland is therefore not an addressee of this Decision.
(11) This Decision constitutes an act building on the Schengen
acquis
or otherwise related to it within the meaning of Article 3(2) of the 2003 Act of Accession and Article 4(2) of the 2005 Act of Accession.
(12) As regards Iceland and Norway, this Decision constitutes a development of provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(7), which fall within the area referred to in Article 1, point B of Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(8).
(13) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
which fall within the area referred to in Article 1, point B of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC(9) on the conclusion of that Agreement on behalf of the European Community.
(14) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
which fall within the area referred to in Article 1, point B of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/261/EC(10) on the signature, on behalf of the European Community, and on the provisional application of certain provisions of that Protocol.
(15) The measures provided for in this Decision are in accordance with the opinion of the Committee set up by Article 51(1) of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II)(11),
HAS ADOPTED THIS DECISION:

Article 1

The measures necessary for the technical implementation of the VIS, in relation to the procedures for entering data of visa applicants and linking applications in accordance with Article 8 of the VIS Regulation, for accessing the data in accordance with Article 15 and Articles 17 to 22 of the VIS Regulation, for amending, deleting and advance deleting of data in accordance with Articles 23 to 25 of the VIS Regulation and for keeping and accessing the records of data in accordance with Article 34 of the VIS regulation shall be as set out in the Annex.

Article 2

This Decision is addressed to the Kingdom of Belgium, the Republic of Bulgaria, the Czech Republic, the Federal Republic of Germany, the Republic of Estonia, the Hellenic Republic, the Kingdom of Spain, the French Republic, the Italian Republic, the Republic of Cyprus, the Republic of Latvia, the Republic of Lithuania, the Grand Duchy of Luxembourg, the Republic of Hungary, the Republic of Malta, the Kingdom of the Netherlands, the Republic of Austria, the Republic of Poland, the Portuguese Republic, Romania, the Republic of Slovenia, the Slovak Republic, the Republic of Finland and the Kingdom of Sweden.
Done at Brussels, 30 November 2009.
For the Commission
Jacques
BARROT
Vice-President
(1)  
OJ L 218, 13.8.2008, p. 60
.
(2)  
OJ L 213, 15.6.2004, p. 5
.
(3)  
OJ L 117, 12.5.2009, p. 3
.
(4)  
OJ L 270, 15.10.2009, p. 14
.
(5)  
OJ L 131, 1.6.2000, p. 43
.
(6)  
OJ L 64, 7.3.2002, p. 20
.
(7)  
OJ L 176, 10.7.1999, p. 36
.
(8)  
OJ L 176, 10.7.1999, p. 31
.
(9)  
OJ L 53, 27.2.2008, p. 1
.
(10)  
OJ L 83, 26.3.2008, p. 3
.
(11)  
OJ L 381, 28.12.2006, p. 4
.

ANNEX

1.   

TECHNICAL CONCEPT OF OWNERSHIP

A technical concept of ownership shall apply to the relationship between the Member State responsible for entering data in the VIS and these data.
The ownership shall be implemented by attaching the responsible Member State’s identification to the data entered in the visa application file.
The ownership of a visa application and of related decisions taken by visa authorities shall be registered in the VIS upon the creation of the application file or the entering of the related decision in the VIS and cannot be changed subsequently.

2.   

ENTERING THE DATA AND LINKING APPLICATIONS

2.1.   

Entering data upon the application

In cases where an application is lodged with the authority of a Member State representing another Member State, the entry of data into the VIS and the subsequent communication regarding that application file shall include the represented Member State identification, which shall be stored as an attribute ‘represented User’, taken from the same code table as the Member State entering the data in the VIS.
All application files linked pursuant to Article 8(4) of the VIS Regulation shall have the ownership of the same Member State.
When a Member State copies fingerprints from an application file registered in the VIS, it shall have ownership of the new application file into which fingerprints are copied.

2.2.   

Entering data after lodging the application

In cases where decisions to issue a visa, to discontinue the examination of the application, to refuse a visa, to annul or revoke or shorten the validity period or to extend a visa in accordance with Articles 10 to 14 of the VIS Regulation, are taken by a Member State representing another Member State, the communication for data-entering in the VIS shall include the represented Member State’s identification, taken from the same code table as the Member State entering the data in the VIS.
Decisions to issue a visa, to extend a visa with a new visa sticker and to shorten the validity period of a visa with a new visa sticker shall be entered in the VIS with the visa sticker data and with the same ownership.
The number of the visa sticker entered in the VIS according to Article 10(1)(e) of the VIS Regulation shall be, compliant with the provisions of Council Regulation (EC) No 856/2008(1), a combination of a 9-digit national number of the visa sticker and the 3-letter identification code for the issuing Member State(2) and include any preceding zeros up to the nine digits of the national number of the visa sticker.

2.3.   

Linking applications

2.3.1.   Linking applications if a previous application has been registered

Only the Member State having ownership of an application file shall be allowed to link it with other application file(s) of the same applicant or, for the purposes of correction, remove the linkage, in accordance with Article 8(3) of the VIS Regulation.
The fingerprints of an applicant shall only be copied, within the 59 months time frame, from his/her linked files. In case the fingerprint data of an application are copied from a previous application file not older than 59 months, the linkage between the application files shall not be removed.

2.3.2.   Linking applications of persons travelling together

In order to link application files of persons travelling together, in accordance with Article 8(4) of the VIS Regulation, the application numbers shall be transmitted to the VIS together with the appropriate type of group value, which shall be either family or travellers. Creation of a group or, for the purposes of correction, removal of the linkage between the individual group members, can only be performed by the Member State having the ownership of the application file(s) of the individual applicants within the group.

2.4.   

Procedures when particular data are not required to be provided for legal reasons or factually cannot be provided

In accordance with Article 8(5) of the VIS Regulation the entry ‘not applicable’ shall be entered into textual fields manually or, when available, by selecting the value from a code table. If the data field consists of more than one element, such an entry shall be used for each of them.
In case fingerprints are not required or cannot be provided, in accordance with Article 8(5) of the VIS Regulation, two Boolean fields shall be implemented in the VIS:
— ‘fingerprintsNotRequired’,
— ‘fingerprintsNotApplicable’,
These fields shall be set according to the table below indicating three possible situations:
— the fingerprints are required to be provided,
— the fingerprints are not required to be provided for legal reasons,
— the fingerprints cannot factually be provided.

Field in the VIS

Fingerprints are required to be provided

Fingerprints are not required to be provided for legal reasons

Fingerprints cannot be factually provided

‘fingerprintsNotRequired’

FALSE

TRUE

FALSE

‘fingerprintsNotApplicable’

FALSE

TRUE

TRUE

In addition, the appropriate free text field ‘ReasonForFingerprintNotApplicable’ shall contain the actual reason.
When a Member State transmits only data referred to in Article 5(1)(a) and (b) of the VIS Regulation, pursuant to Article 48(3), the absence of data referred to in Article 5(1)(c) shall be indicated by entering the remark ‘not applicable’, complemented by a reference to Article 48(3) of the VIS regulation in the free text field indicating that the data are not required to be provided for legal reasons. The relevant fields shall be set up as ‘FingerprintsNotRequired’ TRUE and ‘FingerprintsNotApplicable’ TRUE.

3.   

ACCESSING THE DATA

The date of an asylum application shall be used in connection with searches and retrievals of data for the purposes referred to in Article 21(2) of the VIS Regulation. In addition, retrieval of applications, which have been linked together in accordance with Article 8(4) of the VIS Regulation, shall be possible only for family type groups (spouse and/or children) referred to in section 2.3.2.

4.   

AMENDING, DELETING AND ADVANCE DELETING OF DATA PURSUANT TO ARTICLE 24 OF THE VIS REGULATION

The following data registered in the VIS cannot be modified:
— the application number,
— the visa sticker number,
— the type of the decision,
— the represented Member State (if applicable),
— the Member State responsible for entering the data in the VIS.
If the above-mentioned data have to be corrected, the application file or the data relating to decisions taken by visa authorities shall be deleted and a new one shall be created. Only the Member State having the ownership of the data contained in the application file shall be able to delete it.

5.   

KEEPING AND ACCESSING RECORDS OF DATA PROCESSING OPERATIONS

5.1.   

Keeping the records of data processing operations

Each data processing operation within the VIS shall be recorded as a log entry with a field ‘TypeOfAction’ including the purpose of access in accordance with Article 34(1) of the VIS Regulation.
The log entry shall be recorded with the timestamp of the moment it was received. This timestamp shall later be used to identify the log entries to be deleted.
For all data processing operations, the authority entering or retrieving the data shall be stored in the log entry. The user and the central VIS shall be specified in the log entry either as a sender or as a recipient.
No other operational data than the authority entering or retrieving the data and the visa application number shall be included in the log entry. The type of data transmitted or used for interrogation referred to in Article 34(1) of the VIS Regulation shall be stored.
When records referred in Article 34(2) of the VIS Regulation, having the field ‘TypeOfAction’ set to either ‘Delete Application’ or ‘Automatic Deletion’ are found by the VIS, it shall calculate that one year has passed since the expiration of the retention period referred to in Article 23(1) of the VIS Regulation and then proceed to the deletion. All records of data processing operations having the same application number shall be deleted simultaneously, if not required for data-protection monitoring purposes, in accordance with Article 34(2) of the VIS Regulation.
Records of data processing operations shall neither be modified nor deleted before one year after the expiration of the retention period referred to in Article 23(1) of the VIS Regulation.

5.2.   

Accessing the records of data processing operations

Access to the records (logs) kept by the Management Authority in accordance with Article 34(1) of the VIS Regulation shall be restricted to duly authorised administrators of the VIS and the European Data Protection Supervisor. This provision shall apply to records of access to the records
mutatis mutandis
.
(1)  
OJ L 235, 2.9.2008, p. 1
.
(2)  Exception for Germany: The country code for Germany is ‘D’.
Markierungen
Leseansicht