The Schengen Information System (SIS) constitutes an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union. SIS is one of the major compensatory measures contributing to maintaining a high level of security within the area of freedom, security and justice of the Union by supporting operational cooperation between national competent authorities, in particular border guards, the police, customs authorities, immigration authorities, and authorities responsible for the prevention, detection, investigation or prosecution of criminal offences or execution of criminal penalties.
(2)
SIS was initially set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (2) (the Convention implementing the Schengen Agreement). The development of the second generation of SIS (SIS II) was entrusted to the Commission pursuant to Council Regulation (EC) No 2424/2001 (3) and Council Decision 2001/886/JHA (4). It was later established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council (5) and by Council Decision 2007/533/JHA (6). SIS II replaced SIS as created pursuant to the Convention implementing the Schengen Agreement.
(3)
Three years after SIS II was brought into operation, the Commission carried out an evaluation of the system in accordance with Regulation (EC) No 1987/2006 and Decision 2007/533/JHA. On 21 December 2016, the Commission submitted the Report on the Evaluation of the Second Generation Schengen Information System (SIS II) in accordance with Articles 24(5), 43(3) and 50(5) of Regulation (EC) No 1987/2006 and Articles 59(3) and 66(5) of Decision 2007/533/JHA and an accompanying staff working document to the European Parliament and to the Council. The recommendations set out in those documents should be reflected, as appropriate, in this Regulation.
(4)
This Regulation constitutes the legal basis for SIS in respect of matters falling within the scope of Chapter 2 of Title V of Part Three of the Treaty on Functioning of the European Union (TFEU). Regulation (EU) 2018/1862 of the European Parliament and of the Council (7) constitutes the legal basis for SIS in respect of matters falling within the scope of Chapters 4 and 5 of Title V of Part Three TFEU.
(5)
The fact that the legal basis for SIS consists of separate instruments does not affect the principle that SIS constitutes one single information system that should operate as such. It should include a single network of national offices called SIRENE Bureaux for ensuring the exchange of supplementary information. Certain provisions of those instruments should therefore be identical.
(6)
It is necessary to specify the objectives of SIS, certain elements of its technical architecture and its financing, to lay down rules concerning its end-to-end operation and use and to define responsibilities. It is also necessary to determine the categories of data to be entered into the system, the purposes for which the data are to be entered and processed and the criteria for their entry. Rules are also required to govern the deletion of alerts, the authorities authorised to access the data, the use of biometric data and to further determine data protection and data processing rules.
(7)
Alerts in SIS contain only the information necessary to identify a person and for the action to be taken. Member States should therefore exchange supplementary information related to alerts where required.
(8)
SIS includes a central system (Central SIS) and national systems. The national systems might contain a complete or partial copy of the SIS database, which may be shared by two or more Member States. Considering that SIS is the most important information exchange instrument in Europe for ensuring security and effective border management, it is necessary to ensure its uninterrupted operation at central as well as at national level. The availability of SIS should be subject to close monitoring at central and Member State level and any incident of unavailability for end-users should be registered and reported to stakeholders at national and Union level. Each Member State should set up a backup for its national system. Member States should also ensure uninterrupted connectivity with Central SIS by having duplicated and physically and geographically separated connection points. Central SIS and the Communication Infrastructure should be operated in such a way that their functioning 24 hours a day, 7 days a week is ensured. For that reason, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’) established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (8) should implement technical solutions to reinforce the uninterrupted availability of SIS, subject to an independent impact assessment and cost-benefit analysis.
(9)
It is necessary to maintain a manual setting out the detailed rules for the exchange of supplementary information concerning the actions called for by alerts (‘the SIRENE Manual’). The SIRENE Bureaux should ensure the exchange of such information in a fast and efficient manner.
(10)
In order to ensure the efficient exchange of supplementary information, including on the action to be taken specified in alerts, it is appropriate to reinforce the functioning of the SIRENE Bureaux by specifying the requirements concerning the available resources and user training and the response time to inquiries they receive from other SIRENE Bureaux.
(11)
Member States should ensure that the staff of their SIRENE Bureau have the linguistic skills and knowledge of relevant law and procedural rules necessary to perform their tasks.
(12)
In order to be able to fully benefit from the functionalities of SIS, Member States should ensure that end-users and the staff of the SIRENE Bureaux regularly receive training, including on data security, data protection and data quality. SIRENE Bureaux should be involved in the development of training programmes. To the extent possible, SIRENE Bureaux should also provide for staff exchanges with other SIRENE Bureaux at least once a year. Member States are encouraged to take appropriate measures to avoid the loss of skills and experience through staff turnover.
(13)
The operational management of the central components of SIS are exercised by eu-LISA. In order to enable eu-LISA to dedicate the necessary financial and personal resources covering all aspects of the operational management of Central SIS and the Communication Infrastructure, this Regulation should set out its tasks in detail, in particular with regard to the technical aspects of the exchange of supplementary information.
(14)
Without prejudice to the responsibility of Member States for the accuracy of data entered into SIS and to the role of the SIRENE Bureaux as quality coordinators, eu-LISA should be responsible for reinforcing data quality by introducing a central data quality monitoring tool, and should provide reports at regular intervals to the Commission and to the Member States. The Commission should report to the European Parliament and to the Council on the data quality issues encountered. To further increase the quality of data in SIS, eu-LISA should also offer training on the use of SIS to national training bodies and, insofar as possible, to the SIRENE Bureaux and to end-users.
(15)
In order to allow better monitoring of the use of SIS and to analyse trends concerning migratory pressure and border management, eu-LISA should be able to develop a state-of-the-art capability for statistical reporting to the Member States, to the European Parliament, to the Council, to the Commission, to Europol and to the European Border and Coast Guard Agency without jeopardising data integrity. Therefore, a central repository should be established. Statistics retained in or obtained from that repository should not contain any personal data. Member States should communicate statistics concerning exercise of the right of access, rectification of inaccurate data and erasure of unlawfully stored data in the framework of cooperation between supervisory authorities and the European Data Protection Supervisor under this Regulation.
(16)
New data categories should be introduced in SIS to allow end-users to take informed decisions based upon an alert without losing time. Therefore, alerts for refusal of entry and stay should contain information concerning the decision on which the alert is based. Furthermore, in order to facilitate identification and detect multiple identities, the alert should, where such information is available, include a reference to the personal identification document of the individual concerned or its number and a copy, if possible in colour, of the document.
(17)
Competent authorities should be able, where strictly necessary, to enter into SIS specific information relating to any specific, objective, physical characteristics of a person which are not subject to change, such as tattoos, marks or scars.
(18)
Where available, all the relevant data, in particular the forename of the individual concerned, should be inserted when creating an alert, in order to minimise the risk of false hits and unnecessary operational activities.
(19)
SIS should not store any data used to carry out searches with the exception of keeping logs to verify whether the search is lawful, for monitoring the lawfulness of data processing, for self-monitoring and for ensuring the proper functioning of the national systems as well as for data integrity and security.
(20)
SIS should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. Any entry of photographs, facial images or dactyloscopic data into SIS and any use of such data should be limited to what is necessary for the objectives pursued, should be authorised by Union law, should respect fundamental rights, including the best interests of the child, and should be in accordance with Union law on data protection, including the relevant provisions on data protection laid down in this Regulation. In the same perspective, in order to avoid inconveniences caused by misidentification, SIS should also allow for the processing of data concerning individuals whose identity has been misused, subject to suitable safeguards, to obtaining the consent of the individual concerned for each data category, in particular palm prints, and to a strict limitation of the purposes for which such personal data can be lawfully processed.
(21)
Member States should make the necessary technical arrangements so that each time end-users are entitled to carry out a search in a national police or immigration database, they also search SIS in parallel, subject to the principles set out in Article 4 of Directive (EU) 2016/680 of the European Parliament and of the Council (9) and Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council (10). This should ensure that SIS functions as the main compensatory measure in the area without internal border controls and better addresses the cross-border dimension of criminality and the mobility of criminals.
(22)
This Regulation should set out the conditions for use of dactyloscopic data, photographs and facial images for identification and verification purposes. Facial images and photographs should, for identification purposes, initially be used only in the context of regular border crossing points. Such use should be subject to a report by the Commission confirming the availability, reliability and readiness of the technology.
(23)
It should be allowed to search dactyloscopic data stored in SIS with complete or incomplete sets of fingerprints or palm prints found at a crime scene if it can be established to a high degree of probability that they belong to the perpetrator of the serious crime or terrorist offence, provided that a search is carried out simultaneously in the relevant national fingerprint databases. Particular attention should be given to the establishment of quality standards applicable to the storage of biometric data.
(24)
Wherever the identity of a person cannot be ascertained by any other means, dactyloscopic data should be used to attempt identification. It should be allowed in all cases to identify a person by using dactyloscopic data.
(25)
It should be possible for Member States to establish links between alerts in SIS. The establishment of links between two or more alerts should have no impact on the action to be taken, the review period for alerts or the access rights to the alerts.
(26)
A greater level of effectiveness, harmonisation and consistency can be achieved by making it mandatory to enter into SIS all entry bans issued by the national competent authorities in accordance with procedures respecting Directive 2008/115/EC of the European Parliament and of the Council (11) and by setting common rules for entering alerts for refusal of entry and stay upon the return of an illegally staying third-country national. Member States should take all necessary measures to ensure that no time-gap exists between the moment in which the third-country national concerned leaves the Schengen area and the activation of the alert in SIS. This should ensure the enforcement of entry bans at external border crossing points, effectively preventing re-entry into the Schengen area.
(27)
Persons in respect of whom a decision for refusal of entry and stay is taken should have the right to appeal against that decision. The right of appeal should comply with Directive 2008/115/EC where the decision is related to return.
(28)
This Regulation should set mandatory rules for the consultation and notification of national authorities where a third-country national holds or might obtain a valid residence permit or long-stay visa granted in one Member State, and another Member State intends to or has already entered an alert for refusal of entry and stay on that third-country national. Such situations create serious uncertainties for border guards, police and immigration authorities. Therefore, it is appropriate to provide for a mandatory timeframe for rapid consultation with a definite result in order to ensure that third-country nationals who are entitled to reside lawfully in the territory of the Member States are entitled to enter that territory without difficulty and that those who are not entitled to enter are prevented from doing so.
(29)
When deleting an alert in SIS following a consultation between Member States, the issuing Member State should be able to keep the third-country national concerned on its national list of alerts.
(30)
This Regulation should be without prejudice to the application of Directive 2004/38/EC of the European Parliament and of the Council (12).
(31)
Alerts should not be kept in SIS longer than the time required to fulfil the specific purposes for which they were entered. Within three years of entry of an alert into SIS, the issuing Member State should review the need to retain it. However, if the national decision on which the alert is based provides for a longer period of validity than three years, the alert should be reviewed within five years. Decisions to retain alerts on persons should be based on a comprehensive individual assessment. Member States should review alerts on persons within the prescribed review period and should keep statistics on the number of alerts on persons for which the retention period has been extended.
(32)
Entering an alert into SIS and extending the expiry date of an alert in SIS should be subject to a proportionality requirement involving examination of whether a concrete case is adequate, relevant and important enough to warrant insertion of an alert in SIS. Where terrorist offences are concerned, the case should be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States should be allowed exceptionally to refrain from entering an alert into SIS when it is likely that this would obstruct official or legal inquiries, investigations or procedures.
(33)
The integrity of SIS data is of primary importance. Therefore, appropriate safeguards should be provided to process SIS data at central as well as at national level to ensure the end-to-end security of the data. The authorities involved in the data processing should be bound by the security requirements of this Regulation and be subject to a uniform incident reporting procedure. Their staff should be appropriately trained and be informed of any offences and penalties in this respect.
(34)
Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation should not be transferred or made available to third countries or to international organisations.
(35)
To enhance the efficiency of immigration authorities' work when deciding on the right of third-country nationals to enter and stay in the territories of the Member States and on the return of illegally staying third-country nationals, it is appropriate to grant those authorities access to SIS under this Regulation.
(36)
Without prejudice to more specific rules laid down in this Regulation for the processing of personal data, Regulation (EU) 2016/679 should apply to the processing of personal data by the Member States under this Regulation unless such processing is carried out by the national competent authorities for the purposes of prevention, investigation, detection or prosecution of terrorist offences or of other serious criminal offences.
(37)
Without prejudice to more specific rules laid down in this Regulation, the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 should apply to the processing of personal data under this Regulation by the national competent authorities for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties. Access to data entered into SIS and the right to search such data by national competent authorities which are responsible for the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties are to be subject to all relevant provisions of this Regulation and those of Directive (EU) 2016/680 as transposed into national law, and in particular to monitoring by the supervisory authorities referred to in Directive (EU) 2016/680.
(38)
Regulation (EU) 2018/1725 of the European Parliament and of the Council (13) should apply to the processing of personal data by the Union institutions and bodies when carrying out their responsibilities under this Regulation.
(39)
Regulation (EU) 2016/794 of the European Parliament and of the Council (14) should apply to the processing of personal data by Europol under this Regulation.
(40)
When using SIS, the competent authorities should ensure that the dignity and integrity of the person whose data are processed are respected. Processing of personal data for the purposes of this Regulation is not to result in discrimination against persons on any grounds, such as sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.
(41)
Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (15) (‘Staff Regulations’) should apply to officials or other servants employed and working in connection with SIS.
(42)
Both the Member States and eu-LISA should maintain security plans in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.
(43)
The national independent supervisory authorities referred to in Regulation (EU) 2016/679 and Directive (EU) 2016/680 (‘supervisory authorities’) should monitor the lawfulness of the processing of personal data by the Member States under this Regulation, including the exchange of supplementary information. The supervisory authorities should be granted sufficient resources to carry out this task. The rights of data subjects to access, rectify and erase their personal data that is stored in SIS, and any subsequent remedies before national courts as well as the mutual recognition of judgments should be provided for. It is also appropriate to require annual statistics from Member States.
(44)
The supervisory authorities should ensure that an audit of the data processing operations in their Member State's national systems is carried out in accordance with international auditing standards at least every four years. The audit should either be carried out by the supervisory authorities, or the supervisory authorities should directly order the audit from an independent data protection auditor. The independent auditor should remain under the control and responsibility of the supervisory authorities concerned, which therefore should instruct the auditor themselves and provide a clearly defined purpose, scope and methodology for the audit as well as guidance and supervision concerning the audit and its final results.
(45)
The European Data Protection Supervisor should monitor the activities of the Union institutions and bodies in relation to the processing of personal data under this Regulation. The European Data Protection Supervisor and the supervisory authorities should cooperate with each other in monitoring SIS.
(46)
The European Data Protection Supervisor should be granted sufficient resources to fulfil the tasks entrusted to it under this Regulation, including assistance from persons with expertise in biometric data.
(47)
Regulation (EU) 2016/794 provides that Europol is to support and strengthen actions carried out by the national competent authorities and their cooperation in combating terrorism and serious crime and to provide analysis and threat assessments. In order to facilitate Europol in carrying out its tasks, in particular within the European Migrant Smuggling Centre, it is appropriate to allow Europol access to categories of alerts as provided for in this Regulation.
(48)
In order to bridge the gap in information sharing on terrorism, in particular on foreign terrorist fighters – where monitoring of their movement is crucial – Member States are encouraged to share information on terrorism-related activity with Europol. This information sharing should be carried out through the exchange of supplementary information with Europol on the alerts concerned. For this purpose Europol should set up a connection with the Communication Infrastructure.
(49)
It is also necessary to set out clear rules for Europol on the processing and downloading of SIS data to allow it to use SIS comprehensively, provided that data protection standards are complied with as provided for in this Regulation and Regulation (EU) 2016/794. In cases where searches carried out by Europol in SIS reveal the existence of an alert entered by a Member State, Europol cannot take the required action. Therefore it should inform the Member State concerned through the exchange of supplementary information with the respective SIRENE Bureau, to allow that Member State to follow up the case.
(50)
Regulation (EU) 2016/1624 of the European Parliament and of the Council (16) provides, for the purpose of that Regulation, that the host Member State is to authorise the members of the teams referred to in point (8) of Article 2 of that Regulation deployed by the European Border and Coast Guard Agency to consult Union databases where this consultation is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return. Other relevant Union agencies, in particular the European Asylum Support Office and Europol, may also deploy experts who are not members of the staff of those Union agencies as part of migration management support teams. The objective of the deployment of the teams referred to in points (8) and (9) of Article 2 of that Regulation is to provide technical and operational reinforcement to the requesting Member States, especially to those facing disproportionate migratory challenges. For the teams referred to in points (8) and (9) of Article 2 of that Regulation to fulfil their tasks, they require access to SIS through a technical interface of the European Border and Coast Guard Agency connecting to Central SIS. In cases where searches in SIS carried out by the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624 or by the teams of staff reveal the existence of an alert entered by a Member State, the member of the team or the staff cannot take the required action unless authorised to do so by the host Member State. Therefore, the host Member State should be informed to allow it to follow up the case. The host Member State should notify the issuing Member State of the hit through the exchange of supplementary information.
(51)
Certain aspects of SIS cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical rules on entering data, on updating, deleting and searching data and on data quality and rules related to biometric data, rules on the compatibility and order of priority of alerts, on links between alerts and on the exchange of supplementary information. Implementing powers in respect of those aspects should therefore be conferred on the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications.
(52)
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (17). The procedure for adopting implementing acts under this Regulation and Regulation (EU) 2018/1862 should be the same.
(53)
In order to ensure transparency, two years after the start of operations of SIS pursuant to this Regulation, eu-LISA should produce a report on the technical functioning of Central SIS and the Communication Infrastructure, including their security, and on the bilateral and multilateral exchange of supplementary information. An overall evaluation should be issued by the Commission every four years.
(54)
In order to ensure the smooth functioning of SIS, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the determination of the circumstances in which photographs and facial images may be used for the identification of persons other than in the context of regular border crossing points. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (18). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(55)
Since the objectives of this Regulation, namely the establishment and regulation of a Union information system and the exchange of related supplementary information, cannot be sufficiently achieved by the Member States, but can rather, by reason of their nature be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
(56)
This Regulation respects fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. In particular, this Regulation fully respects the protection of personal data in accordance with Article 8 of the Charter of Fundamental Rights of the European Union while seeking to ensure a safe environment for all persons residing on the territory of the Union and protection of irregular migrants from exploitation and trafficking in human beings. In cases concerning children, the best interests of the child should be a primary consideration.
(57)
The estimated costs of the upgrade of the national systems and of the implementation of the new functionalities envisaged in this Regulation, are lower than the remaining amount in the budget line for Smart Borders in Regulation (EU) No 515/2014 of the European Parliament and of the Council (19). Therefore, funding attributed for developing IT systems supporting the management of migration flows across the external borders in accordance with Regulation (EU) No 515/2014 should be allocated to the Member States and eu-LISA. The financial costs of upgrading SIS and the implementation of this Regulation should be monitored. If the estimated costs are higher, Union funding should be made available to support Member States in conformity with the applicable Multiannual Financial Framework.
(58)
In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.
(59)
This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC (20); the United Kingdom is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(60)
This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (21); Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(61)
As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen acquis (22) which fall within the area referred to in Article 1, point (G) of Council Decision 1999/437/EC (23).
(62)
As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (24), which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (25).
(63)
As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (26) which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (27).
(64)
As regards Bulgaria and Romania, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decisions 2010/365/EU (28) and (EU) 2018/934 (29).
(65)
As regards Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession and should be read in conjunction with Council Decision (EU) 2017/733 (30).
(66)
Concerning Cyprus this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(2) of the 2003 Act of Accession.
(67)
This Regulations introduces a series of improvements to SIS which will increase its effectiveness, strengthen data protection and extend access rights. Certain of those improvements do not require complex technical developments, while others do require technical changes of varying magnitude. In order to enable improvements to the system to become available to end-users as soon as possible, this Regulation introduces amendments to Regulation (EC) No 1987/2006 in several phases. A number of improvements to the system should apply immediately upon entry into force of this Regulation, whereas others should apply either one or two years after its entry into force. This Regulation should apply in its entirety within three years after its entry into force. In order to avoid delays in its application the phased implementation of this Regulation should be closely monitored.
(68)
Regulation (EC) No 1987/2006 should be repealed with effect from the date of full application of this Regulation.
(69)
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (31) and delivered an opinion on 3 May 2017,
