Legal provisions of COM(2021)784 - Automated data exchange for police cooperation (“Prüm II”)

dossier COM(2021)784 - Automated data exchange for police cooperation (“Prüm II”).
document COM(2021)784 EN
date March 13, 2024

Contents

CHAPTER 1 - GENERAL PROVISIONS

Article 1 - Subject matter

This Regulation establishes a framework for the exchange of information between authorities responsible for the prevention, detection and investigation of criminal offences (Prüm II).

This Regulation lays down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data, facial images, police records and certain vehicle registration data and the rules regarding the exchange of core data following a match.

Article 2 - Purpose

The purpose of Prüm II shall be to step up cross-border cooperation in matters covered by Part III, Title V, Chapter 5 of the Treaty on the Functioning of the European Union, particularly the exchange of information between authorities responsible for the prevention, detection and investigation of criminal offences.

The purpose of Prüm II shall also be to allow for the search for missing persons and unidentified human remains by authorities responsible for the prevention, detection and investigation of criminal offences.

Article 3 - Scope

This Regulation applies to the national databases used for the automated transfer of the categories of DNA profiles, dactyloscopic data, facial images, police records and certain vehicle registration data.

Article 4 - Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘loci’ means the particular molecular structure at the various DNA locations;

(2) ‘DNA profile’ means a letter or number code which represents a set of identification characteristics of the non-coding part of an analysed human DNA sample, the particular molecular structure at the various DNA locations;

(3) ‘non-coding part of DNA’ means chromosome regions not genetically expressed, i.e. not known to provide for any functional properties of an organism;

(4) ‘DNA reference data’ means DNA profile and the reference number referred to in Article 9;

(5) ‘reference DNA profile’ means the DNA profile of an identified person;

(6) ‘unidentified DNA profile’ means the DNA profile obtained from traces collected during the investigation of criminal offences and belonging to a person not yet identified;

(7) ‘dactyloscopic data’ means fingerprint images, images of fingerprint latents, palm prints, palm print latents and templates of such images (coded minutiae), when they are stored and dealt with in an automated database;

(8) ‘dactyloscopic reference data’ means dactyloscopic data and the reference number referred to in Article 14;

(9) ‘individual case’ means a single investigation file; 

(10) ‘facial image’ means digital image of the face;

(11) ‘biometric data’ means DNA profiles, dactyloscopic data or facial images;

(12) ‘match’ means the existence of a correspondence as a result of an automated comparison between personal data recorded or being recorded in an information system or database;

(13) ‘candidate’ means data with which a match occurred;

(14) ‘requesting Member State’ means the Member State which is conducting a search through Prüm II;

(15) ‘requested Member State’ means the Member State in which databases the search is conducted through Prüm II by the requesting Member State;

(16) ‘police records’ means any information available in the national register or registers recording data of competent authorities, for the prevention, detection and investigation of criminal offences;

(17) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; 

(18) ‘Europol data’ means any personal data processed by Europol in accordance with Regulation (EU) 2016/794;

(19) ‘supervisory authority’ means an independent public authority established by a Member State pursuant to Article 41 of Directive (EU) 2016/680 of the European Parliament and of the Council;

(20) ‘SIENA’ means the secure information exchange network application, managed by Europol, aimed at facilitating the exchange of information between Member States and Europol; 

(21) ‘significant incident’ means any incident unless it has a limited impact and is likely to be already well understood in terms of method or technology;

(22) ‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incident;

(23) ‘significant vulnerability’ means a vulnerability that will likely lead to a significant incident if it is exploited;

(24) ‘incident’ means an incident within the meaning of Article 4(5) of Directive (EU) …/… of the European Parliament and of the Council [proposal NIS 2].

CHAPTER 2 - EXCHANGE OF DATA

SECTION 1 - DNA profiles


Article 5 - Establishment of national DNA analysis files

1. Member States shall open and keep national DNA analysis files for the investigation of criminal offences.

Processing of data kept in those files, under this Regulation, shall be carried out in accordance with this Regulation, in compliance with the national law of the Member States applicable to the processing of those data.

2. Member States shall ensure the availability of DNA reference data from their national DNA analysis files as referred to in paragraph 1.

DNA reference data shall not contain any data from which an individual can be directly identified.

DNA reference data which is not attributed to any individual (unidentified DNA profiles) shall be recognisable as such.

Article 6 - Automated searching of DNA profiles

1. Member States shall allow national contact points referred to in Article 29 and Europol access to the DNA reference data in their DNA analysis files, to conduct automated searches by comparing DNA profiles for the investigation of criminal offences.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. Should an automated search show that a supplied DNA profile matches DNA profiles entered in the requested Member State's searched file, the national contact point of the requesting Member State shall receive in an automated way the DNA reference data with which a match has been found.

If there is no match, the requesting Member State shall be notified about it in an automated manner.

3. The national contact point of the requesting Member State shall confirm a match of DNA profiles data with DNA reference data held by the requested Member State following the automated supply of the DNA reference data required for confirming a match.

Article 7 - Automated comparison of unidentified DNA profiles

1. Member States may, via their national contact points, compare the DNA profiles of their unidentified DNA profiles with all DNA profiles from other national DNA analysis files for the investigation of criminal offences. Profiles shall be supplied and compared in an automated manner.

2. Should a requested Member State, as a result of the comparison referred to in paragraph 1, find that any DNA profiles supplied match any of those in its DNA analysis files, it shall, without delay, supply the national contact point of the requesting Member State with the DNA reference data with which a match has been found.

3. The confirmation of a match of DNA profiles with DNA reference data held by the requested Member State shall be carried out by the national contact point of the requesting Member State following the automated supply of the DNA reference data required for confirming a match.

Article 8 - Reporting about DNA analysis files

Each Member State shall inform the Commission and eu-LISA of the national DNA analysis files, to which Articles 5 to 7 apply, in accordance with Article 73.

Article 9 - Reference numbers for DNA profiles

The reference numbers for DNA profiles shall be the combination of the following:

(a) a reference number allowing Member States, in case of a match, to retrieve further data and other information in their databases referred to in Article 5 in order to supply it to one, several or all of the other Member States in accordance with Articles 47 and 48;

(b) a code to indicate the Member State which holds the DNA profile;

(c) a code to indicate the type of DNA profile (reference DNA profiles or unidentified DNA profiles).

Article 10 - Principles of DNA reference data exchange

1. Appropriate measures shall be taken to ensure confidentiality and integrity for DNA reference data being sent to other Member States, including their encryption.

2. Member States shall take the necessary measures to guarantee the integrity of the DNA profiles made available or sent for comparison to the other Member States and to ensure that those measures comply with the relevant international standards for DNA data exchange.

3. The Commission shall adopt implementing acts to specify the relevant international standards that are to be used by Member States for DNA reference data exchange. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 11 - Rules for requests and answers regarding DNA profiles

1. A request for an automated search or comparison shall include only the following information:

(a) the code of the requesting Member State;

(b) the date, time and indication number of the request;

(c) DNA profiles and their reference numbers referred to in Article 9;

(d) the types of DNA profiles transmitted (unidentified DNA profiles or reference DNA profiles).

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a) an indication as to whether there were one or more matches or no matches;

(b) the date, time and indication number of the request;

(c) the date, time and indication number of the answer;

(d) the codes of the requesting and requested Member States;

(e) the reference numbers of the DNA profiles from the requesting and requested Member States;

(f) the type of DNA profiles transmitted (unidentified DNA profiles or reference DNA profiles);

(g) the matching DNA profiles.

3. Automated notification of a match shall only be provided if the automated search or comparison has resulted in a match of a minimum number of loci. The Commission shall adopt implementing acts to specify this minimum number of loci, in accordance with the procedure referred to in Article 76(2).

4. Where a search or comparison with unidentified DNA profiles results in a match, each requested Member State with matching data may insert a marking in its national database indicating that there has been a match for that DNA profile following another Member State's search or comparison.

5. Member States shall ensure that requests are consistent with declarations sent pursuant to Article 8. Those declarations shall be reproduced in the practical handbook referred to in Article 78.

SECTION 2 - Dactyloscopic data


Article 12 - Dactyloscopic reference data

1. Member States shall ensure the availability of dactyloscopic reference data from the file for the national automated fingerprint identification systems established for the prevention, detection and investigation of criminal offences.

2. Dactyloscopic reference data shall not contain any data from which an individual can be directly identified.

3. Dactyloscopic reference data which is not attributed to any individual (unidentified dactyloscopic data) shall be recognisable as such.

Article 13 - Automated searching of dactyloscopic data

1. For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to the dactyloscopic reference data in the automated fingerprint identification systems which they have established for that purpose, to conduct automated searches by comparing dactyloscopic reference data.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. The national contact point of the requesting Member State shall confirm a match of dactyloscopic data with dactyloscopic reference data held by the requested Member State following the automated supply of the dactyloscopic reference data required for confirming a match.

Article 14 - Reference numbers for dactyloscopic data

The reference numbers for dactyloscopic data shall be the combination of the following:

(a) a reference number allowing Member States, in the case of a match, to retrieve further data and other information in their databases referred to in Article 12 in order to supply it to one, several or all of the other Member States in accordance with Articles 47 and 48;

(b) a code to indicate the Member State which holds the dactyloscopic data.

Article 15 - Principles for the exchange of dactyloscopic data

1. The digitalisation of dactyloscopic data and their transmission to the other Member States shall be carried out in accordance with a uniform data format. The Commission shall adopt implementing acts to specify the uniform data format in accordance with the procedure referred to in Article 76(2).

2. Each Member State shall ensure that the dactyloscopic data it transmits are of sufficient quality for a comparison by the automated fingerprint identification systems.

3. Member States shall take appropriate measures to ensure the confidentiality and integrity of dactyloscopic data being sent to other Member States, including their encryption.

4. The Commission shall adopt implementing acts to specify the relevant existing standards for dactyloscopic data exchange that are to be used by Member States. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 16 - Search capacities for dactyloscopic data

1. Each Member State shall ensure that its search requests do not exceed the search capacities specified by the requested Member State.

Member States shall inform the Commission and eu-LISA in accordance with Article 79(8) and (10) about their maximum search capacities per day for dactyloscopic data of identified persons and for dactyloscopic data of persons not yet identified.

2. The Commission shall adopt implementing acts to specify the maximum numbers of candidates accepted for comparison per transmission in accordance with the procedure referred to in Article 76(2).

Article 17 - Rules for requests and answers regarding dactyloscopic data

1. A request for an automated search shall include only the following information:

(a) the code of the requesting Member State;

(b) the date, time and indication number of the request;

(c) the dactyloscopic data and their reference numbers referred to in Article 14.

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a) an indication as to whether there were one or more matches or no matches;

(b) the date, time and indication number of the request;

(c) the date, time and indication number of the answer;

(d) the codes of the requesting and requested Member States;

(e) the reference numbers of the dactyloscopic data from the requesting and requested Member States;

(f) the matching dactyloscopic data.

SECTION 3 - Vehicle registration data


Article 18 - Automated searching of vehicle registration data

1. For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to the following national vehicle registration data, to conduct automated searches in individual cases:

(a) data relating to owners or operators;

(b) data relating to vehicles.

2. Searches may be conducted only with a full chassis number or a full registration number.

3. Searches may be conducted only in compliance with the national law of the requesting Member State.

Article 19 - Principles of automated searching of vehicle registration data

1. For automated searching of vehicle registration data Member States shall use the European Vehicle and Driving Licence Information System (Eucaris).

2. The information exchanged via Eucaris shall be transmitted in encrypted form.

3. The Commission shall adopt implementing acts to specify the data elements of the vehicle registration data to be exchanged. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 20 - Keeping of logs

1. Each Member State shall keep logs of queries that the staff of its authorities duly authorised to exchange vehicle registration data make as well as logs of queries requested by other Member States. Europol shall keep logs of queries that its duly authorised staff make.

Each Member State and Europol shall keep logs of all data processing operations concerning vehicle registration data. Those logs shall include the following:

(a) the Member State or Union agency launching the request for a query;

(b) the date and time of the request;

(c) the date and time of the answer;

(d) the national databases to which a request for a query was sent;

(e) the national databases that provided a positive answer.

2. The logs referred to in paragraph 1 may be used only for the collection of statistics and data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

3. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 56.

SECTION 4 - Facial images


Article 21 - Facial images

1. Member States shall ensure the availability of facial images from their national databases established for the prevention, detection and investigation of criminal offences. Those data shall only include facial images and the reference number referred to in Article 23, and shall indicate whether the facial images are attributed to an individual or not.

Member States shall not make available in this context any data from which an individual can be directly identified.

2. Facial images which are not attributed to any individual (unidentified facial images) must be recognisable as such.

Article 22 - Automated searching of facial images

1. For the prevention, detection and investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to facial images stored in their national databases, to conduct automated searches.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. The requesting Member State shall receive a list composed of matches concerning likely candidates. That Member State shall review the list to determine the existence of a confirmed match.

3. A minimum quality standard shall be established to allow for search and comparison of facial images. The Commission shall adopt implementing acts to specify that minimum quality standard. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 23 - Reference numbers for facial images

The reference numbers for facial images shall be the combination of the following:

(a) a reference number allowing Member States, in case of a match, to retrieve further data and other information in their databases referred to in Article 21 in order to supply it to one, several or all of the other Member States in accordance with Articles 47 and 48;

(b) a code to indicate the Member State which holds the facial images.

Article 24 - Rules for requests and answers regarding facial images

1. A request for an automated search shall include only the following information:

(a) the code of the requesting Member State;

(b) the date, time and indication number of the request;

(c) the facial images and their reference numbers referred to in Article 23.

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a) an indication as to whether there were one or more matches or no matches;

(b) the date, time and indication number of the request;

(c) the date, time and indication number of the answer;

(d) the codes of the requesting and requested Member States;

(e) the reference numbers of the facial images from the requesting and requested Member States;

(f) the matching facial images.

SECTION 5 - Police records


Article 25 - Police records

1. Member States may decide to participate in the automated exchange of police records. Member States participating in the automated exchange of police records shall ensure the availability of biographical data of suspects and criminals from their national police records indexes established for the investigation of criminal offences. This set of data, if available, shall contain the following data:

(a) first name(s);

(b) family name(s);

(c) alias(es);

(d) date of birth;

(e) nationality or nationalities;

(f) place and country of birth;

(g) gender.

2. The data referred to in paragraph 1, points (a), (b), (c), (e) and (f) shall be pseudonymised.

Article 26 - Automated searching of police records

1. For the investigation of criminal offences, Member States shall allow national contact points of other Member States and Europol access to data from their national police records indexes, to conduct automated searches.

Searches may be conducted only in individual cases and in compliance with the national law of the requesting Member State.

2. The requesting Member State shall receive the list of matches with an indication of the quality of the matches.

The requesting Member State shall also be informed about the Member State whose database contains data that resulted in the match.

Article 27 - Reference numbers for police records

The reference numbers for police records shall be the combination of the following:

(a) a reference number allowing Member States, in the case of a match, to retrieve personal data and other information in their indexes referred to in Article 25 in order to supply it to one, several or all of the Member States in accordance with Articles 47 and 48;

(b) a code to indicate the Member State which holds the police records.

Article 28 - Rules for requests and answers regarding police records

1. A request for an automated search shall include only the following information:

(a) the code of the requesting Member State;

(b) the date, time and indication number of the request;

(c) the police records and their reference numbers referred to in Article 27.

2. The answer to the request referred to in paragraph 1 shall contain only the following information:

(a) an indication as to whether there were one or more matches or no matches;

(b) the date, time and indication number of the request;

(c) the date, time and indication number of the answer;

(d) the codes of the requesting and requested Member States;

(e) the reference numbers of the police records from the requested Member States.

SECTION 6 - Common provisions


Article 29 - National contact points

Each Member State shall designate a national contact point.

The national contact points shall be responsible for supplying the data referred to in Articles 6, 7, 13, 18, 22 and 26.

Article 30 - Implementing measures

The Commission shall adopt implementing acts to specify the technical arrangements for the procedures set out in Articles 6, 7, 13, 18, 22 and 26. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 31 - Technical specifications

Member States and Europol shall observe common technical specifications in connection with all requests and answers related to searches and comparisons of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records. The Commission shall adopt implementing acts to specify these technical specifications in accordance with the procedure referred to in Article 76(2).

Article 32 - Availability of automated data exchange at national level

1. Member States shall take all necessary measures to ensure that automated searching or comparison of DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records is possible 24 hours a day and seven days a week.

2. National contact points shall immediately inform each other, the Commission, Europol and eu-LISA of the technical fault causing unavailability of the automated data exchange.

National contact points shall agree on temporary alternative information exchange arrangements in accordance with the applicable Union law and national legislation.

3. National contact points shall re-establish the automated data exchange without delay.

Article 33 - Justification for the processing of data

1. Each Member State shall keep a justification of the queries that its competent authorities make.

Europol shall keep a justification of the queries it makes.

2. The justification referred to in paragraph 1 shall include:

(a) the purpose of the query, including a reference to the specific case or investigation;

(b) an indication on whether the query concerns a suspect or a perpetrator of a criminal offence;

(c) an indication on whether the query aims to identify an unknown person or obtain more data on a known person.

3. The justifications referred to in paragraph 2 shall only be used for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those justifications shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the justification.

4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to those justifications for self-monitoring as referred to in Article 56.

Article 34 - Use of the universal message format

1. The universal message format (UMF) standard shall be used in the development of the router referred to in Article 35 and EPRIS.

2. Any automated exchange of data in accordance with this Regulation shall use the UMF standard.

CHAPTER 3 - ARCHITECTURE

SECTION 1 - Router


Article 35 - The router

1. A router is established for the purposes of facilitating the establishment of connections between Member States and with Europol for querying with, retrieving and scoring biometric data in accordance with this Regulation.

2. The router shall be composed of:

(a) a central infrastructure, including a search tool enabling the simultaneous querying of Member States’ databases referred to in Articles 5, 12 and 21 as well as of Europol data;

(b) a secure communication channel between the central infrastructure, Member States and Union agencies that are entitled to use the router;

(c) a secure communication infrastructure between the central infrastructure and the European Search Portal for the purposes of Article 39.

Article 36 - Use of the router

The use of the router shall be reserved to the Member States’ authorities that have access to the exchange of DNA profiles, dactyloscopic data and facial images, and Europol in accordance with this Regulation and Regulation (EU) 2016/794.

Article 37 - Queries

1. The router users referred to in Article 36 shall request a query by submitting biometric data to the router. The router shall dispatch the request for a query to the Member States’ databases and Europol data simultaneously with the data submitted by the user and in accordance with their access rights.

2. On receiving the request for a query from the router, each requested Member State and Europol shall launch a query of their databases in an automated manner and without delay.

3. Any matches resulting from the query in each Member States’ databases and Europol data shall be sent back in an automated manner to the router.

4. The router shall rank the replies in accordance with the score of the correspondence between the biometric data used for querying and the biometric data stored in the Member States’ databases and Europol data.

5. The list of matching biometric data and their scores shall be returned to the router user by the router.

6. The Commission shall adopt implementing acts to specify the technical procedure for the router to query Member States’ databases and Europol data, the format of the router replies and the technical rules for scoring the correspondence between biometric data. These implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 38 - Quality check

The requested Member State shall check the quality of the transmitted data by means of a fully automated procedure.

Should the data be unsuitable for an automated comparison, the requested Member State shall inform the requesting Member State about it via the router without delay.

Article 39 - Interoperability between the router and the Common Identity Repository for the purposes of law enforcement access

1. The router users referred to in Article 36 may launch a query to Member States’ databases and Europol data simultaneously with a query to the Common Identity Repository where the relevant conditions under Union law are fulfilled and in accordance with their access rights. For this purpose, the router shall query the Common Identity Repository via the European Search Portal.

2. Queries to the Common Identity Repository for law enforcement purposes shall be carried out in accordance with Article 22 of Regulation (EU) 2019/817 and Article 22 of Regulation (EU) 2019/818. Any result from the queries shall be transmitted via the European Search Portal.

Only designated authorities defined in Article 4, point 20, of Regulation (EU) 2019/817 and Article 4, point 20, of Regulation (EU) 2019/818 may launch these simultaneous queries.

Simultaneous queries of the Member States’ databases and Europol data and the Common Identity Repository may only be launched in cases where it is likely that data on a suspect, perpetrator or victim of a terrorist offence or other serious criminal offences as defined respectively in Article 4, points 21 and 22, of Regulation (EU) 2019/817 and Article 4, points 21 and 22, of Regulation (EU) 2019/818 are stored in the Common Identity Repository.

Article 40 - Keeping of logs

1. eu-LISA shall keep logs of all data processing operations in the router. Those logs shall include the following:

(a) the Member State or Union agency launching the request for a query;

(b) the date and time of the request;

(c) the date and time of the answer;

(d) the national databases or Europol data to which a request for a query was sent;

(e) the national databases or Europol data that provided an answer;

(f) where applicable, the fact that there was a simultaneous query to the Common Identity Repository.

2. Each Member State shall keep logs of queries that its competent authorities and the staff of those authorities duly authorised to use the router make as well as logs of queries requested by other Member States.

Europol shall keep logs of queries that its duly authorised staff make.

3. The logs referred to in paragraphs 1 and 2 may be used only for the collection of statistics and data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 56.

Article 41 - Notification procedures in case of technical impossibility to use the router

1. Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the router, the router users shall be notified in an automated manner by eu-LISA. eu-LISA shall take measures to address the technical impossibility to use the router without delay.

2. Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the national infrastructure in a Member State, that Member State shall notify the other Member States, eu-LISA and the Commission in an automated manner. Member States shall take measures to address the technical impossibility to use the router without delay.

3. Where it is technically impossible to use the router to query one or several national databases or Europol data because of a failure of the infrastructure of Europol, Europol shall notify the Member States, eu-LISA and the Commission in an automated manner. Europol shall take measures to address the technical impossibility to use the router without delay.

SECTION 2 - EPRIS


Article 42 - EPRIS

1. For the automated searching of police records referred to in Article 26, Member States and Europol shall use the European Police Records Index System (EPRIS).

2. EPRIS shall be composed of:

(a) a central infrastructure, including a search tool enabling the simultaneous querying of Member States’ databases;

(b) a secure communication channel between the EPRIS central infrastructure, Member States and Europol.

Article 43 - Use of EPRIS

1. For the purposes of searching police records via EPRIS, the following sets of data shall be used:

(a) first name(s);

(b) family name(s);

(c) date of birth.

2. Where available, the following sets of data may also be used:

(a) alias(es);

(b) nationality or nationalities;

(c) place and country of birth;

(d) gender.

3. The data referred to in points (a) and (b) of paragraph 1 and in points (a), (b) and (c) of paragraph 2 used for queries shall be pseudonymised.

Article 44 - Queries

1. Member States and Europol shall request a query by submitting the data referred to in Article 43.

EPRIS shall dispatch the request for a query to the Member States’ databases with the data submitted by the requesting Member State and in accordance with this Regulation.

2. On receiving the request for a query from EPRIS, each requested Member State shall launch a query of their national police records index in an automated manner and without delay.

3. Any matches resulting from the query in each Member State’s database shall be sent back in an automated manner to EPRIS.

4. The list of matches shall be returned to the requesting Member State by EPRIS. The list of matches shall indicate the quality of the match as well as the Member State whose database contains data that resulted in the match.

5. Upon reception of the list of matches, the requesting Member State shall decide the matches for which a follow-up is necessary and send a reasoned follow-up request containing any additional relevant information to the requested Member State(s) via SIENA.

6. The requested Member State(s) shall process such requests without delay to decide whether to share the data stored in their database.

Upon confirmation, the requested Member State(s) shall share the data referred to in Article 43 where available. This exchange of information shall take place via SIENA.

7. The Commission shall adopt implementing acts to specify the technical procedure for EPRIS to query Member States’ databases and the format of the replies. These implementing acts shall be adopted in accordance with the procedure referred to in Article 76(2).

Article 45 - Keeping of logs

1. Europol shall keep logs of all data processing operations in EPRIS. Those logs shall include the following:

(a) the Member State or Union agency launching the request for a query;

(b) the date and time of the request;

(c) the date and time of the answer;

(d) the national databases to which a request for a query was sent;

(e) the national databases that provided an answer.

2. Each Member State shall keep logs of the requests for queries that its competent authorities and the staff of those authorities duly authorised to use EPRIS make. Europol shall keep logs of requests for queries that its duly authorised staff make.

3. The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity.

Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation.

If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.

4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs for self-monitoring as referred to in Article 56.

Article 46 - Notification procedures in case of technical impossibility to use EPRIS

1. Where it is technically impossible to use EPRIS to query one or several national databases because of a failure of the infrastructure of Europol, Member States shall be notified in an automated manner by Europol. Europol shall take measures to address the technical impossibility to use EPRIS without delay.

2. Where it is technically impossible to use EPRIS to query one or several national databases because of a failure of the national infrastructure in a Member State, that Member State shall notify Europol and the Commission in an automated manner. Member States shall take measures to address the technical impossibility to use EPRIS without delay.

CHAPTER 4 - EXCHANGE OF DATA FOLLOWING A MATCH

Article 47 - Exchange of core data

Where the procedures referred to in Articles 6, 7, 13 or 22 show a match between the data used for the search or comparison and data held in the database of the requested Member State(s), and upon confirmation of this match by the requesting Member State, the requested Member State shall return a set of core data via the router within 24 hours. That set of core data, if available, shall contain the following data:

(a) first name(s);

(b) family name(s);

(c) date of birth;

(d) nationality or nationalities;

(e) place and country of birth;

(f) gender.

Article 48 - Use of SIENA

Any exchange which is not explicitly provided for in this Regulation between Member States’ competent authorities or with Europol, at any stage of one of the procedures under this Regulation, shall take place via SIENA.

CHAPTER 5 - EUROPOL

Article 49 - Access by Member States to third country-sourced biometric data stored by Europol

1. Member States shall, in accordance with Regulation (EU) 2016/794, have access to, and be able to search via the router, biometric data which has been provided to Europol by third countries for the purposes of Article 18(2), points (a), (b) and (c), of Regulation (EU) 2016/794.

2. Where this procedure results in a match between the data used for the search and Europol data, the follow-up shall take place in accordance with Regulation (EU) 2016/794.

Article 50 - Access by Europol to data stored in Member States’ databases

1. Europol shall, in accordance with Regulation (EU) 2016/794, have access to data, which are stored by Member States in their national databases in accordance with this Regulation.

2. Europol queries performed with biometric data as a search criterion shall be carried out using the router.

3. Europol queries performed with vehicle registration data as a search criterion shall be carried out using Eucaris.

4. Europol queries performed with police records as a search criterion shall be carried out using EPRIS.

5. Europol shall carry out the searches in accordance with paragraph 1 only when carrying out its tasks referred to in Regulation (EU) 2016/794.

6. Where the procedures referred to in Articles 6, 7, 13 or 22 show a match between the data used for the search or comparison and data held in the national database of the requested Member State(s), and upon confirmation of that match by Europol, the requested Member State shall decide whether to return a set of core data via the router within 24 hours. That set of core data, if available, shall contain the following data:

(a) first name(s);

(b) family name(s);

(c) date of birth;

(d) nationality or nationalities;

(e) place and country of birth;

(f) gender.

7. Europol's use of information obtained from a search made in accordance with paragraph 1 and from the exchange of core data in accordance with paragraph 6 shall be subject to the consent of the Member State in whose database the match occurred. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794.

CHAPTER 6 - DATA PROTECTION

Article 51 - Purpose of the data

1. Processing of personal data by the requesting Member State or Europol shall be permitted solely for the purposes for which the data have been supplied by the requested Member State in accordance with this Regulation. Processing for other purposes shall be permitted solely with the prior authorisation of the requested Member State.

2. Processing of data supplied pursuant to Articles 6, 7, 13, 18 or 22 by the searching or comparing Member State shall be permitted solely in order to:

(a) establish whether the compared DNA profiles, dactyloscopic data, vehicle registration data, facial images and police records match;

(b) prepare and submit a police request for legal assistance if those data match;

(c) logging within the meaning of Articles 40 and 45.

3. The requesting Member State may process the data supplied to it in accordance with Articles 6, 7, 13 or 22 solely where this is necessary for the purposes of this Regulation. The supplied data shall be deleted immediately following data comparison or automated replies to searches unless further processing is necessary by the requesting Member State for the purposes of the prevention, detection and investigation of criminal offences.

4. Data supplied in accordance with Article 18 may be used by the requesting Member State solely where this is necessary for the purposes of this Regulation. The data supplied shall be deleted immediately following automated replies to searches unless further processing is necessary for recording pursuant to Article 20. The requesting Member State shall use the data received in a reply solely for the procedure for which the search was made.

Article 52 - Accuracy, relevance and data retention

1. Member States shall ensure the accuracy and current relevance of personal data. Should a requested Member State become aware that incorrect data or data which should not have been supplied have been supplied, this shall be notified without delay to any requesting Member State. All requesting Member States concerned shall be obliged to correct or delete the data accordingly. Moreover, personal data supplied shall be corrected if they are found to be incorrect. If the requesting Member State has reason to believe that the supplied data are incorrect or should be deleted, the requested Member State shall be informed.

2. Where a data subject contested the accuracy of data in possession of a Member State, where the accuracy cannot be reliably established by the Member State concerned and where it is requested by the data subject, the data concerned shall be marked with a flag. Where such a flag exists, Member States may remove it only with the permission of the data subject or based on a decision of the competent court or independent data protection authority.

3. Data supplied which should not have been supplied or received shall be deleted. Data which are lawfully supplied and received shall be deleted:

(a) where they are not or no longer necessary for the purpose for which they were supplied;

(b) following the expiry of the maximum period for keeping data laid down under the national law of the requested Member State where the requested Member State informed the requesting Member State of that maximum period at the time of supplying the data.

Where there is reason to believe that the deletion of data would prejudice the interests of the data subject, the data shall be blocked instead of being deleted. Blocked data may be supplied or used solely for the purpose which prevented their deletion.

Article 53 - Data processor

1. eu-LISA shall be the processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of personal data via the router.

2. Europol shall be the processor for the processing of personal data via EPRIS.

Article 54 - Security of processing

1. Europol, eu-LISA and Member States’ authorities shall ensure the security of the processing of personal data that takes place pursuant to this Regulation. Europol, eu-LISA and Member States’ authorities shall cooperate on security-related tasks.

2. Without prejudice to Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/794, eu-LISA and Europol shall take the necessary measures to ensure the security of the router and EPRIS respectively as well as their related communication infrastructure.

3. In particular, eu-LISA and Europol shall adopt the necessary measures concerning the router and EPRIS respectively, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b) deny unauthorised persons access to data-processing equipment and installations;

(c) prevent the unauthorised reading, copying, modification or removal of data media;

(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;

(e) prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;

(f) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;

(g) ensure that persons authorised to access the router and EPRIS have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

(h) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

(i) ensure that it is possible to verify and establish what data have been processed in the router and EPRIS, when, by whom and for what purpose;

(j) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the router and EPRIS or during the transport of data media, in particular by means of appropriate encryption techniques;

(k) ensure that, in the event of interruption, installed systems can be restored to normal operation;

(l) ensure reliability by making sure that any faults in the functioning of the router and EPRIS are properly reported;

(m) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.

Article 55 - Security incidents

1. Any event that has or may have an impact on the security of the router or EPRIS and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2. Security incidents shall be managed so as to ensure a quick, effective and proper response.

3. Member States shall notify their competent supervisory authorities of any security incidents without undue delay.

Without prejudice to Article 34 of Regulation (EU) 2016/794, Europol shall notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them. Actionable and appropriate technical details of cyber threats, vulnerabilities and incidents that enable proactive detection, incident response or mitigating measures shall be disclosed to CERT-EU without undue delay.

In the event of a security incident in relation to the central infrastructure of the router, eu-LISA shall notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them. Actionable and appropriate technical details of cyber threats, vulnerabilities and incidents that enable proactive detection, incident response or mitigating measures shall be disclosed to CERT-EU without undue delay.

4. Information regarding a security incident that has or may have an impact on the operation of the router or on the availability, integrity and confidentiality of the data shall be provided by the Member States and Union agencies concerned to the Member States and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.

5. Information regarding a security incident that has or may have an impact on the operation of EPRIS or on the availability, integrity and confidentiality of the data shall be provided by the Member States and Union agencies concerned to the Member States without delay and reported in compliance with the incident management plan to be provided by Europol.

Article 56 - Self-monitoring

1. Member States and the relevant Union agencies shall ensure that each authority entitled to use Prüm II takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.

2. The data controllers shall take the necessary measures to monitor the compliance of data processing pursuant to this Regulation, including through frequent verification of the logs referred to in Articles 40 and 45, and cooperate, where necessary, with the supervisory authorities and with the European Data Protection Supervisor.

Article 57 - Penalties

Member States shall ensure that any misuse of data, processing of data or exchange of data contrary to this Regulation is punishable in accordance with national law. The penalties provided shall be effective, proportionate and dissuasive.

Article 58 - Burden of proof

1. Member States shall take the necessary measures to ensure that persons who consider themselves as having been discriminated against due to the processing or exchange of their personal data do not bear the burden of proof. In cases where a person considers that he or she has been allegedly discriminated against in the context of an automated comparison in the context of this Regulation in front of a court or other competent judicial authority, the Member State authorities having processed the data shall justify why there was no discrimination.

2. Paragraph 1 shall not apply to criminal procedures.

3. Member States shall not take specific measures in the meaning of paragraph 1 to proceedings in which it is for the court or competent judicial body to investigate the facts of the case.

Article 59 - Liability

If any failure of a Member State to comply with its obligations under this Regulation causes damage to the router or EPRIS, that Member State shall be liable for such damage, unless and insofar as eu-LISA, Europol or another Member State bound by this Regulation failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

Article 60 - Audits by the European Data Protection Supervisor

1. The European Data Protection Supervisor shall ensure that an audit of personal data processing operations by eu-LISA and Europol for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to the Union agency concerned. Europol and eu-LISA shall be given an opportunity to make comments before the reports are adopted.

2. eu-LISA and Europol shall supply information requested by the European Data Protection Supervisor to it, grant the European Data Protection Supervisor access to all the documents it requests and to their logs referred to in Articles 40 and 45 and allow the European Data Protection Supervisor access to all their premises at any time.

Article 61 - Cooperation between supervisory authorities and the European Data Protection Supervisor

1. The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities and ensure coordinated supervision of the application of this Regulation, in particular if the European Data Protection Supervisor or a supervisory authority finds major discrepancies between practices of Member States or finds potentially unlawful transfers using the Prüm II communication channels.

2. In the cases referred to in paragraph 1 of this Article, coordinated supervision shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

3. The European Data Protection Board shall send a joint report of its activities under this Article to the European Parliament, to the Council, to the Commission, to Europol and to eu-LISA by [2 years after entry into operation of the router and EPRIS] and every two years thereafter. That report shall include a chapter on each Member State prepared by the supervisory authority of the Member State concerned.

Article 62 - Communication of personal data to third countries and international organisations

Data processed in accordance with this Regulation shall not be transferred or made available to third countries or to international organisations in an automated manner.

CHAPTER 7 - RESPONSIBILITIES

Article 63 - Responsibilities of Member States

1. Each Member State shall be responsible for:

(a) the connection to the infrastructure of the router;

(b) the integration of the existing national systems and infrastructures with the router;

(c) the organisation, management, operation and maintenance of its existing national infrastructure and of its connection to the router;

(d) the connection to the infrastructure of EPRIS;

(e) the integration of the existing national systems and infrastructures with EPRIS;

(f) the organisation, management, operation and maintenance of its existing national infrastructure and of its connection to EPRIS;

(g) the management of, and arrangements for, access by the duly authorised staff of the competent national authorities to the router in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;

(h) the management of, and arrangements for, access by the duly authorised staff of the competent national authorities to EPRIS in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;

(i) the management of, and arrangements for, access by the duly authorised staff of the competent national authorities to Eucaris in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;

(j) the manual confirmation of a match as referred to in Article 6(3), Article 7(3), Article 13(2), Article 22(2) and Article 26(2);

(k) ensuring the availability of the data necessary for the exchange of data in accordance with Article 6, Article 7, Article 13, Article 18, Article 22 and Article 26;

(l) the exchange of information in accordance with Article 6, Article 7, Article 13, Article 18, Article 22 and Article 26;

(m) deleting any data received from a requested Member State within 48 hours following the notification from the requested Member State that the personal data submitted was incorrect, no longer up-to-date or was unlawfully transmitted;

(n) compliance with the data quality requirements established in this Regulation.

2. Each Member State shall be responsible for connecting their competent national authorities to the router, EPRIS and Eucaris.

Article 64 - Responsibilities of Europol

1. Europol shall be responsible for the management of, and arrangements for the access by its duly authorised staff to the router, EPRIS and Eucaris in accordance with this Regulation.

2. Europol shall also be responsible for the processing of the queries of Europol data by the router. Europol shall adapt its information systems accordingly.

3. Europol shall be responsible for any technical adaptations in Europol infrastructure required for establishing the connection to the router and to Eucaris.

4. Europol shall be responsible for the development of EPRIS in cooperation with the Member States. EPRIS shall provide the functionalities laid down in Articles 42 to 46.

Europol shall provide the technical management of EPRIS. Technical management of EPRIS shall consist of all the tasks and technical solutions necessary to keep the EPRIS central infrastructure functioning and providing uninterrupted services to Member States 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that EPRIS functions are at a satisfactory level of technical quality, in particular as regards the response time for interrogation of the national databases in accordance with the technical specifications.

5. Europol shall provide training on the technical use of EPRIS.

6. Europol shall be responsible for the procedures referred to in Articles 49 and 50.

Article 65 - Responsibilities of eu-LISA during the design and development phase of the router

1. eu-LISA shall ensure that the central infrastructure of the router is operated in accordance with this Regulation.

2. The router shall be hosted by eu-LISA in its technical sites and shall provide the functionalities laid down in this Regulation in accordance with the conditions of security, availability, quality and performance referred to in Article 66(1).

3. eu-LISA shall be responsible for the development of the router and for any technical adaptations necessary for the operations of the router.

eu-LISA shall not have access to any of the personal data processed through the router.

eu-LISA shall define the design of the physical architecture of the router including its communication infrastructures and the technical specifications and its evolution as regards the central infrastructure and the secure communication infrastructure. This design shall be adopted by the Management Board, subject to a favourable opinion of the Commission. eu-LISA shall also implement any necessary adaptations to the interoperability components deriving from the establishment of the router as provided for by this Regulation.

eu-LISA shall develop and implement the router as soon as possible after the adoption by the Commission of the measures provided for in Article 37(6).

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination.

4. During the design and development phase, the Interoperability Programme Management Board referred to in Article 54 of Regulation (EU) 2019/817 and in Article 54 of Regulation (EU) 2019/818 shall meet regularly. It shall ensure the adequate management of the design and development phase of the router.

Every month, the Interoperability Programme Management Board shall submit written reports on progress of the project to eu-LISA's Management Board. The Interoperability Programme Management Board shall have no decision-making power, nor any mandate to represent the members of eu-LISA's Management Board.

The Advisory Group referred to in Article 77 shall meet regularly until the start of operations of the router. It shall report after each meeting to the Interoperability Programme Management Board. It shall provide the technical expertise to support the tasks of the Interoperability Programme Management Board and shall follow up on the state of preparation of the Member States.

Article 66 - Responsibilities of eu-LISA following the start of operations of the router

1. Following the entry into operations of the router, eu-LISA shall be responsible for the technical management of the central infrastructure of the router, including its maintenance and technological developments. In cooperation with Member States, it shall ensure that the best available technology is used, subject to a cost-benefit analysis. eu-LISA shall also be responsible for the technical management of the necessary communication infrastructure.

Technical management of the router shall consist of all the tasks and technical solutions necessary to keep the router functioning and providing uninterrupted services to Member States and to Europol 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability and the response time for submitting requests to the national databases and Europol data in accordance with the technical specifications.

The router shall be developed and managed in such a way as to ensure fast, efficient and controlled access, full and uninterrupted availability of the router, and a response time in line with the operational needs of the competent authorities of the Member States and Europol.

2. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with data stored in the interoperability components. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

eu-LISA shall not have access to any of the personal data processed through the router.

3. eu-LISA shall also perform tasks related to providing training on the technical use of the router.

CHAPTER 8 - AMENDMENTS TO OTHER EXISTING INSTRUMENTS

Article 67 - Amendments to Decisions 2008/615/JHA and 2008/616/JHA

1. In Decision 2008/615/JHA, Articles 2 to 6 and Sections 2 and 3 of Chapter 2 are replaced with regard to the Member States bound by this Regulation from the date of application of the provisions of this Regulation related to the router as set out in Article 74.

Therefore, Articles 2 to 6 and Sections 2 and 3 of Chapter 2 of Decision 2008/615/JHA are deleted from the date of application of the provisions of this Regulation related to the router as set out in Article 74.

2. In Decision 2008/616/JHA, Chapters 2 to 5 and Articles 18, 20 and 21 are replaced with regard to the Member States bound by this Regulation from the date of application of the provisions of this Regulation related to the router as set out in Article 74. 

Therefore, Chapters 2 to 5 and Articles 18, 20 and 21 of Decision 2008/616/JHA are deleted from the date of application of the provisions of this Regulation related to the router as set out in Article 74.

Article 68 - Amendments to Regulation (EU) 2018/1726

Regulation (EU) 2018/1726 is amended as follows:

(1) the following Article 13a is inserted:

“Article 13a

Tasks related to the router 


In relation to Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation], the Agency shall perform the tasks related to the router conferred on it by that Regulation.

___________

* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”


(2) in Article 17, paragraph 3 is replaced by the following:


‘3. The seat of the Agency shall be Tallinn, Estonia.


The tasks relating to development and operational management referred to in Article 1(4) and (5) and Articles 3 to 8 and Articles 9, 11 and 13a shall be carried out at the technical site in Strasbourg, France.


A backup site capable of ensuring the operation of a large-scale IT system in the event of failure of such a system shall be installed in Sankt Johann im Pongau, Austria.’

Article 69 - Amendments to Regulation (EU) 2019/817

In Article 6(2) of Regulation (EU) 2019/817 the following point (d) is added:

“(d) a secure communication infrastructure between the ESP and the router established by Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].

___________

* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”

Article 70 - Amendments to Regulation (EU) 2019/818

Regulation (EU) 2019/818 is amended as follows:

(1) in Article 6(2), the following point (d) is added:

“(d) a secure communication infrastructure between the ESP and the router established by Regulation (EU) …/… of the European Parliament and of the Council* [this Regulation].

___________

* Regulation (EU) [number] of the European Parliament and of the Council of xy on [officially adopted title] (OJ L …)”


(2) In Article 39, paragraphs 1 and 2 are replaced by the following:


“1. A central repository for reporting and statistics (CRRS) is established for the purposes of supporting the objectives of the SIS, Eurodac, ECRIS-TCN, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Prüm II.”


“2. eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816 logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 65(1) of Regulation (EU) …/…* [this Regulation]. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purpose of reporting and statistics, to the authorities referred to in Article 74 of Regulation (EU) 2018/1862, Article 32 of Regulation (EU) 2019/816 and Article 65(1) of Regulation (EU) …/…* [this Regulation].”

CHAPTER 9 - FINAL PROVISIONS

Article 71 - Reporting and statistics

1. The duly authorised staff of the competent authorities of Member States, the Commission, Europol and eu-LISA shall have access to consult the following data related to the router, solely for the purposes of reporting and statistics:

(a) number of queries per Member State and by Europol;

(b) number of queries per category of data;

(c) number of queries to each of the connected databases;

(d) number of matches against each Member State’s database per category of data;

(e) number of matches against Europol data per category of data;

(f) number of confirmed matches where there were exchanges of core data; and

(g) number of queries to the Common Identity Repository via the router.

It shall not be possible to identify individuals from the data.

2. The duly authorised staff of the competent authorities of Member States, Europol and the Commission shall have access to consult the following data related to Eucaris, solely for the purposes of reporting and statistics:

(a) number of queries per Member State and by Europol;

(b) number of queries to each of the connected databases; and

(c) number of matches against each Member State’s database.

It shall not be possible to identify individuals from the data.

3. The duly authorised staff of the competent authorities of Member States, the Commission and Europol shall have access to consult the following data related to EPRIS, solely for the purposes of reporting and statistics:

(a) number of queries per Member State and by Europol;

(b) number of queries to each of the connected indexes; and

(c) number of matches against each Member State’s database.

It shall not be possible to identify individuals from the data.

4. eu-LISA shall store the data referred to in those paragraphs.

The data shall allow the authorities referred to in paragraph 1 to obtain customisable reports and statistics to enhance the efficiency of law enforcement cooperation.

Article 72 - Costs

1. Costs incurred in connection with the establishment and operation of the router and EPRIS shall be borne by the general budget of the Union.

2. Costs incurred in connection with the integration of the existing national infrastructures and their connections to the router and EPRIS as well as costs incurred in connection with the establishment of national facial images databases and police national indexes for the prevention, detection and investigation of criminal offences shall be borne by the general budget of the Union.

The following costs shall be excluded:

(a) Member States' project management office (meetings, missions, offices);

(b) hosting of national IT systems (space, implementation, electricity, cooling);

(c) operation of national IT systems (operators and support contracts);

(d) design, development, implementation, operation and maintenance of national communication networks.

3. Each Member State shall bear the costs arising from the administration, use and maintenance of the Eucaris software application referred to in Article 19(1).

4. Each Member State shall bear the costs arising from the administration, use and maintenance of their connections to the router and EPRIS.

Article 73 - Notifications

1. Member States shall notify eu-LISA of the authorities referred to in Article 36, which may use or have access to the router.

2. eu-LISA shall notify the Commission of the successful completion of the tests referred to in Article 74(1), point (b).

3. Member States shall notify the Commission, Europol and eu-LISA of the national contact points.

Article 74 - Start of operations

1. The Commission shall determine the date from which the Member States and the Union agencies may start using the router by means of an implementing act once the following conditions have been met:

(a) the measures referred to in Article 37(6) have been adopted;

(b) eu-LISA has declared the successful completion of a comprehensive test of the router, which it has conducted in cooperation with the Member States’ authorities and Europol.

In that implementing act the Commission shall also determine the date from which the Member States and the Union agencies must start using the router. That date shall be one year after the date determined in accordance with the first subparagraph.

The Commission may postpone the date from which the Member States and the Union agencies must start using the router by one year at most where an assessment of the implementation of the router has shown that such a postponement is necessary. That implementing act shall be adopted in accordance with the procedure referred to in Article 76(2).

2. The Commission shall determine the date from which the Member States and the Union agencies are to start using EPRIS by means of an implementing act once the following conditions have been met:

(a) the measures referred to in Article 44(7) have been adopted;

(b) Europol has declared the successful completion of a comprehensive test of EPRIS, which it has conducted in cooperation with the Member States’ authorities.

3. The Commission shall determine the date from which Europol is to make available third country-sourced biometric data to Member States in accordance with Article 49 by means of an implementing act once the following conditions have been met:

(a) the router is in operation;

(b) Europol has declared the successful completion of a comprehensive test of the connection, which it has conducted in cooperation with the Member States’ authorities and eu-LISA.

4. The Commission shall determine the date from which Europol is to have access to data stored in Member States’ databases in accordance with Article 50 by means of an implementing act once the following conditions have been met:

(a) the router is in operation;

(b) Europol has declared the successful completion of a comprehensive test of the connection, which it has conducted in cooperation with the Member States’ authorities and eu-LISA.

Article 75 - Transitional provisions and derogations

1. Member States and the Union agencies shall start applying Articles 21 to 24, Article 47 and Article 50(6) from the date determined in accordance with Article 74(1), first subparagraph, with the exception of Member States which did not start using the router.

2. Member States and the Union agencies shall start applying Articles 25 to 28 and Article 50(4) from the date determined in accordance with Article 74(2).

3. Member States and the Union agencies shall start applying Article 49 from the date determined in accordance with Article 74(3).

4. Member States and the Union agencies shall start applying Article 50(1), (2), (3), (5) and (7) from the date determined in accordance with Article 74(4).

Article 76 - Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.

Article 77 - Advisory group

The responsibilities of eu-LISA’s Interoperability Advisory Group shall be extended to cover the router. That Interoperability Advisory Group shall provide eu-LISA with expertise related to the router in particular in the context of the preparation of its annual work programme and its annual activity report.

Article 78 - Practical handbook

The Commission shall, in close cooperation with the Member States, Europol and eu-LISA, make available a practical handbook for the implementation and management of this Regulation. The practical handbook shall provide technical and operational guidelines, recommendations and best practices. The Commission shall adopt the practical handbook in the form of a recommendation.

Article 79 - Monitoring and evaluation

1. eu-LISA and Europol shall, respectively, ensure that procedures are in place to monitor the development of the router and of EPRIS in light of objectives relating to planning and costs and to monitor the functioning of the router and of EPRIS in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2. By [one year after entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall respectively submit a report to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and information as to any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 72.

Once the development of the router is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

3. By [one year after entry into force of this Regulation] and every year thereafter during the development phase of EPRIS, Europol shall submit a report to the European Parliament and to the Council on the state of preparation for the implementation of this Regulation and on the state of play of the development of EPRIS including detailed information about the costs incurred and information as to any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 72.

Once the development of EPRIS is finalised, Europol shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.

4. For the purposes of technical maintenance, eu-LISA and Europol shall have access to the necessary information relating to the data processing operations performed in the router and EPRIS respectively.

5. Two years after the start of operations of the router and every two years thereafter, eu-LISA shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning of the router, including the security thereof.

6. Two years after the start of operations of EPRIS and every two years thereafter, Europol shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning of EPRIS, including the security thereof.

7. Three years after the start of operations of the router and EPRIS as referred to in Article 74 and every four years thereafter, the Commission shall produce an overall evaluation of Prüm II, including:

(a) an assessment of the application of this Regulation;

(b) an examination of the results achieved against the objectives of this Regulation and its impact on fundamental rights;

(c) the impact, effectiveness and efficiency of Prüm II performance and its working practices in light of its objectives, mandate and tasks;

(d) an assessment of the security of Prüm II.

The Commission shall transmit the evaluation report to the European Parliament, the Council, the European Data Protection Supervisor and the European Agency for Fundamental Rights.

8. The Member States and Europol shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 2 and 5. This information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

9. The Member States shall provide Europol and the Commission with the information necessary to draft the reports referred to in paragraphs 3 and 6. This information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

10. Member States, eu-LISA and Europol shall provide the Commission with the information necessary to produce the evaluations referred to in paragraph 7. Member States shall also provide the Commission with the number of confirmed matches against each Member State’s database per category of data.

Article 80 - Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.