Legal provisions of COM(2013)95 - Entry/Exit System (EES) to register entry and exit data of third country nationals crossing the external borders of the Member States of the EU

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2013)95 - Entry/Exit System (EES) to register entry and exit data of third country nationals crossing the external borders of the ...
document COM(2013)95 EN
date February 28, 2013

Contents

CHAPTER 1 - General Provisions

Article 1 - Subject matter

A system referred to as the Entry/Exit System (EES) is hereby established for the recording and storage of information on the time and place of entry and exit of third country nationals crossing the external borders and admitted for a short stay in the territory of the Member States, for the calculation of the duration of their stay, and for the generation of alerts to Member States when authorised periods for stay have expired.

Article 2 - Set-up of the EES

1. The EES shall have the structure determined in Article 6.

2. The Agency for the operational management of large-scale information systems in the area of freedom, security and justice (hereinafter the Agency) is hereby entrusted with the tasks of development and operational management of the EES, including the functionalities for processing biometric data referred to in Article 12.

Article 3 - Scope

1. This Regulation shall apply to any third country national admitted for a short stay in the territory of the Member States subject to border checks in accordance with the Schengen Borders Code when crossing the external borders of the Member States.

2. This Regulation shall not apply to the crossing of external borders by:

(a)     members of the family of a Union citizen to whom Directive 2004/38/EC applies who hold a residence card referred to in that Directive;

(b)     members of the family of nationals of third countries enjoying the right of free movement under Union law who hold a residence card referred to in Directive 2004/38/EC;

This Regulation shall not apply to family members mentioned in points (a) and (b) even if they are not accompanying or joining the Union citizen or a third-country national enjoying the right of free movement;

(c)     holders of residence permits referred to in Article 2 (15) of the Schengen Borders Code;

(d)     nationals of Andorra, Monaco and San Marino.

Article 4 - Purpose

The EES shall have the purpose of improving the management of the external borders and the fight against irregular immigration, the implementation of the integrated border management policy, the cooperation and consultation between border and immigration authorities by providing access by Member States to the information of the time and place of the entry and exit of third country nationals at the external borders and facilitating decisions relating thereto, in order:

– to enhance checks at external border crossing points and combat irregular immigration;

– to calculate and monitor the calculation of the duration of the authorised stay of third-country nationals admitted for a short stay;

– to assist in the identification of any person who may not, or may no longer, fulfil the conditions for entry to, or stay on the territory of the Member States;

– to enable national authorities of the Member States to identify overstayers and take appropriate measures;

– to gather statistics on the entries and exits of third country nationals for the purpose of analysis.

Article 5 - Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) ‘external borders' means external borders as defined in Article 2(2) of the Schengen Borders Code;

(2) border authorities means the competent authorities assigned, in accordance with national law, to carry out checks on persons at the external border crossing points in accordance with the Schengen Borders Code;

(3) ‘immigration authorities’ means the competent authorities assigned, in accordance with national law, to examine the conditions and take decisions related to the stay of third country nationals on the territory of the Member States;

(4) visa authorities means the authorities which are responsible in each Member State for examining and for taking decisions on visa applications or for decisions whether to annul, revoke or extend visas, including the central visa authorities and the authorities responsible for issuing visas at the border in accordance with the Visa Code;

(5) 'third‑country national' means any person who is not a citizen of the Union within the meaning of Article 20 of the Treaty, with the exception of persons who under agreements between the Union or the Union and its Member States, on the one hand, and third countries, on the other, enjoy rights of free movement equivalent to those of Union citizens;

(6) ‘travel document’ means a passport or other equivalent document, entitling the holder to cross the external borders and to which a visa may be affixed;

(7) short stay means stays in the territory of the Member States of a duration of no more than 90 days in any 180 days period;

(8) 'Member State responsible’ means the Member State which has entered the data in the EES;

(9) 'verification’ means the process of comparison of sets of data to establish the validity of a claimed identity (one-to-one check);

(10) 'identification’ means the process of determining a person’s identity through a database search against multiple sets of data (one-to-many check);

(11) 'alphanumeric data’ means data represented by letters, digits, special characters, space and punctuation marks;

(12) biometric data means fingerprints;

(13) ‘overstayer’ means a third country national who does not fulfil, or no longer fulfils the conditions relating to the duration of a short stay on the territory of the Member States;

(14) Agency means the agency established by Regulation (EU) No 1077/2011;

(15) Frontex means the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union established by Regulation (EC) No 2007/2004;

(16) supervisory authority means the supervisory authority established in accordance with Article 28 of Directive 95/46/EC;

(17) operational management means all the tasks necessary to keep large-scale IT systems functioning, including responsibility for the communication infrastructure used by them;

(18) development means all the tasks necessary to create a large-scale IT system, including the communication infrastructure used by it.

Article 6 - Technical architecture of the EES

The EES shall be composed of:

(a) a Central System comprising a Central Unit and a Back-up Central Unit, capable of ensuring all the functionalities of the Central Unit in the event of the failure of the system;

(b) a National System comprising the required hardware, software and national communication infrastructure to connect the end user devices of the competent authorities as defined in Article 7(2) with the Network Entry Points in each Member State;

(c) a Uniform Interface in each Member State based on common technical specifications and identical for all Member States;

(d) the Network Entry Points, which are part of the Uniform Interface and are the national points of access connecting the National System of each Member State to the Central System and

(e) the Communication Infrastructure between the Central System and the Network Entry Points.

Article 7 - Access for entering, amending, deleting and consulting data

1. In accordance with Article 4, access to the EES for entering, amending, deleting and consulting the data referred to in Articles 11 and 12 in accordance with this Regulation shall be reserved exclusively to duly authorised staff of the authorities of each Member State which are competent for the purposes laid down in Articles 15 to 22, limited to the extent needed for the performance of the tasks in accordance with this purpose, and proportionate to the objectives pursued.

2. Each Member State shall designate the competent authorities, including border, visa and immigration authorities, the duly authorised staff of which shall have access to enter, amend, delete or consult data in the EES. Each Member State shall without delay communicate to the Agency a list of these authorities. That list shall specify for which purpose each authority may have access to the data in the EES.

Within three months after the EES has become operational in accordance with Article 41, the Agency shall publish a consolidated list in the Official Journal of the European Union. Where there are amendments thereto, the Agency shall publish once a year an updated consolidated list.

Article 8 - General principles

1. Each competent authority authorised to access the EES in accordance with this Regulation shall ensure that the use of the EES is necessary, appropriate and proportionate to the performance of tasks of the competent authorities.

2. Each competent authority shall ensure that in using the EES, it does not discriminate against third country nationals on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation and that it fully respects the human dignity and the integrity of the person.

Article 9 - Automated calculator

The EES shall incorporate an automated mechanism that indicates the maximum authorised duration of stay in accordance with Article 5(1) of the Schengen Borders Code for each third-country national registered in the EES.

The automated calculator shall:

(a)          inform the competent authorities and the third-country national of the authorised length of stay on border entry;

(b)          identify third country nationals upon exit who have overstayed.

Article 10 - Information mechanism

1. The EES shall include a mechanism that shall automatically identify which entry/exit records do not have exit data immediately following the date of expiry of the authorised length of stay and identify records for which the maximum stay allowance has been exceeded.

2. A list, generated by the system, containing the data referred to in Article 11 of all identified overstayers shall be available to the designated competent national authorities.

CHAPTER II  Entry and use of data by border authorities

Article 11 - Personal data for visa holders

1. In the absence of a previous registration of a third country national in the EES where a decision to authorise the entry of a visa holder has been taken in accordance with the Schengen Borders Code, the border authority shall create the individual file of the person by entering the following data:

(a)          surname (family name), surname at birth (earlier family name(s)), first name(s) (given names); date of birth, place of birth, country of birth, nationality or nationalities and sex;

(b)          type and number of the travel document or documents, the authority which issued it or them and the date of issue;

(c)          three letter code of the issuing country, and the the date of expiry of the validity of the travel document(s);

(d)          the visa sticker number, including the three letter code of the issuing Member State, and the date of expiry of the validity of the visa, if applicable;

(e)          at the first entry on the basis of the visa, the number of entries and the authorised period of stay as indicated on the visa sticker;

(f)           if applicable, information that the person has been granted access to the Registered Traveller Programme in accordance with Regulation COM(2013)97 final, the unique identifier number and status of participation.

2. On each entry of that person the following data shall be entered in an entry/exit record, which shall be linked to the individual file of that person using the individual reference number created by the EES upon creation of that file:

(a)          date and time of the entry;

(b)          Member State of entry, the border crossing point and authority that authorised the entry;

(c)          the calculation of the number of days of the authorised stay(s) and the date of the last day of authorised stay.

3. On exit the following data shall be entered in the entry/exit record linked to the individual file of that person:

(a)          date and time of the exit;

(b)          the Member State and the border crossing point of the exit.

Article 12 - Personal data for third country nationals exempt from the visa obligation

1. In the absence of a previous registration of a third country national in the EES where a decision has been taken to authorise the entry in accordance with the Schengen Borders Code of a national of a third country exempt from the visa obligation, the border authority shall create an individual file and enter ten fingerprints in the individual file of that person, in addition to the data referred to in Article 11, with the exception of the information referred to in Article 11 paragraph 1(d) and(e).

2. Children under the age of 12 shall be exempt from the requirement to give fingerprints for legal reasons.

3. Persons for whom fingerprinting is physically impossible shall be exempt from the requirement to give fingerprints for factual reasons.

However, should the impossibility be of a temporary nature, the person shall be required to give the fingerprints at the following entry. The border authorities shall be entitled to request further clarification on the grounds for the temporary impossibility to provide fingerprints.

Member States shall ensure that appropriate procedures guaranteeing the dignity of the person are in place in the event of encountered difficulties with capturing fingerprints.

4. Where the person concerned is exempt from the requirement to give fingerprints for legal or factual reasons pursuant to paragraphs 2 or 3, the specific data field shall be marked as ‘not applicable’. The system shall permit a distinction to be made between the cases where fingerprints are not required to be provided for legal reasons and the cases where they cannot be provided for factual reasons.

5. For a period of three years after the EES has started operation only the alphanumeric data referred to in paragraph 1 shall be recorded.

Article 13 - Procedures for entering data at border crossing points where a previous file has been registered

If a previous file has been registered, the border authority shall, if necessary, update the file data, enter an entry/exit record for each entry and exit in accordance with Articles 11 and 12 and link that record to the individual file of the person concerned.

Article 14 - Data to be added where an authorisation to stay is revoked or extended

1. Where a decision has been taken to revoke an authorisation to stay or to extend the duration of the authorised stay, the competent authority that has taken the decision shall add the following data to the entry/exit record:

(a)          the status information indicating that the authorisation to stay has been revoked or that the duration of the authorised stay has been extended;

(b)          the authority that revoked the authorisation to stay or extended the duration of the authorised stay;

(c)          the place and date of the decision to revoke the authorisation to stay or to extend the duration of the authorised stay;

(d)          the new expiry date of the authorisation to stay.

2. The entry/exit record shall indicate the ground(s) for revocation of the authorisation to stay, which shall be:

(a)          the grounds on which the person is being expelled;

(b)          any other decision taken by the competent authorities of the Member State, in accordance with national legislation, resulting in the removal or departure of the third country national who does not fulfil or no longer fulfils the conditions for the entry to or stay in the territory of the Member States.

3. The entry/exit record shall indicate the grounds for extending the duration of an authorised stay.

4. When a person has departed or been removed from the territories of the Member States pursuant to a decision, as referred to in paragraph 2(b), the competent authority shall enter the data in accordance with Article 13 in the entry/exit record of that specific entry.

Article 15 - Use of data for verification at the external borders

1. Border authorities shall have access to the EES for consulting the data to the extent the data is required for the performance of border control tasks.

2. For the purposes referred to in paragraph 1, the border authorities shall have access to search with the data referred to in Article 11(1)(a) in combination with some or all of the following data:

– the data referred to in Article 11(1)(b);

– the data referred to in Article 11(1)(c);

– the visa sticker number referred to in Article 11(1)(d);

– the data referred to in Article 11(2)(a);

– the Member State and border crossing point of entry or exit;

– the data referred to in Article 12.

CHAPTER III - Entry of data and use of the EES by other authorities

Article 16 - Use of the EES for examining and deciding on visa applications

1. Visa authorities shall consult the EES for the purposes of the examination of visa applications and decisions relating to those applications, including decisions to annul, revoke or extend the period of validity of an issued visa in accordance with the relevant provisions of the Visa Code.

2. For the purposes referred to in paragraph 1, the visa authority shall be given access to search with one or several of the following data:

(a)          the data referred to in Article 11(1)(a), (b) and (c);

(b)          the visa sticker number, including the three letter code of the issuing Member State referred to in Article 11(1)(d);         

(c)          the data referred to in Article 12.

3. If the search with the data listed in paragraph 2 indicates that data on the third country national are recorded in the EES, visa authorities shall be given access to consult the data of the individual file of that person and the entry/exit records linked to it solely for the purposes referred to in paragraph 1.

Article 17 - Use of the EES for examining applications for access to the RTP

1. The competent authorities refered to in Article 4 of Regulation COM(2013)97 final shall consult the EES for the purposes of the examination of RTP applications and decisions relating to those applications, including decisions to refuse, revoke or extend the period of validity of access to the RTP in accordance with the relevant provisions of that Regulation.

2. For the purposes referred to in paragraph 1, the competent authority shall be given access to search with one or several of the data referred to in Article 11(1)(a), (b) and (c).

3. If the search with the data listed in paragraph 2 indicates that data on the third country national are recorded in the EES, the competent authority shall be given access to consult the data of the individual file of that person and the entry/exit records linked to it solely for the purposes referred to in paragraph 1.

Article 18 - Access to data for verification within the territory of the Member States

1. For the purpose of verifying the identity of the third country national and/or whether the conditions for entry to or stay on the territory of the Member States are fulfilled, the competent authorities of the Member States, shall have access to search with the data referred to in Article 11(1)(a), (b) and (c), in combination with fingerprints refered to in Article 12.

2. If the search with the data listed in paragraph 1 indicates that data on the third country national is recorded in the EES, the competent authority shall be given access to consult the data of the individual file of that person and the entry/exit record(s) linked to it solely for the purposes referred to in paragraph 1.

Article 19 - Access to data for identification

1. Solely for the purpose of the identification of any person who may not, or may no longer, fulfil the conditions for entry to, stay or residence on the territory of the Member States, the authorities competent for carrying out checks at external border crossing points in accordance with the Schengen Borders Code or within the territory of the Member States as to whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, shall have access to search with the fingerprints of that person.

2. If the search with the data listed in paragraph 1 indicates that data on the person are recorded in the EES, the competent authority shall be given access to consult the data of the individual file and the linked entry/exit records), solely for the purposes referred to in paragraph 1.

CHAPTER IV - Retention and amendment of the data

Article 20 -  Retention period for data storage

1. Each entry/exit record shall be stored for a maximum of 181 days.

2. Each individual file together with the linked entry/exit record(s) shall be stored in the EES for a maximum of 91 days after the last exit record, if there is no entry record within 90 days following that last exit record.

3. By way of derogation from paragraph 1, if there is no exit record following the date of expiry of the authorised period of stay, the data shall be stored for a maximum period of five years following the last day of the authorised stay.

Article 21 - Amendment of data

1. The competent authorities of the Member States designated in accordance with Article 7 shall have the right to amend data which has been introduced into the EES, by correcting or deleting such data in accordance with this Regulation.

2            The information on persons referred to in Article 10(2) shall be deleted without delay where the third-country national provides evidence in accordance with the national law of the Member State responsible, that he or she was forced to exceed the authorised duration of stay due to unforeseeable and serious event, that he or she has acquired a legal right to stay or in case of errors. The third-country national shall have access to an effective judicial remedy to ensure the data is amended.

Article 22 - Advance data deletion

Where, before expiry of the period referred to in Article 20, a third country national has acquired the nationality of a Member State, or has fallen under the derogation of Article 3(2), the individual file and the records linked to it in accordance with Articles 11 and 12, shall be deleted without delay from the EES by the Member State the nationality of which he or she has acquired or the Member State that issued the residence card. The individual shall have access to an effective judicial remedy to ensure the data is deleted.

CHAPTER V - Development, Operation and Responsibilities

Article 23 - Adoption of implementation measures by the Commission prior to development

              The Commission shall adopt the following measures necessary for the development and technical implementation of the Central System, the Uniform Interfaces, and the Communication Infrastructure including specifications with regard to:

(a) the specifications for the resolution and use of fingerprints for biometric verification in the EES;

(b) the design of the physical architecture of the system including its communication infrastructure;

(c) entering the data in accordance with Article 11 and 12;

(d) accessing the data in accordance with Articles 15 to 19;

(e) keeping, amending, deleting and advance deleting of data in accordance with Articles 21 and 22;

(f) keeping and accessing the records in accordance with Article 30;

(g) performance requirements.

Those implementing acts shall be adopted in accordance with the procedure referred to in Article 42.

The technical specifications and their evolution as regards the Central Unit, the Back-up Central Unit, the Uniform Interfaces, and the Communication Infrastructure shall be defined by the Agency after receiving a favorable opinion of the Commission.

Article 24 - Development and operational management

1. The Agency shall be responsible for the development of the Central Unit, the Back-Up Central Unit, the Uniform Interfaces including the Network Entry Points and the Communication Infrastructure.

The Central Unit, the Back-up Central Unit, the Uniform Interfaces, and the Communication Infrastructure shall be developed and implemented by the Agency as soon as possible after entry into force of this Regulation and adoption by the Commission of the measures provided for in Article 23(1).

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

2. The Agency shall be responsible for the operational management of the Central Unit, the Back-Up Central Unit, and the Uniform Interfaces. It shall ensure, in cooperation with the Member States at all times the best available technology, subject to a cost-benefit analysis.

The Agency shall also be responsible for the operational management of the Communication Infrastructure between the Central system and the Network Entry Points.

Operational management of the EES shall consist of all the tasks necessary to keep the EES functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality, in particular as regards the time required for interrogation of the central database by border crossing points, which should be as short as possible.

3. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, the Agency shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with EES data. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 25 - National Responsibilities

1. Each Member State shall be responsible for:

(a)          the development of the National System and the connection to the EES;

(b)          the organisation, management, operation and maintenance of its National System; and

(c)          the management and arrangements for access of duly authorised staff of the competent national authorities to the EES in accordance with this Regulation and to establish and regularly update a list of such staff and their profiles.

2. Each Member State shall designate a national authority, which shall provide the access of the competent authorities referred to in Article 7 to the EES, and connect that national authority to the Network Entry Point.

3. Each Member State shall observe automated procedures for processing the data.

4. Before being authorised to process data stored in the EES, the staff of the authorities having a right to access the EES shall be given appropriate training about data security and data protection rules.

5. Costs incurred by the National System as well as by hosting the National Interface shall be borne by the Union budget.

Article 26 - Responsibility for the use of data

1. Each Member State shall ensure that the data recorded in the EES is processed lawfully, and in particular that only duly authorised staff have access to the data for the performance of their tasks in accordance with Articles 15 to 19 of this Regulation. The Member State responsible shall ensure in particular that:

(a)          the data is collected lawfully;

(b)          the data is registered lawfully into the EES;

(c)          the data is accurate and up-to-date when it is transmitted to the EES.

2. The Agency shall ensure that the EES is operated in accordance with this Regulation and the implementing acts referred to in Article 23. In particular, the Agency shall:

(a)          take the necessary measures to ensure the security of the Central System and the communication infrastructure between the Central System and the Network Entry Points, without prejudice to the responsibilities of each Member State;

(b)          ensure that only duly authorised staff has access to data processed in the EES for the performance of the tasks of the Agency in accordance with this Regulation.

3. The Agency shall inform the European Parliament, the Council and the Commission of the measures it takes pursuant to paragraph 2 for the start of operations of the EES.

Article 27 - Communication of data to third countries, international organisations and private parties

1. Data stored in the EES shall not be transferred or made available to a third country, to an international organisation or any private party.

2. By way of derogation from paragraph 1, the data referred to in Article 11(1)(a), (b) and (c) and Article 12 (1) may be transferred or made available to a third country or to an international organisation listed in the Annex if necessary in individual cases for the purpose of proving the identity of third-country nationals, including for the purpose of return, only where the following conditions are satisfied:

(a)          the Commission has adopted a decision on the adequate protection of personal data in that third country in accordance with Article 25(6) of Directive 95/46/EC, or a readmission agreement is in force between the Community and that third country, or Article 26(1)(d) of Directive 95/46/EC applies;

(b)          the third country or international organisation agrees to use the data only for the purpose for which they were provided;

(c)          the data are transferred or made available in accordance with the relevant provisions of Union law, in particular readmission agreements, and the national law of the Member State which transferred or made the data available, including the legal provisions relevant to data security and data protection; and

(d)          the Member State which entered the data in the EES has given its consent.

3. Transfers of personal data to third countries or international organisations pursuant to paragraph 2 shall not prejudice the rights of refugees and persons requesting international protection, in particular as regards non-refoulement.

Article 28 - Data security

1. The Member State responsible shall ensure the security of the data before and during the transmission to the Network Entry Point. Each Member State shall ensure the security of the data it receives from the EES.

2. Each Member State shall, in relation to its National System, adopt the necessary measures, including a security plan, in order to:

(a)          physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)          deny unauthorised persons access to national installations in which the Member State carries out operations in accordance with the purposes of the EES (checks at entrance to the installation);

(c)          prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)          prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)          prevent the unauthorised processing of data in the EES and any unauthorised modification or deletion of data processed in the EES (control of data entry);

(f)           ensure that persons authorised to access the EES have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only (data access control);

(g)          ensure that all authorities with a right of access to the EES create profiles describing the functions and responsibilities of persons who are authorised to enter, amend, delete, consult and search the data and make their profiles available to the supervisory authorities without delay at their request (personnel profiles);

(h)          ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(i)           ensure that it is possible to verify and establish what data has been processed in the EES, when, by whom and for what purpose (control of data recording);

(j)           prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the EES or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(k)          monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing).

3. The Agency shall take the necessary measures in order to achieve the objectives set out in paragraph 2 as regards the operation of the EES, including the adoption of a security plan.

Article 29 - Liability

1. Any person who, or Member State which, has suffered damage as a result of an unlawful processing operation or any act incompatible with this Regulation shall be entitled to receive compensation from the Member State which is responsible for the damage suffered. That State shall be exempted from its liability, in whole or in part, if it proves that it is not responsible for the event giving rise to the damage.

2. If any failure of a Member State to comply with its obligations under this Regulation causes damage to the EES, that Member State shall be held liable for such damage, unless and insofar as the Agency or another Member State participating in EES failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.

Article 30 - Keeping of records

1. Each Member State and the Agency shall keep records of all data processing operations within the EES. These records shall show the purpose of access referred to in Article 7, the date and time, the type of data transmitted as referred to in Article 11 to 14, the type of data used for interrogation as referred to in Articles 15 to 19 and the name of the authority entering or retrieving the data. In addition, each Member State shall keep records of the staff duly authorised to put in or retrieve the data.

2. Such records may be used only for the data protection monitoring of the admissibility of data processing as well as to ensure data security. The records shall be protected by appropriate measures against unauthorised access and deleted after a period of one year after the retention period referred to in Article 20 has been expired, if they are not required for monitoring procedures which have already begun.

Article 31 - Self-monitoring

Member States shall ensure that each authority entitled to access EES data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.

Article 32 - Penalties

Member States shall take the necessary measures to ensure that any misuse of data entered in the EES is punishable by penalties, including administrative and/or criminal penalties in accordance with national law, that are effective, proportionate and dissuasive.

CHAPTER VI - Rights and supervision on data protection

Article 33 - Right of information

1. Persons whose data are recorded in the EES shall be informed of the following by the Member State responsible:

(a)          the identity of the controller referred to in Article 37(4);

(b)          the purposes for which the data will be processed within the EES;

(c)          the categories of recipients of the data;

(d)          the data retention period;

(e)          that the collection of the data is mandatory for the examination of entry conditions;

(f)           the existence of the right of access to data relating to them, the right to request that inaccurate data relating to them be corrected or that unlawfully processed data relating to them be deleted, including the right to receive information on the procedures for exercising those rights and contact details of the national supervisory authorities, or of the European Data Protection Supervisor if applicable, which shall hear claims concerning the protection of personal data.

2. The information referred to in paragraph 1 shall be provided in writing.

Article 34 - Right of access, correction and deletion

1. Without prejudice to the obligation to provide other information in accordance with Article 12(a) of Directive 95/46/EC, any person shall have the right to obtain communication of the data relating to him or her recorded in the EES and of the Member State which transmitted it to the EES. Such access to data may be granted only by a Member State. Each Member State shall record any requests for such access.

2. Any person may request that data relating to him or her which is inaccurate be corrected and that data recorded unlawfully be deleted. The correction and deletion shall be carried out without delay by the Member State responsible, in accordance with its laws, regulations and procedures.

3. If the request as provided for in paragraph 2 is made to a Member State, other than the Member State responsible, the authorities of the Member State to which the request has been lodged shall contact the authorities of the Member State responsible within a time limit of 14 days. The Member State responsible shall check the accuracy of the data and the lawfulness of its processing in the EES within a time limit of one month.

4. In the event that data recorded in the EES are inaccurate or have been recorded unlawfully, the Member State responsible shall correct or delete the data in accordance with Article 21. The Member State responsible shall confirm in writing to the person concerned without delay that it has taken action to correct or delete data relating to him.

5. If the Member State responsible does not agree that data recorded in the EES is inaccurate or has been recorded unlawfully, it shall explain in writing to the person concerned without delay why it is not prepared to correct or delete data relating to him.

6. The Member State responsible shall also provide the person concerned with information explaining the steps which he can take if he does not accept the explanation provided. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the supervisory authorities that is available in accordance with the laws, regulations and procedures of that Member State.

Article 35 - Cooperation to ensure the rights on data protection

1. The Member States shall cooperate actively to enforce the rights laid down in Article 34.

2. In each Member State, the supervisory authority shall, upon request, assist and advise the person concerned in exercising his/her right to correct or delete data relating to him/her in accordance with Article 28(4) of Directive 95/46/EC.

3. The supervisory authority of the Member State responsible which transmitted the data and the supervisory authorities of the Member States to which the request has been lodged shall cooperate to this end.

Article 36 - Remedies

1. In each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to or the right of correction or deletion of data relating to him, provided for in Article 35.

2. The assistance of the supervisory authorities shall remain available throughout the proceedings.

Article 37 - Supervision by the supervisory authority

1. The supervisory authority shall monitor the lawfulness of the processing of personal data, referred to in Articles 11 to 14 by the Member State in question, including their transmission to and from the EES.

2. The supervisory authority shall ensure that an audit of the data processing operations in the National System is carried out in accordance with relevant international auditing standards at least every four years.

3. Member States shall ensure that their supervisory authority has sufficient resources to fulfil the tasks entrusted to it under this Regulation.

4. In relation to the processing of personal data in the EES, each Member State shall designate the authority which is to be considered as controller in accordance with Article 2(d) of Directive 95/46/EC and which shall have central responsibility for the processing of data by this Member State. Each Member State shall communicate this authority to the Commission.

5. Each Member State shall supply any information requested by the supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Article 28 and grant them access to their records as referred to in Article 30 and allow them access at all times to all their premises.

Article 38 - Supervision by the European Data Protection Supervisor

1. The European Data Protection Supervisor shall check that the personal data processing activities of the Agency are carried out in accordance with this Regulation. The duties and powers referred to in Articles 46 and 47 of Regulation (EC) No 45/2001 shall apply accordingly.

2. The European Data Protection Supervisor shall ensure that an audit of the Agency's personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of such audit shall be sent to the European Parliament, the Council, the Agency, the Commission and the supervisory authorities. The Agency shall be given an opportunity to make comments before the report is adopted.

3. The Agency shall supply information requested by the European Data Protection Supervisor, give him/her access to all documents and to its records referred to in Article 30 and allow him/her access to all its premises, at any time.

Article 39 - Cooperation between supervisory authorities and the European Data Protection Supervisor

1. The supervisory authorities and the European Data Protection Supervisor, each acting within the scope of their respective competences, shall actively cooperate within the framework of their responsibilities and shall ensure coordinated supervision of the EES and the National Systems.

2. They shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties over the interpretation or application of this Regulation, study problems with the exercise of independent supervision or with the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3. The supervisory authorities and the European Data Protection Supervisor shall meet for that purpose at least twice a year. The costs of these meetings shall be borne by the European Data Protection Supervisor. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4. A joint report of activities shall be sent to the European Parliament, the Council, the Commission and the Agency every two years. This report shall include a chapter of each Member State prepared by the supervisory authority of that Member State.

CHAPTER VII - Final provisions

Article 40 - Use of data for reporting and statistics

1. The duly authorised staff of the competent authorities of Member States, of the Agency and of Frontex shall have access to consult the following data, solely for the purposes of reporting and statistics without allowing individual identification:

(a)          status information;

(b)          nationality of the third country national;

(c)          Member State, date and border crossing point of the entry and Member State, date and border crossing point of the exit;

(d)          the type of the travel document;

(e)          number of overstayers referred to in Article 10;

(f)           the data entered in respect of any stay revoked or whose validity is extended;

(g)          the authority that issued the visa, if applicable;

(h)          the number of persons exempt from the requirement to give fingerprints pursuant to Article 12(2) and (3).

Article 41 - Start of operations

1. The Commission shall determine the date from which the EES is to start operations, after the following conditions are met:

(a)          the measures referred to in Article 23 have been adopted;

(b)          the Agency has declared the successful completion of a comprehensive test of the EES, which shall be conducted by the Agency in cooperation with the Member States, and;

(c)          the Member States have validated the technical and legal arrangements to collect and transmit the data referred to in Articles 11 to 14 to the EES and have notified them to the Commission.

2. The Commission shall inform the European Parliament of the results of the test carried out pursuant to paragraph 1(b).

3. The Commission decision referred to in paragraph 1 shall be published in the Official Journal.

Article 42 - Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 43 - Notifications

1. Member States shall notify the Commission of:

(a)          the authority which is to be considered as controller referred to in Article 37;

(b)          the necessary technical and legal arrangements referred to in Article 41.

2. Member States shall notify the Agency of the competent authorities which have access to enter, amend, delete, consult or search data, referred to in Article 7.

3. The Agency shall notify the Commission of the successful completion of the test referred to in Article 41 paragraph 1 (b).

The Commission shall make the information notified pursuant to paragraph 1(a) available to the Member States and the public via a constantly updated electronic public register.

Article 44 - Advisory group

An Advisory Group shall be established by the Agency and provide it with the expertise related to the EES in particular in the context of the preparation of its annual work programme and its annual activity report.

Article 45 -  Training

The Agency shall perform tasks related to training referred to in Article 25 (4).

Article 46 - Monitoring and evaluation

1. The Agency shall ensure that procedures are in place to monitor the functioning of the EES against objectives relating to the technical output, cost-effectiveness, security and quality of service.

2. For the purposes of technical maintenance, the Agency shall have access to the necessary information relating to the data processing operations performed in the EES.

3. Two years after the start of operations of the EES and every two years thereafter, the Agency shall submit to the European Parliament, the Council and the Commission a report on the technical functioning of EES, including the security thereof.

4. Two years after the EES is brought into operation and every four years thereafter, the Commission shall produce an overall evaluation of the EES. This overall evaluation shall include an examination of results achieved against objectives, an assessement of the continuing validity of the underlying rationale, the application of the Regulation, the security of the EES and any implications on future operations. The Commission shall transmit the evaluation report to the European Parliament and the Council.

5. The first evaluation shall specifically examine the contribution the entry-exit system could make in the fight against terrorist offences and other serious criminal offences and will deal with the issue of access for law enforcement purposes to the information stored in the system, whether, and if so, under which conditions such access could be allowed, whether the data retention period shall be modified and whether access to authorities of third countries shall be granted, taking into account the operation of the EES and the results of the implementation of the VIS.

6. Member States shall provide the Agency and the Commission with the information necessary to draft the reports referred to in paragraphs 3 and 4 according to the quantitative indicators predefined by the Commission and/or the Agency.

7. The Agency shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraphs 4 and 5.

Article 47 - Entry into force and applicability

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. It shall apply from the date referred to in the first paragraph of Article 41.

3. Articles 23 to 25, 28 and 41 to 45 shall apply as from the date referred to in paragraph 1.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.