Legal provisions of COM(2009)344 - Requesting comparisons with EURODAC data by Member States' law enforcement authorities and Europol for law enforcement purposes

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2009)344 - Requesting comparisons with EURODAC data by Member States' law enforcement authorities and Europol for law enforcement ...
document COM(2009)344 EN
date July  8, 2009

Contents

CHAPTER I - GENERAL PROVISIONS

Article 1 - Subject matter and scope

This Decision lays down the conditions under which Member States' designated authorities and the European Police Office (Europol) may request the comparison of fingerprint data with those stored in the EURODAC central database for the purposes of the prevention, detection and investigation of terrorist offences and other serious criminal offences.

Article 2 - Definitions

1. For the purposes of this Decision, the following definitions shall apply:

(a) EURODAC means the database as established by Regulation (EC) No […/…] [new EURODAC];

(b) Europol means the European Police Office as established by Council Decision […/…./JHA];

(c) EURODAC data means all fingerprint data stored in the central database in accordance with Article 9 and Article 14(2) of [new EURODAC];

(d) terrorist offences means the offences under national law which correspond or are equivalent to the offences referred to in Articles 1 to 4 of Council Framework Decision 2002/475/JHA;

(e) serious criminal offences means the forms of crime which correspond or are equivalent to those referred to in Article 2(2) of Framework Decision 2002/584/JHA if they are punishable by a custodial sentence or a detention order for a maximum period of at least three years under national law;

(f) fingerprint data means the data relating to fingerprints of all or at least the index fingers, and if those are missing, the prints of all other fingers of a person, or a latent;

(g) National Access Point is the designated national system which communicates with the Central System as referred to in Article 4(2) of the [new EURODAC];

(h) Management Authority means the entity responsible for the operational management of EURODAC referred to in Article 5 of the [new EURODAC].

2. The definitions in Regulation (EC) No […/…] [new EURODAC] shall also apply.

Article 3 - Designated authorities

1. Member States shall designate the authorities which are authorised to access EURODAC data pursuant to this Decision. Designated authorities shall be authorities of the Member States which are responsible for the prevention, detection or investigation of terrorist offences and other serious criminal offences. Designated authorities shall not include agencies or units dealing especially with national security issues.

2. Every Member State shall keep a list of the designated authorities.

3. At national level, each Member State shall keep a list of the operating units within the designated authorities that are authorised to request comparisons with EURODAC data through the National Access Point.

Article 4 - Verifying authorities

1. Each Member State shall designate a single national body to act as its verifying authority. The verifying authority shall be an authority of the Member State which is responsible for the prevention, detection or investigation of terrorist offences and other serious criminal offences. Verifying authorities shall not include agencies or units dealing especially with national security issues.

2. The verifying authority shall ensure that the conditions for requesting comparisons of fingerprints with EURODAC data are fulfilled.

3. Only the verifying authority shall be authorised to forward requests for comparison of fingerprints to the National Access Point which communicates with the Central System.

Article 5 - Europol

1. Europol shall designate a specialised unit with duly empowered Europol officials to act as its verifying authority and shall designate in agreement with any Member State the National Access Point of that Member State which shall communicate its requests for comparison of fingerprint data to the Central System.

2. EUROPOL shall designate an operating unit that is authorised to request comparisons with EURODAC data through its designated National Access Point.

CHAPTER II - PROCEDURE FOR COMPARISON AND DATA TRANSMISSION

Article 6 - Procedure for comparison of fingerprint data with EURODAC data

1. The designated authorities referred to in Article 3(1) and Europol may submit a reasoned electronic request to the verifying authority for the transmission for comparison of fingerprint data to the EURODAC Central System via the National Access Point. Upon receipt of such a request, the verifying authority shall verify whether the conditions for requesting a comparison referred to in Article 7 or Article 8, as appropriate, are fulfilled.

2. Where all the conditions for requesting a comparison are fulfilled, the verifying authority shall transmit the request for comparison to the National Access Point which will process it to the EURODAC Central System for the purpose of comparison with all the EURODAC data.

3. In exceptional cases of urgency, the verifying authority may transmit the fingerprint data to the National Access Point for comparison immediately upon receipt of a request by a designated authority and only verify ex-post whether all the conditions of Article 7 or Article 8 are fulfilled, including whether an exceptional case of urgency actually existed. The ex-post verification shall take place without undue delay after the processing of the request.

4. Where the ex-post verification determines that the access was not justified, the information communicated from EURODAC shall be destroyed by all authorities which have accessed it and they shall inform the verifying authority of such destruction.

Article 7 - Conditions for access to EURODAC data by designated authorities

1. Designated authorities may request the comparison of fingerprint data with those stored in the EURODAC central database within the scope of their powers only if comparisons of national fingerprint databases and of the Automated Fingerprint Databases of other Member States under the Council Decision 2008/615/JHA return negative results and where:

(a) the comparison is necessary for the purpose of the prevention, detection or investigation of terrorist offences or other serious criminal offences;

(b) the comparison is necessary in a specific case;

(c) there are reasonable grounds to consider that such comparison with EURODAC data will substantially contribute to the prevention, detection or investigation of any of the criminal offences in question.

2. Requests for comparison with EURODAC data shall be limited to searching with fingerprint data.

Article 8 - Conditions for access to EURODAC data by Europol

1. Requests for comparison with EURODAC data by Europol shall take place within the limits of its mandate and where necessary for the performance of its tasks pursuant to the Europol Decision and for the purposes of a specific analysis or an analysis of a general nature and of a strategic type.

2. Requests for comparison with EURODAC data shall be limited to comparisons of fingerprint data.

3. Processing of information obtained by Europol from comparison with EURODAC shall be subject to the authorisation of the Member State of origin. Such authorisation shall be obtained via the Europol national unit of that Member State.

Article 9 - Communication between the verifying authorities and the National Access Points

1. EURODAC Communication Infrastructure shall be used for the data transmission by the verifying authorities of Member States and Europol to the National Access Points and vice versa . All communications shall take place electronically.

2. Fingerprints shall be digitally processed by the Member State and transmitted in the data format referred to in Annex I to the Regulation (EC) No […/…] [new EURODAC] , in order to ensure that the comparison can be carried out by means of the computerised fingerprint recognition system.

CHAPTER III - PERSONAL DATA PROTECTION

Article 10 - Protection of personal data

1. The Framework Decision 2008/977/JHA is applicable to the processing of personal data under this Decision.

2. The processing of personal data by Europol pursuant to this Decision shall be in accordance with the [Europol] Decision […/…/JHA] and the rules adopted in implementation thereof and shall be supervised by the independent joint supervisory body established by Article 34 of that Decision.

3. Personal data obtained pursuant to this Decision from EURODAC shall only be processed for the purposes of the prevention, detection and investigation of terrorist offences or of other serious criminal offences.

4. Personal data obtained by a Member State or Europol pursuant to this Decision from EURODAC shall be erased in national and Europol files after a period of one month, if the data are not required for a specific ongoing criminal investigation by that Member State, or Europol.

5. The monitoring of the lawfulness of the processing of personal data under this Decision by the Member States, including their transmission to and from EURODAC shall be carried out by the national competent authorities designated pursuant to Framework Decision 2008/977/JHA.

Article 11 - Data security

1. The Member State responsible shall ensure the security of the data during all transmissions of data under this Decision to the designated authorities and when received by them.

2. Each Member State shall, in relation to its national system, adopt the necessary measures, including a security plan, in order to:

(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b) deny unauthorised persons access to national installations in which the Member State carries out operations in accordance with the purpose of EURODAC (checks at entrance to the installation);

(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e) prevent the unauthorised processing of data in EURODAC and any unauthorised modification or deletion of data processed in EURODAC (control of data processing);

(f) ensure that persons authorised to access EURODAC have access only to the data covered by their access authorisation, by means of individual and unique user identities and confidential access modes only (data access control);

(g) ensure that all authorities with a right to request comparisons with data held in EURODAC create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make these profiles available to the National Supervisory Authorities designated under Article 25 of the Framework Decision 2008/977/JHA without delay at their request (personnel profiles);

(h) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(i) ensure that it is possible to verify and establish what data have been processed in EURODAC, when, by whom and for what purpose (control of data recording);

(j) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from EURODAC or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(k) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Decision (self-auditing).

Article 12 - Prohibition of transfers of data to third countries or to international bodies or to private parties

Personal data obtained by a Member State or Europol pursuant to this Decision from the EURODAC central database shall not be transferred or made available to any third country or international organisation or a private entity established in or outside the European Union. This prohibition shall be without prejudice to the right of Member States to transfer such data to third countries to which the Dublin Regulation applies, provided that the conditions of Article 13 of the Framework Decision 2008/977/JHA are fulfilled.

Article 13 - Logging and documentation

1. Each Member State and Europol shall ensure that all data processing operations resulting from requests for comparison with EURODAC data pursuant to this Decision are logged or documented for the purposes of checking the admissibility of the request monitoring the lawfulness of the data processing and data integrity and security and for self-monitoring.

2. The log or documentation shall show in all cases:

(a) the exact purpose of the request for comparison, including the concerned form of a terrorist offence or other serious criminal offence and for Europol, the exact purpose of the request for comparison;

(b) the respective national file reference;

(c) the date and exact time of the request for comparison by the National Access Point to the EURODAC Central System;

(d) the name of the authority having requested access for comparison, and the person responsible who has made the request and processed the data;

(e) where applicable the use of the urgent procedure referred to in Article 6(3) and the decision taken with regard to the ex-post verification;

(f) the data used for comparison;

(g) according to national rules or the rules of the Europol Decision the identifying mark of the official who carried out the search and of the official who ordered the search or supply.

3. Such logs or documentation shall be used only for the data protection monitoring of the lawfulness of data processing as well as to ensure data security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 17. The competent national supervisory authorities responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security, shall have access to these logs at their request for the purpose of fulfilling their duties.

TITLE IV - FINAL PROVISIONS

Article 14 - Costs

Each Member State and Europol shall set up and maintain at their expense, the technical infrastructure necessary to implement this Decision, and be responsible for bearing its costs resulting from requests for comparison with EURODAC data for the purposes of this Decision.

Article 15 - Penalties

Member States and Europol shall take the necessary measures to ensure that any use of EURODAC data contrary to the provisions of this Decision is punishable by penalties, including administrative and/or criminal penalties, which are effective, proportionate and dissuasive.

Article 16 - Notification of designated authorities and verifying authorities

1. By [three months after the date of entry into force of this Decision] at the latest each Member State shall notify the Commission and the General Secretariat of the Council of its designated authorities and shall notify without delay any amendment thereto.

2. By [three months after the date of entry into force of this Decision] at the latest each Member State shall notify the Commission and the General Secretariat of the Council of its verifying authority and shall notify without delay any amendment thereto.

3. By [t hree months after the date of entry into force of this Decision] at the latest Europol shall notify the Commission and the General Secretariat of the Council of its verifying authority and the National Access Point which it has designated and shall notify without delay any amendment thereto.

4. The Commission shall publish information referred to in paragraphs 1, 2 and 3 in the Official Journal of the European Union on an annual basis.

Article 17 - Monitoring and evaluation

1. Each Member State and Europol shall prepare annual reports on the effectiveness of the comparison of fingerprint data with EURODAC data, containing information and statistics on the exact purpose of the comparison, including the type of a terrorist offence or a serious criminal offence, number of requests for comparison, the number and type of cases which have ended in successful identifications and on the need and use made of the exceptional case of urgency as well as on those cases where that urgency was not accepted by the ex post verification carried out by the verifying authority. Such reports shall be transmitted to the Commission.

2. Three years after the entry into force of this Decision and every four years thereafter, the Commission shall produce an overall evaluation of this Decision. This evaluation should include an examination of the results achieved against objectives and an assessment of the continuing validity of the underlying rationale, and shall make any necessary recommendations. The Commission shall submit the evaluation report to the European Parliament and the Council.

3. The Management Authority, Member States and Europol shall provide the Commission the information necessary to draft the evaluation reports referred to in paragraph 2. This information shall not jeopardise working methods nor include information that reveals sources, staff members or investigations of the designated authorities.

Article 18 - Entry into force and date of application

1. This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

2. This Decision shall apply from the date referred to in Article 33(2) of Regulation […] [new EURODAC] .