Legal provisions of COM(2016)883 - Establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters - EU monitor

EU monitor
Thursday, June 4, 2020
calendar

Legal provisions of COM(2016)883 - Establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters

Please note

This page contains a limited version of this dossier in the EU Monitor.


CHAPTER I - General provisions


Article 1

General purpose of SIS

The purpose of SIS shall be to ensure a high level of security within the area of freedom, security and justice of the Union including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States, and to ensure the application of the provisions of Chapter 4 and Chapter 5 of Title V of Part Three TFEU relating to the movement of persons on their territories, using information communicated through this system.

Article 2

Subject matter

1. This Regulation establishes the conditions and procedures for the entry and processing of alerts in SIS on persons and objects and for the exchange of supplementary information and additional data for the purpose of police and judicial cooperation in criminal matters.

2. This Regulation also lays down provisions on the technical architecture of SIS, on the responsibilities of the Member States and of the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), on data processing, on the rights of the persons concerned and on liability.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)‘alert’ means a set of data entered into SIS allowing the competent authorities to identify a person or an object with a view to taking specific action;

(2)‘supplementary information’ means information not forming part of the alert data stored in SIS, but connected to alerts in SIS, which is to be exchanged through the SIRENE Bureaux:

(a)in order to allow Member States to consult or inform each other when entering an alert;

(b)following a hit in order to allow the appropriate action to be taken;

(c)when the required action cannot be taken;

(d)when dealing with the quality of SIS data;

(e)when dealing with the compatibility and priority of alerts;

(f)when dealing with rights of access;

(3)‘additional data’ means the data stored in SIS and connected with alerts in SIS which are to be immediately available to the competent authorities where a person in respect of whom data has been entered in SIS is located as a result of conducting a search in SIS;

(4)‘personal data’ means personal data as defined in point 1 of Article 4 of Regulation (EU) 2016/679;

(5)‘processing of personal data’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, logging, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(6)a ‘match’ means the occurrence of the following steps:

(a)a search has been conducted in SIS by an end-user;

(b)that search has revealed an alert entered into SIS by another Member State; and

(c)data concerning the alert in SIS match the search data;

(7)a ‘hit’ means any match which fulfils the following criteria:

(a)it has been confirmed by:

(i)the end-user; or

(ii)the competent authority in accordance with national procedures, where the match concerned was based on the comparison of biometric data;

and

(b)further actions are requested;

(8)‘flag’ means a suspension of the validity of an alert at the national level that may be added to alerts for arrest, alerts on missing and vulnerable persons and alerts for discreet, inquiry and specific checks;

(9)‘issuing Member State’ means the Member State which entered the alert into SIS;

(10)‘executing Member State’ means the Member State which takes or has taken the required actions following a hit;

(11)‘end-user’ means a member of staff of a competent authority authorised to search directly CS-SIS, N.SIS or a technical copy thereof;

(12)‘biometric data’ means personal data resulting from specific technical processing relating to the physical or physiological characteristics of a natural person, which allow or confirm the unique identification of that natural person, namely photographs, facial images, dactyloscopic data and DNA profile;

(13)‘dactyloscopic data’ means data on fingerprints and palm prints which due to their unique character and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;

(14)‘facial image’ means digital images of the face with sufficient image resolution and quality to be used in automated biometric matching;

(15)‘DNA profile’ means a letter or number code which represents a set of identification characteristics of the noncoding part of an analysed human DNA sample, namely the particular molecular structure at the various DNA locations (loci);

(16)‘terrorist offences’ means offences under national law referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council (35), or equivalent to one of those offences for the Member States which are not bound by that Directive;

(17)‘threat to public health’ means a threat to public health as defined in point (21) of Article 2 of Regulation (EU) 2016/399 of the European Parliament and of the Council (36).

Article 4

Technical architecture and ways of operating SIS

1. SIS shall be composed of:

(a)a central system (Central SIS) composed of:

(i)a technical support function (‘CS-SIS’) containing a database (the ‘SIS database’), and including a backup CS-SIS;

(ii)a uniform national interface (‘NI-SIS’);

(b)a national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS, including at least one national or shared backup N.SIS; and

(c)a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS (‘the Communication Infrastructure’) that provides an encrypted virtual network dedicated to SIS data and the exchange of data between SIRENE Bureaux, as referred to in Article 7(2).

An N.SIS as referred to in point (b) may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. Two or more Member States may establish in one of their N.SIS a shared copy which may be used jointly by those Member States. Such shared copy shall be considered as the national copy of each of those Member States.

A shared backup N.SIS as referred to in point (b) may be used jointly by two or more Member States. In such cases, the shared backup N.SIS shall be considered as the backup N.SIS of each of those Member States. The N.SIS and its backup may be used simultaneously to ensure uninterrupted availability to end-users.

Member States intending to establish a shared copy or shared backup N.SIS to be used jointly shall agree their respective responsibilities in writing. They shall notify their arrangement to the Commission.

The Communication Infrastructure shall support and contribute to ensuring the uninterrupted availability of SIS. It shall include redundant and separated paths for the connections between CS-SIS and the backup CS-SIS and shall also include redundant and separated paths for the connections between each SIS national network access point and CS-SIS and backup CS-SIS.

2. Member States shall enter, update, delete and search SIS data through their own N.SIS. The Member States using a partial or a complete national copy or a partial or complete shared copy shall make that copy available for the purpose of carrying out automated searches in the territory of each of those Member States. The partial national or shared copy shall contain at least the data listed in points (a) to (v) of Article 20 (3). It shall not be possible to search the data files of other Member States' N.SIS except in the case of shared copies.

3. CS-SIS shall perform technical supervision and administration functions and have a backup CS-SIS, capable of ensuring all functionalities of the principal CS-SIS in the event of failure of that system. CS-SIS and the backup CS-SIS shall be located in the two technical sites of eu-LISA.

4. eu-LISA shall implement technical solutions to reinforce the uninterrupted availability of SIS either through the simultaneous operation of CS-SIS and the backup CS-SIS, provided that the backup CS-SIS remains capable of ensuring the operation of SIS in the event of a failure of CS-SIS, or through duplication of the system or its components. Notwithstanding the procedural requirements laid down in Article 10 of Regulation (EU) 2018/1726 eu-LISA shall no later than 28 December 2019, prepare a study on the options for technical solutions, containing an independent impact assessment and cost-benefit analysis.

5. Where necessary in exceptional circumstances, eu-LISA may temporarily develop an additional copy of the SIS database.

6. CS-SIS shall provide the services necessary for the entry and processing of SIS data, including searches in the SIS database. For the Member States which use a national or shared copy, CS-SIS shall:

(a)provide online updates for the national copies;

(b)ensure synchronisation of and consistency between the national copies and the SIS database; and

(c)provide the operation for initialisation and restoration of the national copies.

7. CS-SIS shall provide uninterrupted availability.

Article 5

Costs

1. The costs of operating, maintaining and further developing Central SIS and the Communication Infrastructure shall be borne by the general budget of the Union. Those costs shall include work done with respect to CS-SIS, in order to ensure the provision of the services referred to in Article 4(6).

2. The costs of setting up, operating, maintaining and further developing each N.SIS shall be borne by the Member State concerned.

CHAPTER II - Responsibilities of the Member States


Article 6

National systems

Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS and connecting it to NI-SIS.

Each Member State shall be responsible for ensuring the uninterrupted availability of SIS data to end-users.

Each Member State shall transmit its alerts through its N.SIS.

Article 7

N.SIS Office and SIRENE Bureau

1. Each Member State shall designate an authority (the N.SIS Office), which shall have central responsibility for its N.SIS.

That authority shall be responsible for the smooth operation and security of the N.SIS, shall ensure the access of the competent authorities to SIS and shall take the necessary measures to ensure compliance with this Regulation. It shall be responsible for ensuring that all functionalities of SIS are made available to the end users appropriately.

2. Each Member State shall designate a national authority which shall be operational 24 hours a day, 7 days a week and which shall ensure the exchange and availability of all supplementary information (the SIRENE Bureau) in accordance with the SIRENE Manual. Each SIRENE Bureau shall serve as a single contact point for its Member State to exchange supplementary information regarding alerts and to facilitate the requested actions to be taken when alerts on persons or objects have been entered in SIS and those persons or objects are located following a hit.

Each SIRENE Bureau shall, in accordance with national law, have easy direct or indirect access to all relevant national information, including national databases and all information on its Member States' alerts, and to expert advice, in order to be able to react to requests for supplementary information swiftly and within the deadlines provided for in Article 8.

The SIRENE Bureaux shall coordinate the verification of the quality of the information entered in SIS. For those purposes they shall have access to data processed in SIS.

3. The Member States shall provide eu-LISA with details of their N.SIS Office and of their SIRENE Bureau. eu-LISA shall publish the list of the N.SIS Offices and the SIRENE Bureaux together with the list referred to in Article 56(7).

Article 8

Exchange of supplementary information

1. Supplementary information shall be exchanged in accordance with the provisions of the SIRENE Manual and using the Communication Infrastructure. Member States shall provide the necessary technical and human resources to ensure the continuous availability and timely and effective exchange of supplementary information. In the event that the Communication Infrastructure is unavailable, Member States shall use other adequately secured technical means to exchange supplementary information. A list of adequately secured technical means shall be laid down in the SIRENE Manual.

2. Supplementary information shall be used only for the purpose for which it was transmitted in accordance with Article 64 unless prior consent for another use is obtained from the issuing Member State.

3. The SIRENE Bureaux shall carry out their tasks in a quick and efficient manner, in particular by replying to a request for supplementary information as soon as possible but not later than 12 hours after the receipt of the request. In case of alerts for terrorist offences, of alerts on persons wanted for arrest for surrender or extradition purposes, and in cases of alerts on children referred to in point (c) of Article 32(1) the SIRENE Bureaux shall act immediately.

Requests for supplementary information with the highest priority shall be marked ‘URGENT’ in the SIRENE forms, and the reason for the urgency shall be specified.

4. The Commission shall adopt implementing acts to lay down detailed rules for the tasks of the SIRENE Bureaux pursuant to this Regulation and the exchange of supplementary information in the form of a manual entitled the ‘SIRENE Manual’. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 9

Technical and functional compliance

1. When setting up its N.SIS, each Member State shall comply with common standards, protocols and technical procedures established to ensure the compatibility of its N.-SIS with Central SIS for the prompt and effective transmission of data.

2. If a Member State uses a national copy, it shall ensure, by means of the services provided by CS-SIS and by means of automatic updates referred to in Article 4(6), that the data stored in the national copy are identical to and consistent with the SIS database and that a search in its national copy produces a result equivalent to that of a search in the SIS database.

3. End-users shall receive the data required to perform their tasks, in particular, and where necessary, all the available data allowing for the identification of the data subject and for the requested action to be taken.

4. Member States and eu-LISA shall undertake regular tests to verify the technical compliance of the national copies referred to in paragraph 2. The results of those tests shall be taken into consideration as part of the mechanism established by Council Regulation (EU) No 1053/2013 (37).

5. The Commission shall adopt implementing acts to lay down and develop common standards, protocols and technical procedures, referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 10

Security — Member States

1. Each Member State shall, in relation to its N.SIS, adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g)ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation, by means of individual and unique user identifiers and confidential access modes only (data access control);

(h)ensure that all authorities with a right of access to SIS or to the data processing facilities create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make those profiles available to the supervisory authorities referred to in Article 69(1) without delay upon their request (personnel profiles);

(i)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j)ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when, by whom and for what purpose (input control);

(k)prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m)ensure that, in the event of interruption, installed systems can be restored to normal operation (recovery); and

(n)ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity).

2. Member States shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information, including by securing the premises of the SIRENE Bureaux.

3. Member States shall take measures equivalent to those referred to in paragraph 1 of this Article as regards security in respect of the processing of SIS data by the authorities referred to in Article 44.

4. The measures described in paragraphs 1, 2 and 3 may be part of a generic security approach and plan at national level encompassing multiple IT systems. In such cases, the requirements set out in this Article and their applicability to SIS shall be clearly identifiable in and ensured by that plan.

Article 11

Confidentiality — Member States

1. Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data and supplementary information, in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.

2. Where a Member State cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

3. The operational management of N.SIS or of any technical copies shall not be entrusted to private companies or private organisations.

Article 12

Keeping of logs at national level

1. Member States shall ensure that every access to and all exchanges of personal data within CS-SIS are logged in their N.SIS for the purposes of checking whether the search was lawful, monitoring the lawfulness of data processing, self-monitoring, ensuring the proper functioning of N.SIS, as well as for data integrity and security. This requirement does not apply to the automatic processes referred to in points (a), (b) and (c) of Article 4(6).

2. The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of both the competent authority and the person processing the data.

3. By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or a facial image in accordance with Article 43, the logs shall show the type of data used to perform the search instead of the actual data.

4. The logs shall only be used for the purpose referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.

5. Logs may be kept for longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.

6. The national competent authorities in charge of checking whether searches are lawful, monitoring the lawfulness of data processing, self-monitoring and ensuring the proper functioning of N.SIS and data integrity and security, shall have access, within the limits of their competence and at their request, to the logs for the purpose of fulfilling their duties.

7. Where Member States, in accordance with national law, carry out automated scanned searches of the number plates of motor vehicles, using Automatic Number Plate Recognition systems, Member States shall maintain a log of the search in accordance with national law. If necessary, a full search may be carried out in SIS in order to verify whether a hit has been achieved. Paragraphs 1 to 6 shall apply to any full search.

8. The Commission shall adopt implementing acts to establish the content of the log, referred to in paragraph 7 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 13

Self-monitoring

Member States shall ensure that each authority entitled to access SIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.

Article 14

Staff training

1. Before being authorised to process data stored in SIS and periodically after access to SIS data has been granted, the staff of the authorities having a right to access SIS shall receive appropriate training on data security, on fundamental rights including data -protection, and on the rules and procedures for data processing set out in the SIRENE Manual. The staff shall be informed of any relevant provisions on criminal offences and penalties, including those provided for in Article 73.

2. Member States shall have a national SIS training programme which shall include training for end-users as well as the staff of the SIRENE Bureaux.

That training programme may be part of a general training programme at national level encompassing training in other relevant areas.

3. Common training courses shall be organised at Union level at least once a year to enhance cooperation between SIRENE Bureaux.

CHAPTER III - Responsibilities of eu-LISA


Article 15

Operational management

1. eu-LISA shall be responsible for the operational management of Central SIS. eu-LISA shall, in cooperation with the Member States, ensure that at all times the best available technology is used for Central SIS, subject to a cost-benefit analysis.

2. eu-LISA shall also be responsible for the following tasks relating to the Communication Infrastructure:

(a)supervision;

(b)security;

(c)the coordination of relations between the Member States and the provider;

(d)tasks relating to implementation of the budget;

(e)acquisition and renewal; and

(f)contractual matters.

3. eu-LISA shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:

(a)the coordination, management and support of testing activities;

(b)the maintenance and updating of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the Communication Infrastructure; and

(c)managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.

4. eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard.

eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.

5. eu-LISA shall also perform tasks related to providing training on the technical use of SIS and on measures for improving the quality of SIS data.

6. The operational management of Central SIS shall consist of all the tasks necessary to keep Central SIS functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS and the N.SIS that ensure that Central SIS and the N.SIS operate in accordance with the requirements for technical and functional compliance set out in Article 9.

7. The Commission shall adopt implementing acts to set out the technical requirements for the Communication Infrastructure. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 16

Security — eu-LISA

1. eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c)prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e)prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f)prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g)ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identifiers and confidential access modes only (data access control);

(h)create profiles describing the functions and responsibilities of persons who are authorised to access the data or the data processing facilities and make those profiles available to the European Data Protection Supervisor without delay upon its request (personnel profiles);

(i)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j)ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom (input control);

(k)prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m)ensure that, in the event of interrupted operations, installed systems can be restored to normal operation (recovery);

(n)ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity); and

(o)ensure the security of its technical sites.

2. eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information through the Communication Infrastructure.

Article 17

Confidentiality — eu-LISA

1. Without prejudice to Article 17 of the Staff Regulations, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of a comparable standard to those laid down in Article 11 of this Regulation to all its staff required to work with SIS data. That obligation shall also apply after those persons leave office or employment or after the termination of their activities.

2. eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards confidentiality in respect of the exchange of supplementary information through the Communication Infrastructure.

3. Where eu-LISA cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

4. The operational management of CS-SIS shall not be entrusted to private companies or private organisations.

Article 18

Keeping of logs at central level

1. eu-LISA shall ensure that every access to and all exchanges of personal data within CS-SIS are logged for the purposes stated in Article 12(1).

2. The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of the competent authority processing the data.

3. By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or facial images in accordance with Article 43, the logs shall show the type of data used to perform the search instead of the actual data.

4. The logs shall only be used for the purposes referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.

5. Logs may be kept longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.

6. For the purposes of self-monitoring and ensuring the proper functioning of CS-SIS, data integrity and security, eu-LISA shall have access to the logs within the limits of its competence.

The European Data Protection Supervisor shall have access to those logs on request, within the limits of its competence and for the purpose of fulfilling its tasks.

CHAPTER IV - Information to the public


Article 19

SIS information campaigns

At the start of the application of this Regulation, the Commission, in cooperation with the supervisory authorities and the European Data Protection Supervisor, shall carry out a campaign informing the public about the objectives of SIS, the data stored in SIS, the authorities having access to SIS and the rights of data subjects. The Commission shall repeat such campaigns regularly, in cooperation with the supervisory authorities and the European Data Protection Supervisor. The Commission shall maintain a website available to the public providing all relevant information concerning SIS. Member States shall, in cooperation with their supervisory authorities, devise and implement the necessary policies to inform their citizens and residents about SIS generally.

CHAPTER V - Categories of data and flagging


Article 20

Categories of data

1. Without prejudice to Article 8(1) or to the provisions of this Regulation providing for the storage of additional data, SIS shall contain only those categories of data which are supplied by each Member State, as required for the purposes laid down in Articles 26, 32, 34, 36, 38 and 40.

2. The categories of data shall be as follows:

(a)information on persons in relation to whom an alert has been entered;

(b)information on objects referred to in Articles 26, 32, 34, 36 and 38.

3. Any alert in SIS which includes information on persons shall contain only the following data:

(a)surnames;

(b)forenames;

(c)names at birth;

(d)previously used names and aliases;

(e)any specific, objective, physical characteristics not subject to change;

(f)place of birth;

(g)date of birth;

(h)gender;

(i)any nationalities held;

(j)whether the person concerned:

(i)is armed;

(ii)is violent;

(iii)has absconded or escaped;

(iv)poses a risk of suicide;

(v)poses a threat to public health; or

(vi)is involved in an activity referred to in Articles 3 to 14 of Directive (EU) 2017/541;

(k)the reason for the alert;

(l)the authority which created the alert;

(m)a reference to the decision giving rise to the alert;

(n)the action to be taken in the case of a hit;

(o)links to other alerts pursuant to Article 63;

(p)the type of offence;

(q)the person's registration number in a national register;

(r)for alerts referred to in Article 32(1), a categorisation of the type of case;

(s)the category of the person's identification documents;

(t)the country of issue of the person's identification documents;

(u)the number(s) of the person's identification documents;

(v)the date of issue of the person's identification documents;

(w)photographs and facial images;

(x)in accordance with Article 42(3), relevant DNA profiles;

(y)dactyloscopic data;

(z)a copy of the identification documents, in colour wherever possible.

4. The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching the data referred to in paragraphs 2 and 3 of this Article and the common standards referred to in paragraph 5 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

5. Technical rules shall be similar for searches in CS-SIS, in national or shared copies and in technical copies made under Article 56(2). They shall be based on common standards.

Article 21

Proportionality

1. Before entering an alert and when extending the period of validity of an alert, Member States shall determine whether the case is adequate, relevant and important enough to warrant an alert in SIS.

2. Where a person or an object is sought under an alert related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.

Article 22

Requirement for an alert to be entered

1. The minimum set of data necessary in order to enter an alert into SIS shall be the data referred to in points (a), (g), (k) and (n) of Article 20(3), except for in the situations referred to in Article 40. The other data referred to in that paragraph shall also be entered into SIS, if available.

2. The data referred to in point (e) of Article 20(3) of this Regulation shall only be entered when this is strictly necessary for the identification of the person concerned. When such data are entered, Member States shall ensure that Article 10 of Directive (EU) 2016/680 is complied with.

Article 23

Compatibility of alerts

1. Before entering an alert, the Member State shall check whether the person or the object concerned is already the subject of an alert in SIS. To check whether the person is already the subject of an alert, a check with dactyloscopic data shall also be carried out if such data are available.

2. Only one alert per person or per object per Member State shall be entered into SIS. Where necessary, new alerts may be entered on the same person or object by other Member States, in accordance with paragraph 3.

3. Where a person or an object is already the subject of an alert in SIS, a Member State wishing to enter a new alert shall check that there is no incompatibility between the alerts. If there is no incompatibility, the Member State may enter the new alert. If the alerts are incompatible, the SIRENE Bureaux of the Member States concerned shall consult each other by exchanging supplementary information in order to reach an agreement. Rules on the compatibility of alerts shall be laid down in the SIRENE Manual. Departures from the compatibility rules may be made after consultation between the Member States if essential national interests are at stake.

4. In the case of hits on multiple alerts on the same person or object, the executing Member State shall observe the priority rules for alerts laid down in the SIRENE Manual.

If a person is subject to multiple alerts entered by different Member States, alerts for arrest entered in accordance with Article 26 shall be executed as a priority, subject to Article 25.

Article 24

General provisions on flagging

1. Where a Member State considers that to give effect to an alert entered in accordance with Article 26, 32 or 36 is incompatible with its national law, its international obligations or essential national interests, it may require that a flag be added to the alert to the effect that the action to be taken on the basis of the alert will not be taken in its territory. The flag shall be added by the SIRENE Bureau of the issuing Member State.

2. In order to enable Member States to require that a flag be added to an alert entered in accordance with Article 26, all Member States shall be notified automatically of any new alert of that category through the exchange of supplementary information.

3. If in particularly urgent and serious cases, an issuing Member State requests the execution of the action, the executing Member State shall examine whether it is able to allow the flag added at its behest to be withdrawn. If the executing Member State is able to do so, it shall take the necessary steps to ensure that the action to be taken can be carried out immediately.

Article 25

Flagging related to alerts for arrest for surrender purposes

1. Where Framework Decision 2002/584/JHA applies, a Member State shall request the issuing Member State to add a flag preventing arrest as a follow-up to an alert for arrest for surrender purposes where the competent judicial authority under national law for the execution of a European Arrest Warrant has refused its execution on the basis of a ground for non-execution and where the addition of the flag has been required.

A Member State may also require that a flag be added to the alert if its competent judicial authority releases the subject of the alert during the surrender process.

2. However, at the behest of a competent judicial authority under national law, either on the basis of a general instruction or in a specific case, a Member State may also require the issuing Member State to add a flag to an alert for arrest for surrender purposes if it is obvious that the execution of the European Arrest Warrant will have to be refused.

CHAPTER VI - Alerts on persons wanted for arrest for surrender or extradition purposes


Article 26

Objectives and conditions for entering alerts

1. Alerts on persons wanted for arrest for surrender purposes on the basis of a European Arrest Warrant, or alerts on persons wanted for arrest for extradition purposes, shall be entered at the request of the judicial authority of the issuing Member State.

2. Alerts for arrest for surrender purposes shall also be entered on the basis of arrest warrants issued, in accordance with agreements concluded between the Union and third countries on the basis of the Treaties, for the purpose of surrender of persons on the basis of an arrest warrant, which provide for the transmission of such an arrest warrant through SIS.

3. Any reference in this Regulation to provisions of Framework Decision 2002/584/JHA shall be construed as including the corresponding provisions of agreements concluded between the Union and third countries on the basis of the Treaties, for the purpose of surrender of persons on the basis of an arrest warrant which provide for the transmission of such an arrest warrant through SIS.

4. In the case of an ongoing operation, the issuing Member State may temporarily make an existing alert for arrest entered in accordance with this Article unavailable for searching by the end-users in the Member States involved in the operation. In such cases the alert shall only be accessible to the SIRENE Bureaux. Member States shall only make an alert unavailable if:

(a)the purpose of the operation cannot be achieved by other measures;

(b)a prior authorisation has been granted by the competent judicial authority of the issuing Member State; and

(c)all Member States involved in the operation have been informed through the exchange of supplementary information.

The functionality provided for in the first subparagraph shall only be used for a period not exceeding 48 hours. However, if operationally necessary, it may be extended by further periods of 48 hours. Member States shall keep statistics on the number of alerts in relation to which this functionality has been used.

5. Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), (j) and (k) of Article 38(2) are connected with a person who is the subject of an alert pursuant to paragraph 1 and 2 of this Article, alerts on those objects may be entered in order to locate the person. In such cases, the alert on the person and the alert on the object shall be linked in accordance with Article 63.

6. The Commission shall adopt implementing acts to lay down and develop rules necessary for entering, updating, deleting and searching the data referred to in paragraph 5 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 27

Additional data on persons wanted for arrest for surrender purposes

1. Where a person is wanted for arrest for surrender purposes on the basis of a European Arrest Warrant, the issuing Member State shall enter into SIS a copy of the original of the European Arrest Warrant.

A Member State may enter the copy of more than one European Arrest Warrant in an alert for arrest for surrender purposes.

2. The issuing Member State may enter a copy of a translation of the European Arrest Warrant in one or more other official languages of the institutions of the Union.

Article 28

Supplementary information on persons wanted for arrest for surrender purposes

The issuing Member State of an alert for arrest for surrender purposes shall communicate the information referred to in Article 8(1) of Framework Decision 2002/584/JHA to the other Member States through the exchange of supplementary information.

Article 29

Supplementary information on persons wanted for arrest for extradition purposes

1. The issuing Member State of an alert for extradition purposes shall communicate the following data to all other Member States through the exchange of supplementary information:

(a)the authority which issued the request for arrest;

(b)whether there is an arrest warrant or a document having the same legal effect, or an enforceable judgment;

(c)the nature and legal classification of the offence;

(d)a description of the circumstances in which the offence was committed, including the time, place and the degree of participation in the offence by the person on whom the alert has been entered;

(e)insofar as possible, the consequences of the offence; and

(f)any other information useful or necessary for the execution of the alert.

2. The data listed in paragraph 1 of this Article shall not be communicated where the data referred to in Article 27 or 28 have already been provided and are considered sufficient for the execution of the alert by the executing Member State.

Article 30

Conversion of an action to be taken concerning alerts for arrest for surrender or extradition purposes

Where an arrest cannot be made, either because the Member State requested to do so refuses to make it in accordance with the procedures on flagging set out in Article 24 or 25, or because, in the case of an alert for arrest for extradition purposes, an investigation has not been completed, the Member State requested to make the arrest shall act on the alert by communicating the whereabouts of the person concerned.

Article 31

Execution of an action based on an alert for arrest for surrender or extradition purposes

1. An alert entered in SIS in accordance with Article 26 and the additional data referred to in Article 27 shall together constitute and have the same effect as a European Arrest Warrant issued in accordance with Framework Decision 2002/584/JHA where that Framework Decision applies.

2. Where Framework Decision 2002/584/JHA does not apply, an alert entered in SIS in accordance with Articles 26 and 29 shall have the same legal force as a request for provisional arrest under Article 16 of the European Convention on Extradition of 13 December 1957 or Article 15 of the Benelux Treaty concerning Extradition and Mutual Assistance in Criminal Matters of 27 June 1962.

CHAPTER VII - Alerts on missing persons or vulnerable persons who need to be prevented from travelling


Article 32

Objectives and conditions for entering alerts

1. Alerts on the following categories of persons shall be entered in SIS at the request of the competent authority of the issuing Member State:

(a)missing persons who need to be placed under protection:

(i)for their own protection;

(ii)in order to prevent a threat to public order or public security;

(b)missing persons who do not need to be placed under protection;

(c)children at risk of abduction by a parent, a family member or a guardian, who need to be prevented from travelling;

(d)children who need to be prevented from travelling owing to a concrete and apparent risk of them being removed from or leaving the territory of a Member State and:

(i)becoming victims of trafficking in human beings, or of forced marriage, female genital mutilation or other forms of gender-based violence;

(ii)becoming victims of or involved in terrorist offences; or

(iii)becoming conscripted or enlisted into armed groups or being made to participate actively in hostilities;

(e)vulnerable persons who are of age and who need to be prevented from travelling for their own protection owing to a concrete and apparent risk of them being removed from or leaving the territory of a Member State and becoming victims of trafficking in human beings or gender-based violence.

2. Point (a) of paragraph 1 shall apply in particular to children and to persons who have to be institutionalised following a decision by a competent authority.

3. An alert on a child referred to in point (c) of paragraph 1 shall be entered following a decision by the competent authorities, including judicial authorities of the Member States having jurisdiction in matters of parental responsibility, where a concrete and apparent risk exists that the child may be unlawfully and imminently removed from the Member State where the competent authorities are situated.

4. An alert on persons referred to in points (d) and (e) of paragraph 1 shall be entered following a decision by the competent authorities, including judicial authorities.

5. The issuing Member State shall regularly review the need to maintain the alerts referred to in points (c), (d) and (e) of paragraph 1 of this Article in accordance with Article 53(4).

6. The issuing Member State shall ensure all of the following:

(a)that the data it enters in SIS indicate which of the categories referred to in paragraph 1 the person concerned by the alert falls into;

(b)that the data it enters in SIS indicate which type of case is involved, wherever the type of case is known; and

(c)that, in relation to alerts entered in accordance with points (c), (d) and (e) of paragraph 1, its SIRENE Bureau has all relevant information at its disposal at the time of the creation of the alert.

7. Four months before a child who is the subject of an alert under this Article reaches the age of majority in accordance with the national law of the issuing Member State, CS-SIS shall automatically notify the issuing Member State that either the reason for the alert and the action to be taken have to be updated or the alert has to be deleted.

8. Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), and (k) of Article 38(2) are connected with a person who is the subject of an alert pursuant to paragraph 1 of this Article, alerts on those objects may be entered in order to locate the person. In such cases, the alert on the person and the alert on the object shall be linked in accordance with Article 63.

9. The Commission shall adopt implementing acts to lay down and develop rules on the categorisation of the types of cases and the entering of data referred to in paragraph 6. The types of cases of missing persons who are children shall include, but not be limited to, runaways, unaccompanied children in the context of migration and children at risk of parental abduction.

The Commission shall also adopt implementing acts to lay down and develop technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 8.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 33

Execution of action based on an alert

1. Where a person referred to in Article 32 is located, the competent authorities of the executing Member State shall, subject to the requirements in paragraph 4, communicate his or her whereabouts to the issuing Member State.

2. In the case of persons who need to be placed under protection referred to in points (a), (c), (d) and (e) of Article 32(1), the executing Member State shall immediately consult its own competent authorities and those of the issuing Member State through the exchange of supplementary information in order to agree without delay the measures to be taken. The competent authorities in the executing Member State may, in accordance with national law, move such persons to a safe place in order to prevent them from continuing their journey.

3. In the case of children, any decision on the measures to be taken or any decision to move the child to a safe place as referred to in paragraph 2 shall be made in accordance with the best interests of the child. Such decisions shall be made immediately and not later than 12 hours after the child was located, in consultation with relevant child protection authorities, as appropriate.

4. The communication, other than between the competent authorities, of data on a missing person who has been located and who is of age shall be subject to that person's consent. The competent authorities may, however, communicate the fact that the alert has been deleted because the missing person has been located to the person who reported the person missing.

CHAPTER VIII - Alerts on persons sought to assist with a judicial procedure


Article 34

Objectives and conditions for entering alerts

1. For the purposes of communicating the place of residence or domicile of persons, Member States shall, at the request of a competent authority, enter into SIS alerts on:

(a)witnesses;

(b)persons summoned or persons sought to be summoned to appear before the judicial authorities in connection with criminal proceedings in order to account for acts for which they are being prosecuted;

(c)persons who are to be served with a criminal judgment or other documents in connection with criminal proceedings in order to account for acts for which they are being prosecuted;

(d)persons who are to be served with a summons to report in order to serve a penalty involving a deprivation of liberty.

2. Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), and (k) of Article 38(2) are connected with a person who is the subject of an alert pursuant to paragraph 1 of this Article, alerts on those objects may be entered in order to locate the person. In such cases the alerts on the person and the alert on the object shall be linked in accordance with Article 63.

3. The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching of the data referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 35

Execution of the action based on an alert

Requested information shall be communicated to the issuing Member State through the exchange of supplementary information.

CHAPTER IX - Alerts on persons and objects for discreet checks, inquiry checks or specific checks


Article 36

Objectives and conditions for entering alerts

1. Alerts on persons, on the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) and on non-cash means of payment shall be entered in accordance with the national law of the issuing Member State, for the purposes of discreet checks, inquiry checks or specific checks in accordance with Article 37(3), (4) and (5).

2. When entering alerts for discreet checks, inquiry checks or specific checks and where the information sought by the issuing Member State is additional to that provided for in points (a) to (h) of Article 37(1), the issuing Member State shall add to the alert all the information that is sought. If that information relates to special categories of personal data referred to in Article 10 of Directive (EU) 2016/680, it shall only be sought if it is strictly necessary for the specific purpose of the alert and in relation to the criminal offence for which the alert has been entered.

3. Alerts on persons for discreet checks, inquiry checks or specific checks may be entered for the purposes of preventing, detecting, investigating or prosecuting criminal offences, executing a criminal sentence and preventing threats to public security in one or more of the following circumstances:

(a)where there is a clear indication that a person intends to commit or is committing any of the offences referred to in Article 2(1) and (2) of the Framework Decision 2002/584/JHA;

(b)where the information referred to in Article 37(1) is necessary for the execution of a custodial sentence or detention order regarding a person convicted of any of the offences referred to in Article 2(1) and (2) of the Framework Decision 2002/584/JHA;

(c)where an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to believe that that person may commit the offences referred to in Article 2(1) and 2(2) of the Framework Decision 2002/584/JHA in the future.

4. In addition, alerts on persons for discreet checks, inquiry checks or specific checks may be entered in accordance with national law at the request of the authorities responsible for national security where there is a concrete indication that the information referred to in Article 37(1) is necessary in order to prevent a serious threat posed by the person concerned or other serious threats to internal or external national security. The Member State which entered the alert in accordance with this paragraph shall inform the other Member States of such an alert. Each Member State shall determine to which authorities this information shall be transmitted. The information shall be transmitted through the SIRENE Bureaux.

5. Where there is a clear indication that the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment are connected with the serious crimes referred to in paragraph 3 of this Article or the serious threats referred to in paragraph 4 of this Article, alerts on those objects may be entered and linked to the alerts entered in accordance with paragraphs 3 and 4 of this Article.

6. The Commission shall adopt implementing acts to lay down and develop the technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 5 of this Article as well as the additional information referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 37

Execution of the action based on an alert

1. For the purposes of discreet checks, inquiry checks or specific checks, the executing Member State shall collect and communicate to the issuing Member State all or some of the following information:

(a)the fact that the person who is the subject of an alert has been located, or that objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment which are the subject of an alert have been located;

(b)the place, time and reason for the check;

(c)the route of the journey and destination;

(d)the persons accompanying the subject of the alert or the occupants of the vehicle, boat or aircraft, or the persons accompanying the holder of the blank official document or issued identity document who can reasonably be expected to be associated with the subject of the alert;

(e)any identity revealed and any personal description of the person using the blank official document or issued identity document that is the subject of the alert;

(f)the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment used;

(g)objects carried, including travel documents;

(h)the circumstances in which the person, the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or the non-cash means of payment were located;

(i)any other information being sought by the issuing Member State in accordance with Article 36(2).

If the information referred to in point (i) of the first subparagraph of this paragraph relates to special categories of personal data referred to in Article 10 of Directive (EU) 2016/680, it shall be processed in accordance with the conditions set out in that Article and only if it supplements other personal data processed for the same purpose.

2. The executing Member State shall communicate the information referred to in paragraph 1 through the exchange of supplementary information.

3. A discreet check shall comprise the discreet collection of as much information described in paragraph 1 as possible during routine activities carried out by the national competent authorities of the executing Member State. The collection of this information shall not jeopardise the discreet nature of the checks and the subject of the alert shall in no way be made aware of the existence of the alert.

4. An inquiry check shall comprise an interview of the person, including on the basis of information or specific questions added to the alert by the issuing Member State in accordance with Article 36(2). The interview shall be carried out in accordance with the national law of the executing Member State

5. During specific checks, persons, vehicles, boats, aircraft, containers and carried objects may be searched for the purposes referred to in Article 36. Searches shall be carried out in accordance with the national law of the executing Member State.

6. Where specific checks are not authorised by the national law of the executing Member State, they shall be replaced by inquiry checks in that Member State. Where inquiry checks are not authorised by the national law of the executing Member State, they shall be replaced by discreet checks in that Member State. Where Directive 2013/48/EU applies, Member States shall ensure that the right of suspects and accused persons to have access to a lawyer is respected under the conditions set out in that Directive.

7. Paragraph 6 is without prejudice to the obligation of Member States to make available to end-users information sought under Article 36(2).

CHAPTER X - Alerts on objects for seizure or use as evidence in criminal proceedings


Article 38

Objectives and conditions for entering alerts

1. Member States shall enter into SIS alerts on objects sought for the purposes of seizure or for use as evidence in criminal proceedings.

2. Alerts shall be entered on the following categories of readily identifiable objects:

(a)motor vehicles regardless of the propulsion system;

(b)trailers with an unladen weight exceeding 750 kg;

(c)caravans;

(d)industrial equipment;

(e)boats;

(f)boat engines;

(g)containers;

(h)aircraft;

(i)aircraft engines;

(j)firearms;

(k)blank official documents which have been stolen, misappropriated, lost or purport to be such a document but are false;

(l)issued identity documents, such as passports, identity cards, residence permits, travel documents and driving licences which have been stolen, misappropriated, lost or invalidated or purport to be such a document but are false;

(m)vehicle registration certificates and vehicle number plates which have been stolen, misappropriated, lost or invalidated or purport to be such a document or plate but are false;

(n)banknotes (registered notes) and false banknotes;

(o)items of information technology;

(p)identifiable component parts of motor vehicles;

(q)identifiable component parts of industrial equipment;

(r)other identifiable objects of high value, as defined in accordance with paragraph 3.

With regard to the documents referred to in points (k), (l) and (m), the issuing Member State may specify whether such documents are stolen, misappropriated, lost, invalid or false.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 75 to amend this Regulation by defining new sub-categories of objects under points (o), (p), (q) and (r) of paragraph 2 of this Article.

4. The Commission shall adopt implementing acts to lay down and develop technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 39

Execution of the action based on an alert

1. Where a search brings to light an alert on an object which has been located, the competent authority shall in accordance with its national law seize the object and contact the authority of the issuing Member State in order to agree on the measures to be taken. For this purpose, personal data may also be communicated in accordance with this Regulation.

2. The information referred to in paragraph 1 shall be communicated through the exchange of supplementary information.

3. The executing Member State shall take the requested measures in accordance with national law.

CHAPTER XI - Alerts on unknown wanted persons for the purposes of identification under national law


Article 40

Alerts on unknown wanted persons for the purposes of identification under national law

Member States may enter into SIS alerts on unknown wanted persons containing only dactyloscopic data. Those dactyloscopic data shall be either complete or incomplete sets of fingerprints or palm prints discovered at the scenes of terrorist offences or other serious crimes under investigation. They shall only be entered into SIS where it can be established to a very high degree of probability that they belong to a perpetrator of the offence.

If the competent authority of the issuing Member State cannot establish the identity of the suspect on the basis of data from any other relevant national, Union or international database, the dactyloscopic data referred to in the first subparagraph may only be entered in this category of alerts as ‘unknown wanted person’ for the purpose of identifying such a person.

Article 41

Execution of the action based on an alert

In the event of a hit with the data entered pursuant to Article 40, the identity of the person shall be established in accordance with national law, together with expert verification that the dactyloscopic data in SIS belong to the person. The executing Member States shall communicate information on the identity and the whereabouts of the person to the issuing Member State through the exchange of supplementary information in order to facilitate timely investigation of the case.

CHAPTER XII - Specific rules for biometric data


Article 42

Specific rules for entering photographs, facial images, dactyloscopic data and DNA profiles

1. Only photographs, facial images, dactyloscopic data referred to in points (w) and (y) of Article 20(3) which fulfil minimum data quality standards and technical specifications shall be entered into SIS. Before such data are entered, a quality check shall be performed in order to ascertain whether the minimum data quality standards and technical specifications have been met.

2. Dactyloscopic data entered in SIS may consist of one to ten flat fingerprints and one to ten rolled fingerprints. It may also include up to two palm prints.

3. A DNA profile may only be added to alerts in the situations provided for in point (a) of Article 32(1), only following a quality check to ascertain whether the minimum data quality standards and technical specifications have been met and only where photographs, facial images or dactyloscopic data are not available or not suitable for identification. The DNA profiles of persons who are direct ascendants, descendants or siblings of the subject of the alert may be added to the alert provided that those persons give their explicit consent. Where a DNA profile is added to an alert, that profile shall contain the minimum information strictly necessary for the identification of the missing person.

4. Minimum data quality standards and technical specifications shall be established in accordance with paragraph 5 of this Article for the storage of the biometric data referred to in paragraphs 1 and 3 of this Article. Those minimum data quality standards and technical specifications shall set the level of quality required for using the data to verify the identity of a person in accordance with Article 43(1) and for using the data to identify a person in accordance with Article 43(2) to (4).

5. The Commission shall adopt implementing acts to lay down the minimum data quality standards and technical specifications referred to in paragraphs 1, 3 and 4 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 43

Specific rules for verification or search with photographs, facial images, dactyloscopic data and DNA profiles

1. Where photographs, facial images, dactyloscopic data and DNA profiles are available in an alert in SIS, such photographs, facial images, dactyloscopic data and DNA profiles shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS.

2. Dactyloscopic data may be searched in all cases to identify a person. However, dactyloscopic data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS shall contain an Automated Fingerprint Identification System (AFIS).

3. Dactyloscopic data in SIS in relation to alerts entered in accordance with Articles 26, 32, 36 and 40 may also be searched using complete or incomplete sets of fingerprints or palm prints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.

4. As soon as it becomes technically possible, and while ensuring a high degree of reliability of identification, photographs and facial images may be used to identify a person in the context of regular border crossing points.

Before this functionality is implemented in SIS, the Commission shall present a report on the availability, readiness and reliability of the required technology. The European Parliament shall be consulted on the report.

After the start of the use of the functionality at regular border crossing points, the Commission shall be empowered to adopt delegated acts in accordance with Article 75 to supplement this Regulation concerning the determination of other circumstances in which photographs and facial images may be used to identify persons.

CHAPTER XIII - Right of access and review of alerts


Article 44

National competent authorities having a right to access data in SIS

1. National competent authorities shall have access to data entered in SIS and the right to search such data directly or in a copy of the SIS database for the purposes of:

(a)border control, in accordance with Regulation (EU) 2016/399;

(b)police and customs checks carried out within the Member State concerned, and the coordination of such checks by designated authorities;

(c)the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties, within the Member State concerned, provided that Directive (EU) 2016/680 applies;

(d)examining the conditions and taking decisions related to the entry and stay of third-country nationals on the territory of the Member States, including on residence permits and long-stay visas, and to the return of third-country nationals, as well as carrying out checks on third country nationals who are illegally entering or staying on the territory of the Member States;

(e)security checks on third-country nationals who apply for international protection, insofar as authorities performing the checks are not ‘determining authorities’ as defined in point (f) of Article 2 of Directive 2013/32/EU of the European Parliament and of the Council (38), and, where relevant, providing advice in accordance with Council Regulation (EC) No 377/2004 (39).

2. The right to access data in SIS and the right to search such data directly may be exercised by national competent authorities responsible for naturalisation, as provided for in national law, for the purposes of examining an application for naturalisation.

3. The right to access data entered in SIS and the right to search such data directly may also be exercised by national judicial authorities, including those responsible for the initiation of public prosecutions in criminal proceedings and for judicial inquiries prior to charging a person, in the performance of their tasks, as provided for in national law, and by their coordinating authorities.

4. The competent authorities referred to in this Article shall be included in the list referred to in Article 56(7).

Article 45

Vehicle registration services

1. The services in the Member States responsible for issuing registration certificates for vehicles, as referred to in Council Directive 1999/37/EC (40), shall have access to data entered into SIS in accordance with points (a), (b), (c), (m) and (p) of Article 38(2) of this Regulation for the sole purpose of checking whether vehicles and accompanying vehicle registration certificates and number plates presented to them for registration have been stolen, misappropriated, lost, purport to be such a document but are false or are sought as evidence in criminal proceedings.

Access to the data by the services referred to in first subparagraph shall be governed by the national law and shall be limited to the specific competence of the services concerned.

2. Services referred to in paragraph 1 that are government services shall have the right to access the data in SIS directly.

3. Services referred to in paragraph 1 of this Article that are non-government services shall have access to data in SIS only through the intermediary of an authority referred to in Article 44. That authority shall have the right to access the data directly and to pass them on to the service concerned. The Member State concerned shall ensure that the service in question and its employees are required to respect any limitations on the permissible use of data conveyed to them by the authority.

4. Article 39 shall not apply to access to SIS gained in accordance with this Article. The communication to the police or judicial authorities by services referred to in paragraph 1 of this Article of any information obtained through access to SIS shall be governed by national law.

Article 46

Registration services for boats and aircraft

1. The services in the Member States responsible for issuing registration certificates or ensuring traffic management for boats, including boat engines, and aircraft, including aircraft engines, shall have access to the following data entered into SIS in accordance with Article 38(2), for the sole purpose of checking whether boats, including boat engines, and aircraft, including aircraft engines, presented to them for registration or subject to traffic management have been stolen, misappropriated, lost or are sought as evidence in criminal proceedings:

(a)data on boats;

(b)data on boat engines;

(c)data on aircraft;

(d)data on aircraft engines.

Access to the data by the services referred to in first subparagraph shall be governed by the national law and shall be limited to the specific competence of the services concerned.

2. Services referred to in paragraph 1 that are government services shall have the right to access the data in SIS directly.

3. Services referred to in paragraph 1 of this Article that are non-government services shall have access to data in SIS only through the intermediary of an authority referred to in Article 44. That authority shall have the right to access the data directly and to pass them on to the service concerned. The Member State concerned shall ensure that the service in question and its employees are required to respect any limitations on the permissible use of data conveyed to them by the authority.

4. Article 39 shall not apply to access to SIS gained in accordance with this Article. The communication to the police or judicial authorities by services referred to in paragraph 1 of this Article of any information obtained through access to SIS shall be governed by national law.

Article 47

Registration services for firearms

1. The services in the Member States responsible for issuing registration certificates for firearms shall have access to data on persons entered into SIS in accordance with Articles 26 and 36 and to data on firearms entered into SIS in accordance with Article 38(2). The access shall be exercised for the purpose of checking whether the person requesting registration is wanted for arrest for surrender or extradition purposes or for the purposes of discreet, inquiry or specific checks or whether firearms presented for registration are sought for seizure or for use as evidence in criminal proceedings.

2. Access to the data by the services referred to in paragraph 1 shall be governed by the national law and shall be limited to the specific competence of the services concerned.

3. Services referred to in paragraph 1 that are government services shall have the right to access the data in SIS directly.

4. Services referred to in paragraph 1 that are non-government services shall only have access to data in SIS through the intermediary of an authority referred to in Article 44. That authority shall have the right to access the data directly and shall inform the service concerned if the firearm can be registered. The Member State concerned shall ensure that the service in question and its employees are required to respect any limitations to the permissible use of data conveyed to them by the intermediating authority.

5. Article 39 shall not apply to access to SIS gained in accordance with this Article. The communication to the police or the judicial authorities by services referred to in paragraph 1 of this Article of any information obtained through access to SIS shall be governed by national law.

Article 48

Access to data in SIS by Europol

1. The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794, shall, where necessary to fulfil its mandate, have the right to access and search data in SIS. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2. Where a search by Europol reveals the existence of an alert in SIS, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3. Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4. Europol's use of information obtained from a search in SIS or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5. Europol shall:

(a)without prejudice to paragraphs 4 and 6, not connect parts of SIS nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS;

(b)notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c)limit access to data in SIS, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d)adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e)ensure that its staff who are authorised to process SIS data receive appropriate training and information in accordance with Article 14(1); and

(f)without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS and in the exchange and processing of supplementary information.

6. Europol shall only copy data from SIS for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Regulation shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS into other Europol systems.

7. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS.

8. Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9. Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

Article 49

Access to data in SIS by Eurojust

1. Only the national members of Eurojust and their assistants shall, where necessary to fulfil their mandate, have the right to access and search data in SIS within their mandate, in accordance with Articles 26, 32, 34, 38 and 40.

2. Where a search by a national member of Eurojust reveals the existence of an alert in SIS, that national member shall inform the issuing Member State. Eurojust shall only communicate information obtained from such a search to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

3. This Article is without prejudice to the provisions of Regulation (EU) 2018/1727 of the European Parliament and of the Council (41) and Regulation (EU) 2018/1725 concerning data protection and the liability for any unauthorised or incorrect processing of such data by national members of Eurojust or their assistants, and to the powers of the European Data Protection Supervisor pursuant to those Regulations.

4. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Eurojust shall keep logs of every access to and search in SIS made by a national member of Eurojust or an assistant in accordance with the provisions of Article 12.

5. No parts of SIS shall be connected to any system for data collection and processing operated by or at Eurojust nor, shall the data in SIS to which the national members or their assistants have access be transferred to such a system. No part of SIS shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS data.

6. Eurojust shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13.

Article 50

Access to data in SIS by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1. In accordance with Article 40(8) of Regulation (EU) 2016/1624, the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 44(1) of this Regulation and have received the required training in accordance with Article 14(1) of this Regulation, have the right to access and search data in SIS insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS shall not be extended to any other team members.

2. Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS.

3. Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS in accordance with the provisions of Article 12.

5. The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6. Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7. Without prejudice to paragraph 2, no parts of SIS shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS to which those teams have access be transferred to such a system. No part of SIS shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS data.

8. The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725.

Article 51

Evaluation of the use of SIS by Europol, Eurojust and the European Border and Coast Guard Agency

1. The Commission shall carry out an evaluation of the operation and the use of SIS by Europol, the national members of Eurojust and their assistants and the teams referred to in Article 50(1) at least every five years.

2. Europol, Eurojust and the European Border and Coast Guard Agency shall ensure adequate follow-up to the findings and recommendations stemming from the evaluation.

3. A report on the results of the evaluation and follow-up to it shall be sent to the European Parliament and to the Council.

Article 52

Scope of access

End-users, including Europol, the national members of Eurojust and their assistants and the members of the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624, shall only access data which they require for the performance of their tasks.

Article 53

Review period for alerts on persons

1. Alerts on persons shall be kept only for the time required to achieve the purposes for which they were entered.

2. A Member State may enter an alert on a person for the purposes of Article 26 and points (a) and (b) of Article 32(1) for a period of five years. The issuing Member State shall review the need to retain the alert within the five year period.

3. A Member State may enter an alert on a person for the purposes of Articles 34 and 40 for a period of three years. The issuing Member State shall review the need to retain the alert within the three year period.

4. A Member State may enter an alert on a person for the purposes of points (c), (d) and (e) of Article 32 (1) and of Article 36 for a period of one year. The issuing Member State shall review the need to retain the alert within the one year period.

5. Each Member State shall, where appropriate, set shorter review periods in accordance with its national law.

6. Within the review period referred to in paragraphs 2, 3 and 4, the issuing Member State may, following a comprehensive individual assessment, which shall be recorded, decide to retain the alert on a person for longer than the review period, where this proves necessary and proportionate for the purposes for which the alert was entered. In such cases paragraph 2, 3 or 4 shall also apply to the extension. Any such extension shall be communicated to CS-SIS.

7. Alerts on persons shall be deleted automatically after the review period referred to in paragraphs 2, 3 and 4 has expired, except where the issuing Member State has informed CS-SIS of an extension pursuant to paragraph 6. CS-SIS shall automatically inform the issuing Member State of the scheduled deletion of data four months in advance.

8. Member States shall keep statistics on the number of alerts on persons the retention periods of which have been extended in accordance with paragraph 6 of this Article and transmit them, upon request, to the supervisory authorities referred to in Article 69.

9. As soon as it becomes clear to a SIRENE Bureau that an alert on a person has achieved its purpose and should therefore be deleted, it shall immediately notify the authority which created the alert. The authority shall have 15 calendar days from the receipt of that notification to reply that the alert has been or shall be deleted or shall state reasons for the retention of the alert. If no reply has been received by the end of the 15-day period, the SIRENE Bureau shall ensure that the alert is deleted. Where permissible under national law, the alert shall be deleted by the SIRENE Bureau. SIRENE Bureaux shall report any recurring issues they encounter when acting under this paragraph to their supervisory authority.

Article 54

Review period for alerts on objects

1. Alerts on objects shall be kept only for the time required to achieve the purposes for which they were entered.

2. A Member State may enter an alert on objects for the purposes of Articles 36 and 38 for a period of ten years. The issuing Member State shall review the need to retain the alert within the ten-year period.

3. Alerts on objects entered in accordance with Articles 26, 32, 34, and 36 shall be reviewed pursuant to Article 53 where they are linked to an alert on a person. Such alerts shall only be kept for as long as the alert on the person is kept.

4. Within the review period referred to in paragraphs 2 and 3, the issuing Member State may decide to retain the alert on an object for longer than the review period, where this proves necessary for the purposes for which the alert was entered. In such cases paragraph 2 or 3 shall apply, as appropriate.

5. The Commission may adopt implementing acts to establish shorter review periods for certain categories of alerts on objects. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

6. Member States shall keep statistics on the number of alerts on objects the retention periods of which have been extended in accordance with paragraph 4.

CHAPTER XIV - Deletion of alerts


Article 55

Deletion of alerts

1. Alerts for arrest for surrender or extradition purposes pursuant to Article 26 shall be deleted when the person has been surrendered or extradited to the competent authorities of the issuing Member State. They shall also be deleted when the judicial decision on which the alert was based has been revoked by the competent judicial authority in accordance with national law. They shall also be deleted upon the expiry of the alert in accordance with Article 53.

2. Alerts on missing persons or vulnerable persons who need to be prevented from travelling pursuant to Article 32 shall be deleted in accordance with the following rules:

(a)concerning missing children and children at risk of abduction, an alert shall be deleted upon:

(i)the resolution of the case, such as when the child has been located or repatriated or the competent authorities in the executing Member State have taken a decision on the care of the child;

(ii)the expiry of the alert in accordance with Article 53; or

(iii)a decision by the competent authority of the issuing Member State;

(b)concerning missing adults, where no protective measures are requested, an alert shall be deleted upon:

(i)the execution of the action to be taken, where their whereabouts are ascertained by the executing Member State;

(ii)the expiry of the alert in accordance with Article 53; or

(iii)a decision by the competent authority of the issuing Member State;

(c)concerning missing adults where protective measures are requested, an alert shall be deleted upon:

(i)the carrying out of the action to be taken, where the person is placed under protection;

(ii)the expiry of the alert in accordance with Article 53; or

(iii)a decision by the competent authority of the issuing Member State;

(d)concerning vulnerable persons who are of age who need to be prevented from travelling for their own protection and children who need to be prevented from travelling, an alert shall be deleted upon:

(i)the carrying out of the action to be taken such as the person's placement under protection;

(ii)the expiry of the alert in accordance with Article 53; or

(iii)a decision by the competent authority of the issuing Member State.

Without prejudice to the national law, where a person has been institutionalised following a decision by a competent authority an alert may be retained until that person has been repatriated.

3. Alerts on persons sought for a judicial procedure pursuant to Article 34 shall be deleted upon:

(a)the communication of the whereabouts of the person to the competent authority of the issuing Member State;

(b)the expiry of the alert in accordance with Article 53; or

(c)a decision by the competent authority of the issuing Member State.

Where the information in the communication referred to in point (a) cannot be acted upon, the SIRENE Bureau of the issuing Member State shall inform the SIRENE Bureau of the executing Member State in order to resolve the problem.

In the event of a hit where the address details were forwarded to the issuing Member State and a subsequent hit in the same executing Member State reveals the same address details, the hit shall be recorded in the executing Member State but neither the address details nor supplementary information shall be resent to the issuing Member State. In such cases the executing Member State shall inform the issuing Member State of the repeated hits and the issuing Member State shall carry out a comprehensive individual assessment of the need to retain the alert.

4. Alerts for discreet, inquiry and specific checks pursuant to Article 36, shall be deleted upon:

(a)the expiry of the alert in accordance with Article 53; or

(b)a decision to delete them by the competent authority of the issuing Member State.

5. Alerts on objects for seizure or use as evidence in criminal proceedings pursuant to Article 38, shall be deleted upon:

(a)the seizure of the object or equivalent measure once the necessary follow-up exchange of supplementary information has taken place between the SIRENE Bureaux concerned or the object becomes the subject of another judicial or administrative procedure;

(b)the expiry of the alert in accordance with Article 53; or

(c)a decision to delete them by the competent authority of the issuing Member State.

6. Alerts on unknown wanted persons pursuant to Article 40 shall be deleted upon:

(a)the identification of the person;

(b)the expiry of the alert in accordance with Article 53; or

(c)a decision to delete them by the competent authority of the issuing Member State.

7. Where it is linked to an alert on a person, an alert on an object entered in accordance with Articles 26, 32, 34 and 36 shall be deleted when the alert on the person is deleted in accordance with this Article.

CHAPTER XV - General data processing rules


Article 56

Processing of SIS data

1. The Member States shall only process the data referred to in Article 20 for the purposes laid down for each category of alert referred to in Articles 26, 32, 34, 36, 38 and 40.

2. Data shall only be copied for technical purposes, where such copying is necessary in order for the competent authorities referred to in Article 44 to carry out a direct search. This Regulation shall apply to those copies. A Member State shall not copy the alert data or additional data entered by another Member State from its N.SIS or from the CS-SIS into other national data files.

3. Technical copies referred to in paragraph 2 which result in offline databases may be retained for a period not exceeding 48 hours.

Member States shall keep an up-to-date inventory of those copies, make that inventory available to their supervisory authorities, and ensure that this Regulation, in particular Article 10, is applied in respect of those copies.

4. Access to data in SIS by national competent authorities referred to in Article 44 shall only be authorised within the limits of their competence and only to duly authorised staff.

5. With regard to the alerts laid down in Articles 26, 32, 34, 36, 38 and 40 of this Regulation, any processing of information in SIS for purposes other than those for which it was entered into SIS has to be linked with a specific case and justified by the need to prevent an imminent and serious threat to public policy and to public security, on serious grounds of national security or for the purposes of preventing a serious crime. Prior authorisation from the issuing Member State shall be obtained for this purpose.

6. Any use of SIS data which does not comply with paragraphs 1 to 5 of this Article shall be considered as misuse under the national law of each Member State and subject to penalties in accordance with Article 73.

7. Each Member State shall send to eu-LISA a list of its competent authorities which are authorised to search the data in SIS directly pursuant to this Regulation, as well as any changes to the list. The list shall specify, for each authority, which data it may search and for what purposes. eu-LISA shall ensure that the list is published in the Official Journal of the European Union annually. eu-LISA shall maintain a continuously updated list on its website containing changes sent by Member States between the annual publications.

8. Insofar as Union law does not lay down specific provisions, the law of each Member State shall apply to data in its N.SIS.

Article 57

SIS data and national files

1. Article 56(2) shall be without prejudice to the right of a Member State to keep in its national files SIS data in connection with which action has been taken on its territory. Such data shall be kept in national files for a maximum period of three years, except if specific provisions in national law provide for a longer retention period.

2. Article 56(2) shall be without prejudice to the right of a Member State to keep in its national files data contained in a particular alert entered in SIS by that Member State.

Article 58

Information in the case of non-execution of an alert

If a requested action cannot be performed, the Member State from which action is requested shall immediately inform the issuing Member State through the exchange of supplementary information.

Article 59

Quality of the data in SIS

1. An issuing Member State shall be responsible for ensuring that the data are accurate, up-to-date, and entered and stored in SIS lawfully.

2. Where an issuing Member State receives relevant additional or modified data as listed in Article 20(3), it shall complete or modify the alert without delay.

3. Only the issuing Member State shall be authorised to modify, add to, correct, update or delete data which it has entered into SIS.

4. Where a Member State other than the issuing Member State has relevant additional or modified data as listed in Article 20(3), it shall transmit them without delay, through the exchange of supplementary information, to the issuing Member State to enable the latter to complete or modify the alert. If the additional or modified data relate to persons they shall only be transmitted if the identity of the person is ascertained.

5. Where a Member State other than the issuing Member State has evidence suggesting that an item of data is factually incorrect or has been unlawfully stored, it shall, through the exchange of supplementary information, inform the issuing Member State as soon as possible and not later than two working days after that evidence has come to its attention. The issuing Member State shall check the information and, if necessary, correct or delete the item in question without delay.

6. Where the Member States are unable to reach an agreement within two months of the time when evidence first came to light as referred to in paragraph 5 of this Article, the Member State which did not enter the alert shall submit the matter to the supervisory authorities concerned and to the European Data Protection Supervisor for a decision, by means of cooperation in accordance with Article 71.

7. The Member States shall exchange supplementary information in cases where a person complains that he or she is not the intended subject of an alert. Where the outcome of the check shows that the intended subject of an alert is not the complainant, the complainant shall be informed of the measures laid down in Article 62 and of the right to redress under Article 68(1).

Article 60

Security incidents

1. Any event that has or may have an impact on the security of SIS or may cause damage or loss to SIS data or to the supplementary information shall be considered to be a security incident, especially where unlawful access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2. Security incidents shall be managed in a way as to ensure a quick, effective and proper response.

3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679 or to Article 30 of Directive (EU) 2016/680, Member States, Europol, Eurojust and the European Border and Coast Guard Agency shall notify the Commission, eu-LISA, the competent supervisory authority and the European Data Protection Supervisor without delay of security incidents. eu-LISA shall notify the Commission and the European Data Protection Supervisor without delay of any security incident concerning Central SIS.

4. Information regarding a security incident that has or may have an impact on the operation of SIS in a Member State or within eu-LISA, on the availability, integrity and confidentiality of the data entered or sent by other Member States or on supplementary information exchanged, shall be provided to all Member States without delay and reported in compliance with the incident management plan provided by eu-LISA.

5. The Member States and eu-LISA shall collaborate in the event of a security incident.

6. The Commission shall report serious incidents immediately to the European Parliament and to the Council. Those reports shall be classified as EU RESTRICTED/RESTREINT UE in accordance with applicable security rules.

7. Where a security incident is caused by the misuse of data, Member States, Europol, Eurojust and the European Border and Coast Guard Agency shall ensure that penalties are imposed in accordance with Article 73.

Article 61

Distinguishing between persons with similar characteristics

1. Where upon a new alert being entered it becomes apparent that there is already an alert in SIS on a person with the same description of identity, the SIRENE Bureau shall contact the issuing Member State through the exchange of supplementary information within 12 hours to cross-check whether the subjects of the two alerts are the same person.

2. Where the cross-check reveals that the subject of the new alert and the person subject to the alert already entered in SIS are indeed one and the same person, the SIRENE Bureau shall apply the procedure for entering multiple alerts referred to in Article 23.

3. Where the outcome of the cross-check is that there are in fact two different persons, the SIRENE Bureau shall approve the request for entering the second alert by adding the data necessary to avoid any misidentifications.

Article 62

Additional data for the purpose of dealing with misused identities

1. Where confusion may arise between the person intended to be the subject of an alert and a person whose identity has been misused, the issuing Member State shall, subject to the explicit consent of the person whose identity has been misused, add data relating to the latter to the alert in order to avoid the negative consequences of misidentification. Any person whose identity has been misused shall have the right to withdraw his or her consent regarding the processing of the added personal data.

2. Data relating to a person whose identity has been misused shall be used only for the following purposes:

(a)to allow the competent authority to distinguish the person whose identity has been misused from the person intended to be the subject of the alert; and

(b)to allow the person whose identity has been misused to prove his or her identity and to establish that his or her identity has been misused.

3. For the purpose of this Article, and subject to the explicit consent of the person whose identity has been misused for each data category, only the following personal data of the person whose identity has been misused may be entered and further processed in SIS:

(a)surnames;

(b)forenames;

(c)names at birth;

(d)previously used names and any aliases possibly entered separately;

(e)any specific objective and physical characteristic not subject to change;

(f)place of birth;

(g)date of birth;

(h)gender;

(i)photographs and facial images;

(j)fingerprints, palm prints or both;

(k)any nationalities held;

(l)the category of the person's identification documents;

(m)the country of issue of the person's identification documents;

(n)the number(s) of the person's identification documents;

(o)the date of issue of a person's identification documents;

(p)address of the person;

(q)person's father's name;

(r)person's mother's name.

4. The Commission shall adopt implementing acts to lay down and develop technical rules necessary for entering and further processing the data referred to in paragraph 3 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

5. The data referred to in paragraph 3 shall be deleted at the same time as the corresponding alert or earlier where the person so requests.

6. Only the authorities having a right of access to the corresponding alert may access the data referred to in paragraph 3. They may do so for the sole purpose of avoiding misidentification.

Article 63

Links between alerts

1. A Member State may create a link between alerts it enters in SIS. The effect of such a link shall be to establish a relationship between two or more alerts.

2. The creation of a link shall not affect the specific action to be taken on the basis of each linked alert or the review period of each of the linked alerts.

3. The creation of a link shall not affect the rights of access provided for in this Regulation. Authorities with no right of access to certain categories of alerts shall not be able to see the link to an alert to which they do not have access.

4. A Member State shall create a link between alerts when there is an operational need.

5. Where a Member State considers that the creation by another Member State of a link between alerts is incompatible with its national law or its international obligations, it may take the necessary measures to ensure that there can be no access to the link from its national territory or by its authorities located outside its territory.

6. The Commission shall adopt implementing acts to lay down and develop technical rules for linking alerts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 64

Purpose and retention period of supplementary information

1. Member States shall keep a reference to the decisions giving rise to an alert at the SIRENE Bureau in order to support the exchange of supplementary information.

2. Personal data held in files by the SIRENE Bureau as a result of information exchanged shall be kept only for such time as may be required to achieve the purposes for which they were supplied. They shall in any event be deleted at the latest one year after the related alert has been deleted from SIS.

3. Paragraph 2 shall be without prejudice to the right of a Member State to keep in national files data relating to a particular alert which that Member State has entered or to an alert in connection with which action has been taken on its territory. The period for which such data may be kept in those files shall be governed by national law.

Article 65

Transfer of personal data to third parties

Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation shall not be transferred or made available to third countries or to international organisations.

CHAPTER XVI - Data protection


Article 66

Applicable legislation

1. Regulation (EU) 2018/1725 shall apply to the processing of personal data by eu-LISA, by the European Border and Coast Guard Agency and by Eurojust under this Regulation. Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol under this Regulation.

2. Directive (EU) 2016/680 shall apply to the processing of personal data under this Regulation by the national competent authorities and services for the purposes of the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. Regulation (EU) 2016/679 shall apply to the processing of personal data under this Regulation by the national competent authorities and services with the exception of processing for the purposes of the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Article 67

Right of access, rectification of inaccurate data and erasure of unlawfully stored data

1. Data subjects shall be able to exercise the rights laid down in Articles 15, 16 and 17 of Regulation (EU) 2016/679 and in Article 14 and Article 16 (1) and (2) of Directive(EU) 2016/680.

2. A Member State other than the issuing Member State may provide to the data subject information concerning any of the data subject's personal data that are being processed only if it first gives the issuing Member State an opportunity to state its position. The communication between those Member States shall be done through the exchange of supplementary information.

3. A Member State shall take a decision not to provide information to the data subject, in whole or in part, in accordance with national law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned, in order to:

(a)avoid obstructing official or legal inquiries, investigations or procedures;

(b)avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)protect public security;

(d)protect national security; or

(e)protect the rights and freedoms of others.

In cases referred to in the first subparagraph, the Member State shall inform the data subject in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the data subject of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.

The Member State shall document the factual or legal reasons on which the decision not to provide information to the data subject is based. That information shall be made available to the supervisory authorities.

For such cases, the data subject shall also be able to exercise his or her rights through the competent supervisory authorities.

4. Following an application for access, rectification or erasure, the Member State shall inform the data subject as soon as possible and in any event within the deadlines referred to in Article 12(3) of Regulation (EU) 2016/679 about the follow-up given to the exercise of the rights under this Article.

Article 68

Remedies

1. Without prejudice to the provisions on remedies of Regulation (EU) 2016/679 and of Directive (EU) 2016/680, any person may bring an action before any competent authority, including a court, under the law of any Member State to access, rectify, erase, obtain information or obtain compensation in connection with an alert relating to him or her.

2. The Member States undertake mutually to enforce final decisions handed down by the courts or authorities referred to in paragraph 1 of this Article, without prejudice to Article 72.

3. Member States shall report annually to the European Data Protection Board on:

(a)the number of access requests submitted to the data controller and the number of cases where access to the data was granted;

(b)the number of access requests submitted to the supervisory authority and the number of cases where access to the data was granted;

(c)the number of requests for the rectification of inaccurate data and for the erasure of unlawfully stored data to the data controller and the number of cases where the data were rectified or erased;

(d)the number of requests for the rectification of inaccurate data and the erasure of unlawfully stored data submitted to the supervisory authority;

(e)the number of court proceedings initiated;

(f)the number of cases where the court ruled in favour of the applicant;

(g)any observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts entered by the issuing Member State.

A template for the reporting referred to in this paragraph shall be developed by the Commission.

4. The reports from the Member States shall be included in the joint report referred to in Article 71(4).

Article 69

Supervision of N.SIS

1. Member States shall ensure that the independent supervisory authorities designated in each Member State and endowed with the powers referred to in Chapter VI of Regulation (EU) 2016/679 or Chapter VI of Directive (EU) 2016/680 monitor the lawfulness of the processing of personal data in SIS on their territory, its transmission from their territory and the exchange and further processing of supplementary information on their territory.

2. The supervisory authorities shall ensure that an audit of the data processing operations in its N.SIS is carried out in accordance with international auditing standards at least every four years. The audit shall either be carried out by the supervisory authorities, or the supervisory authorities shall directly order the audit from an independent data protection auditor. The supervisory authorities shall at all times retain control over and undertake the responsibilities of the independent auditor.

3. Member States shall ensure that their supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation and have access to advice from persons with sufficient knowledge of biometric data.

Article 70

Supervision of eu-LISA

1. The European Data Protection Supervisor shall be responsible for monitoring the processing of personal data by eu-LISA and for ensuring that it is carried out in accordance with this Regulation. The tasks and powers referred to in Articles 57 and 58 of Regulation (EU) 2018/1725 shall apply accordingly.

2. The European Data Protection Supervisor shall carry out an audit of the processing of personal data by eu-LISA in accordance with international auditing standards at least every four years. A report on that audit shall be sent to the European Parliament, to the Council, to eu-LISA, to the Commission and to the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

Article 71

Cooperation between supervisory authorities and the European Data Protection Supervisor

1. The supervisory authorities and the European Data Protection Supervisor, each acting within the scope of their respective competences, shall actively cooperate within the framework of their responsibilities and shall ensure coordinated supervision of SIS.

2. The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties in the interpretation or application of this Regulation and other applicable Union legal acts, study problems that are revealed through the exercise of independent supervision or through the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3. For the purposes laid down in paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year as part of the European Data Protection Board. The costs and servicing of these meetings shall be borne by the European Data Protection Board. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4. A joint report of activities as regards coordinated supervision shall be sent annually by the European Data Protection Board to the European Parliament, to the Council, and to the Commission.

CHAPTER XVII - Liability and penalties


Article 72

Liability

1. Without prejudice to the right to compensation and to any liability under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:

(a)any person or Member State that has suffered material or non-material damage, as a result of an unlawful personal data processing operation through the use of N.SIS or any other act incompatible with this Regulation by a Member State, shall be entitled to receive compensation from that Member State; and

(b)any person or Member State that has suffered material or non-material damage as a result of any act by eu-LISA incompatible with this Regulation shall be entitled to receive compensation from eu-LISA.

A Member State or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

2. If any failure of a Member State to comply with its obligations under this Regulation causes damage to SIS, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in SIS failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of that Member State. Claims for compensation against eu-LISA for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.

Article 73

Penalties

Member States shall ensure that any misuse of SIS data or any processing of such data or any exchange of supplementary information contrary to this Regulation, is punishable in accordance with national law.

The penalties provided for shall be effective, proportionate and dissuasive.

CHAPTER XVIII - Final provisions


Article 74

Monitoring and statistics

1. eu-LISA shall ensure that procedures are in place to monitor the functioning of SIS against objectives relating to output, cost-effectiveness, security and quality of service.

2. For the purposes of technical maintenance, reporting, data quality reporting and statistics, eu-LISA shall have access to the necessary information relating to the processing operations performed in Central SIS.

3. eu-LISA shall produce daily, monthly and annual statistics showing the number of records per category of alerts, both for each Member State and in aggregate. eu-LISA shall also provide annual reports on the number of hits per category of alert, how many times SIS was searched and how many times SIS was accessed for the purpose of entering, updating or deleting an alert, both for each Member State and in aggregate. The statistics produced shall not contain any personal data. The annual statistical report shall be published.

4. Member States, Europol, Eurojust and the European Border and Coast Guard Agency shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 6, 8 and 9.

5. This information shall include separate statistics on the number of searches carried out by, or on behalf of, the services in the Member States responsible for issuing vehicle registration certificates and the services in the Member States responsible for issuing registration certificates or ensuring traffic management for boats, including boat engines; and aircraft, including aircraft engines; and firearms. The statistics shall also show the number of hits per category of alert.

6. eu-LISA shall provide the European Parliament, the Council, the Member States, the Commission, Europol, Eurojust, the European Border and Coast Guard Agency and the European Data Protection Supervisor with any statistical reports that it produces.

In order to monitor the implementation of Union legal acts, including for the purposes of Regulation (EU) No 1053/2013, the Commission may request that eu-LISA provide additional specific statistical reports, either on a regular or ad hoc basis, on the performance of SIS, the use of SIS and on the exchange of supplementary information.

The European Border and Coast Guard Agency may request that eu-LISA provide additional specific statistical reports for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 11 and 13 of Regulation (EU) 2016/1624, either on a regular or ad hoc basis.

7. For the purpose of Article 15(4) and of paragraphs 3, 4 and 6 of this Article, eu-LISA shall establish, implement and host a central repository in its technical sites containing the data referred to in Article 15(4) and in paragraph 3 of this Article which shall not allow for the identification of individuals and which shall allow the Commission and the agencies referred to in paragraph 6 of this Article to obtain bespoke reports and statistics. Upon request, eu-LISA shall give access to Member States and the Commission, as well as, Europol, Eurojust and the European Border and Coast Guard Agency, to the extent required for the performance of their tasks, to the central repository by means of secured access through the Communication Infrastructure. eu-LISA shall implement access controls and specific user profiles to ensure that the central repository is accessed solely for the purpose of reporting and statistics.

8. Two years after the date of application of this Regulation pursuant to the first subparagraph of Article 79(5) and every two years thereafter, eu-LISA shall submit to the European Parliament and to the Council a report on the technical functioning of Central SIS and of the Communication Infrastructure, including their security, on the AFIS and on the bilateral and multilateral exchange of supplementary information between Member States. This report shall also contain, once the technology is in use, an evaluation of the use of facial images to identify persons.

9. Three years after the date of application of this Regulation pursuant to the first subparagraph of Article 79(5) and every four years thereafter, the Commission shall carry out an overall evaluation of Central SIS and the bilateral and multilateral exchange of supplementary information between Member States. That overall evaluation shall include an examination of results achieved against objectives, and an assessment of the continuing validity of the underlying rationale, the application of this Regulation in respect of Central SIS, the security of Central SIS and any implications for future operations. The evaluation report shall also include an assessment of the AFIS and the SIS information campaigns carried out by the Commission in accordance with Article 19.

The Commission shall transmit the evaluation report to the European Parliament and to the Council.

10. The Commission shall adopt implementing acts to lay down detailed rules on the operation of the central repository referred to in paragraph 7 of this Article and the data protection and security rules applicable to that repository. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 75

Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 38(3) and Article 43(4) shall be conferred on the Commission for an indeterminate period of time from 27 December 2018.

3. The delegation of power referred to in Article 38(3) and Article 43(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6. A delegated act adopted pursuant to Article 38(3) or Article 43(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Article 76

Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 77

Amendments to Decision 2007/533/JHA

Decision 2007/533/JHA is amended as follows:

(1)Article 6 is replaced by the following:

‘Article 6

National Systems

1. Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS II and connecting it to NI-SIS.

2. Each Member State shall be responsible for ensuring the uninterrupted availability of SIS II data to end-users.’;

(2)Article 11 is replaced by the following:

‘Article 11

Confidentiality — Member States

1. Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS II data and supplementary information, in accordance with its national legislation. This obligation shall also apply after those people leave office or employment or after the termination of the activities of those bodies.

2. Where a Member State cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Decision, in particular on security, confidentiality and data protection.

3. The operational management of N.SIS II or of any technical copies shall not be entrusted to private companies or private organisations.’;

(3)Article 15 is amended as follows:

(a)the following paragraph is inserted:

‘3a.   The Management Authority shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard.

The Management Authority shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.’;

(b)paragraph 8 is replaced by the following:

‘8.   The operational management of Central SIS II shall consist of all the tasks necessary to keep Central SIS II functioning 24 hours a day, 7 days a week in accordance with this Decision, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS II and the N.SIS II that ensure that Central SIS II and the N.SIS II operate in accordance with the requirements for technical compliance set out in Article 9.’;

(4)in Article 17, the following paragraphs are added:

‘3.   Where the Management Authority cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Decision, in particular on security, confidentiality and data protection.

4. The operational management of CS-SIS shall not be entrusted to private companies or private organisations.’;

(5)in Article 21, the following paragraph is added:

‘Where a person or an object is sought under an alert related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS II. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.’;

(6)Article 22 is replaced by the following:

‘Article 22

Specific rules for entering, verification or search with photographs and fingerprints

1. Photographs and fingerprints shall only be entered following a special quality check to ascertain whether they fulfil minimum data quality standards. The specification of the special quality check shall be established in accordance with the procedure referred to in Article 67.

2. Where photographs and fingerprint data are available in an alert in SIS II, such photographs and fingerprint data shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS II.

3. Fingerprint data may be searched in all cases to identify a person. However, fingerprint data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS II shall contain an Automated Fingerprint Identification System (AFIS).

4. Fingerprint data in SIS II in relation to alerts entered in accordance with Articles 26, 32 and 36 may also be searched using complete or incomplete sets of fingerprints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.’;

(7)Article 41 is replaced by the following:

‘Article 41

Access to data in SIS II by Europol

1. The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the Council (*1), shall, where necessary to fulfil its mandate, have the right to access and search data in SIS II. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2. Where a search by Europol reveals the existence of an alert in SIS II, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3. Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4. Europol's use of information obtained from a search in SIS II or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5. Europol shall:

(a)without prejudice to paragraphs 4 and 6, not connect parts of SIS II nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS II;

(b)notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c)limit access to data in SIS II, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d)adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e)ensure that its staff who are authorised to process SIS II data receive appropriate training and information in accordance with Article 14; and

(f)without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS II and in the exchange and processing of supplementary information.

6. Europol shall only copy data from SIS II for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Decision shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS II data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS II data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS II into other Europol systems.

7. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS II.

8. Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9. Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

(*1)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).’;"

(8)the following Article is inserted:

‘Article 42a

Access to data in SIS II by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1. In accordance with Article 40(8) of Regulation (EU) 2016/1624 of the European Parliament and of the Council (*2), the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 40(1) of this Decision and have received the required training in accordance with Article 14 of this Decision, have the right to access and search data in SIS II insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS II shall not be extended to any other team members.

2. Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS II in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS II.

3. Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS II, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS II under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4. For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12.

5. The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6. Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7. Without prejudice to paragraph 2, no parts of SIS II shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS II to which those teams have access be transferred to such a system. No part of SIS II shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS II data.

8. The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS II. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council (*3).

(*2)  Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1)."

(*3)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).’."

Article 78

Repeal

Regulation (EC) No 1986/2006 and Decisions 2007/533/JHA and 2010/261/EU are repealed from the date of application of this Regulation as set out in the first subparagraph of Article 79(5).

References to the repealed Regulation (EC) No 1986/2006 and Decision 2007/533/JHA shall be construed as references to this Regulation and shall be read in accordance with the correlation tables in the Annex.

Article 79

Entry into force, start of operation and application

1. This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.

2. No later than 28 December 2021 the Commission shall adopt a decision setting the date on which SIS operations start pursuant to this Regulation, after verification that the following conditions have been met:

(a)the implementing acts necessary for the application of this Regulation have been adopted;

(b)Member States have notified the Commission that they have made the necessary technical and legal arrangements to process SIS data and exchange supplementary information pursuant to this Regulation; and

(c)eu-LISA has notified the Commission of the successful completion of all testing activities with regard to CS-SIS and to the interaction between CS-SIS and N.SIS.

3. The Commission shall closely monitor the process of gradual fulfilment of the conditions set out in paragraph 2 and shall inform the European Parliament and the Council about the outcome of the verification referred to in that paragraph.

4. By 28 December 2019 and every year thereafter until the decision of the Commission referred to in paragraph 2 has been taken, the Commission shall submit a report to the European Parliament and to the Council on the state of play of preparations for the full implementation of this Regulation. That report shall contain also detailed information about the costs incurred and information as to any risks which may impact the overall costs.

5. This Regulation shall apply from the date determined in accordance with paragraph 2.

By way of derogation from the first subparagraph:

(a)Article 4(4), Article 5, Article 8(4), Article 9(1) and (5), Article 12(8), Article 15(7), Article 19, Article 20(4) and (5), Article 26(6), Article 32(9), Article 34(3), Article 36(6), Article 38(3) and (4), Article 42(5), Article 43(4), Article 54(5), Article 62(4), Article 63(6), Article 74(7) and (10), Article 75, Article 76, points (1) to (5) of Article 77, and paragraphs 3 and 4 of this Article shall apply from the date of entry into force of this Regulation;

(b)points (7) and (8) of Article 77 shall apply from 28 December 2019;

(c)point 6 of Article 77 shall apply from 28 December 2020.

6. The Commission decision referred to in paragraph 2 shall be published in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.