The Schengen Information System (SIS) constitutes an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union. SIS is one of the major compensatory measures contributing to maintaining a high level of security within the area of freedom, security and justice of the Union by supporting operational cooperation between national competent authorities, in particular border guards, the police, customs authorities, immigration authorities, and authorities responsible for the prevention, detection, investigation or prosecution of criminal offences or execution of criminal penalties.
SIS was initially set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (2) (the Convention implementing the Schengen Agreement). The development of the second generation of SIS (SIS II) was entrusted to the Commission pursuant to Council Regulation (EC) No 2424/2001 (3) and Council Decision 2001/886/JHA (4). It was later established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council (5) and by Council Decision 2007/533/JHA (6). SIS II replaced SIS as created pursuant to the Convention implementing the Schengen Agreement.
Three years after SIS II was brought into operation, the Commission carried out an evaluation of the system in accordance with Regulation (EC) No 1987/2006 and Decision 2007/533/JHA. On 21 December 2016, the Commission submitted the Report on the Evaluation of the Second Generation Schengen Information System (SIS II) in accordance with Articles 24(5), 43(3) and 50(5) of Regulation (EC) No 1987/2006 and Articles 59(3) and 66(5) of Decision 2007/533/JHA and an accompanying staff working document to the European Parliament and to the Council. The recommendations set out in those documents should be reflected, as appropriate, in this Regulation.
This Regulation constitutes the legal basis for SIS in respect of matters falling within the scope of Chapters 4 and 5 of Title V of Part Three of the Treaty on the Functioning of the European Union (TFEU). Regulation (EU) 2018/1861 of the European Parliament and of the Council (7) constitutes the legal basis for SIS in respect of matters falling within the scope of Chapter 2 of Title V of Part Three TFEU.
The fact that the legal basis for SIS consists of separate instruments does not affect the principle that SIS constitutes one single information system that should operate as such. It should include a single network of national offices called SIRENE Bureaux for ensuring the exchange of supplementary information. Certain provisions of those instruments should therefore be identical.
It is necessary to specify the objectives of SIS, certain elements of its technical architecture and its financing, to lay down rules concerning its end-to-end operation and use and to define responsibilities. It is also necessary to determine the categories of data to be entered into the system, the purposes for which the data are to be entered and processed and the criteria for their entry. Rules are also required to govern the deletion of alerts, the authorities authorised to access the data, the use of biometric data and to further determine data protection and data processing rules.
Alerts in SIS contain only the information necessary to identify a person or an object and for the action to be taken. Member States should therefore exchange supplementary information related to alerts where required.
SIS includes a central system (Central SIS) and national systems. The national systems might contain a complete or partial copy of the SIS database, which may be shared by two or more Member States. Considering that SIS is the most important information exchange instrument in Europe for ensuring security and effective border management, it is necessary to ensure its uninterrupted operation at central as well as at national level. The availability of SIS should be subject to close monitoring at central and Member State level and any incident of unavailability for end-users should be registered and reported to stakeholders at national and Union level. Each Member State should set up a backup for its national system. Member States should also ensure uninterrupted connectivity with Central SIS by having duplicated and physically and geographically separated connection points. Central SIS and the Communication Infrastructure should be operated in such a way that their functioning 24 hours a day, 7 days a week is ensured. For that reason the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’), established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (8), should implement technical solutions to reinforce the uninterrupted availability of SIS, subject to an independent impact assessment and cost-benefit analysis.
It is necessary to maintain a manual setting out the detailed rules for the exchange of supplementary information concerning the actions called for by alerts (‘the SIRENE Manual’). The SIRENE Bureaux should ensure the exchange of such information in a fast and efficient manner.
In order to ensure the efficient exchange of supplementary information, including on the action to be taken specified in alerts, it is appropriate to reinforce the functioning of the SIRENE Bureaux by specifying the requirements concerning the available resources and user training and the response time to inquiries they receive from other SIRENE Bureaux.
Member States should ensure that the staff of their SIRENE Bureau have the linguistic skills and knowledge of relevant law and procedural rules necessary to perform their tasks.
In order to be able to fully benefit from the functionalities of SIS, Member States should ensure that end-users and the staff of the SIRENE Bureaux regularly receive training, including on data security, data protection and data quality. SIRENE Bureaux should be involved in the development of training programmes. To the extent possible, SIRENE Bureaux should also provide for staff exchanges with other SIRENE Bureaux at least once a year. Member States are encouraged to take appropriate measures to avoid the loss of skills and experience through staff turnover.
The operational management of the central components of SIS is exercised by eu-LISA. In order to enable eu-LISA to dedicate the necessary financial and personal resources covering all aspects of the operational management of Central SIS and the Communication Infrastructure, this Regulation should set out its tasks in detail, in particular with regard to the technical aspects of the exchange of supplementary information.
Without prejudice to the responsibility of Member States for the accuracy of data entered into SIS and to the role of the SIRENE Bureaux as quality coordinators, eu-LISA should be responsible for reinforcing data quality by introducing a central data quality monitoring tool, and should provide reports at regular intervals to the Commission and to the Member States. The Commission should report to the European Parliament and to the Council on the data quality issues encountered. To further increase the quality of data in SIS, eu-LISA should also offer training on the use of SIS to national training bodies and, insofar as possible, to the SIRENE Bureaux and to end-users.
In order to allow better monitoring of the use of SIS and to analyse trends concerning criminal offences, eu-LISA should be able to develop a state-of-the-art capability for statistical reporting to the Member States, to the European Parliament, to the Council, to the Commission, to Europol, to Eurojust and to the European Border and Coast Guard Agency without jeopardising data integrity. Therefore, a central repository should be established. Statistics retained in or obtained from that repository should not contain any personal data. Member States should communicate statistics concerning exercise of the right of access, rectification of inaccurate data and erasure of unlawfully stored data in the framework of cooperation between supervisory authorities and the European Data Protection Supervisor under this Regulation.
New data categories should be introduced in SIS to allow end-users to take informed decisions based upon an alert without losing time. Therefore, in order to facilitate identification and detect multiple identities, the alert should, where such information is available, include a reference to the personal identification document of the individual concerned or its number and a copy, if possible in colour, of the document.
Competent authorities should be able, where strictly necessary, to enter into SIS specific information relating to any specific, objective, physical characteristics of a person which are not subject to change, such as tattoos, marks or scars.
Where available, all the relevant data, in particular the forename of the individual concerned, should be inserted when creating an alert, in order to minimise the risk of false hits and unnecessary operational activities.
SIS should not store any data used to carry out searches with the exception of keeping logs to verify whether the search is lawful, for monitoring the lawfulness of data processing, for self-monitoring and for ensuring the proper functioning of the national systems as well as for data integrity and security.
SIS should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. Any entry of photographs, facial images or dactyloscopic data into SIS and any use of such data should be limited to what is necessary for the objectives pursued, should be authorised by Union law, should respect fundamental rights, including the best interests of the child, and should be in accordance with Union law on data protection, including the relevant provisions on data protection laid down in this Regulation. In the same perspective, in order to avoid inconveniences caused by misidentification, SIS should also allow for the processing of data concerning individuals whose identity has been misused, subject to suitable safeguards, to obtaining the consent of the individual concerned for each data category, in particular palm prints, and to a strict limitation of the purposes for which such personal data can be lawfully processed.
Member States should make the necessary technical arrangements so that each time end-users are entitled to carry out a search in a national police or immigration database, they also search SIS in parallel, subject to the principles set out in Article 4 of Directive (EU) 2016/680 of the European Parliament and of the Council (9) and Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council (10). This should ensure that SIS functions as the main compensatory measure in the area without internal border controls and better addresses the cross-border dimension of criminality and the mobility of criminals.
This Regulation should set out the conditions for use of dactyloscopic data, photographs and facial images for identification and verification purposes. Facial images and photographs should, for identification purposes, initially be used only in the context of regular border crossing points. Such use should be subject to a report by the Commission confirming the availability, reliability and readiness of the technology.
The introduction of an automated fingerprint identification service within SIS complements the existing Prüm mechanism on mutual cross-border online access to designated national DNA databases and automated fingerprint identification systems, as set out in Council Decisions 2008/615/JHA (11) and 2008/616/JHA (12). The SIS dactyloscopic data search allows an active search for the perpetrator. Therefore, it should be possible to upload the dactyloscopic data of an unknown perpetrator into SIS, provided that the owner of that data can be identified with a very high degree of probability as the perpetrator of a serious crime or act of terrorism. This is in particular the case if dactyloscopic data are found on the weapon or on any object used for the offence. The mere presence of the dactyloscopic data at the crime scene should not be considered as indicating a very high degree of probability that the dactyloscopic data are those of the perpetrator. A further precondition for the creation of such an alert should be that the identity of the suspect cannot be established on the basis of data from any other relevant national, Union or international database. Should a dactyloscopic data search lead to a potential match, the Member State should carry out further checks with the involvement of experts to establish whether the suspect is the owner of the prints stored in SIS, and should establish the identity of the person. The procedure should be subject to national law. Such identification could substantially contribute to the investigation and could lead to an arrest provided that all the conditions for an arrest are met.
It should be allowed to search dactyloscopic data stored in SIS with complete or incomplete sets of fingerprints or palm prints found at a crime scene if it can be established to a high degree of probability that they belong to the perpetrator of the serious crime or terrorist offence, provided that a search is carried out simultaneously in the relevant national fingerprint databases. Particular attention should be given to the establishment of quality standards applicable to the storage of biometric data, including latent dactyloscopic data.
Wherever the identity of a person cannot be ascertained by any other means, dactyloscopic data should be used to attempt identification. It should be allowed in all cases to identify a person by using dactyloscopic data.
It should be possible to add a DNA profile to an alert in clearly defined cases where dactyloscopic data are not available. That DNA profile should only be accessible to authorised users. DNA profiles should facilitate the identification of missing persons in need of protection and particularly missing children, including by allowing the use of DNA profiles of direct ascendants, descendants or siblings to enable identification. DNA data should contain only the minimum information necessary for identification of the missing person.
DNA profiles should only be retrieved from SIS where identification is necessary and proportionate for the purposes laid down in this Regulation. DNA profiles should not be retrieved or processed for any other purpose than those for which they were entered into SIS. The data protection and security rules laid down in this Regulation should apply. Additional safeguards, if necessary, should be put in place when using DNA profiles in order to avoid any risk of false matches, hacking and unauthorised sharing with third parties.
SIS should contain alerts on persons wanted for arrest for surrender purposes and wanted for arrest for extradition purposes. In addition to alerts, it is appropriate to provide for the exchange of supplementary information through the SIRENE Bureaux which is necessary for the surrender and extradition procedures. In particular, data referred to in Article 8 of Council Framework Decision 2002/584/JHA (13) should be processed in SIS. Due to operational reasons, it is appropriate for the issuing Member State to make an existing alert for arrest temporarily unavailable upon the authorisation of the judicial authorities when a person who is the subject of a European Arrest Warrant is intensively and actively searched and end-users not involved in the concrete search operation may jeopardise the successful outcome. The temporary unavailability of such alerts should in principle not exceed 48 hours.
It should be possible to add to SIS a translation of the additional data entered for the purpose of surrender under the European Arrest Warrant and for the purpose of extradition.
SIS should contain alerts on missing persons or on vulnerable persons who need to be prevented from travelling to ensure their protection or to prevent threats to public security or to public order. In the case of children, these alerts and the corresponding procedures should serve the best interests of the child in accordance with Article 24 of the Charter of Fundamental Rights of the European Union and Article 3 of the United Nations Convention on the Rights of the Child of 20 November 1989. Actions and decisions by the competent authorities, including judicial authorities, following an alert on a child should be taken in cooperation with child protection authorities. The national hotline for missing children should be informed, where appropriate.
Alerts on missing persons who need to be placed under protection should be entered at the request of the competent authority. All children who have gone missing from Member States' reception facilities should be the subject of an alert on missing persons in SIS.
Alerts on children at risk of parental child abduction should be entered into SIS at the request of competent authorities, including judicial authorities having jurisdiction in matters of parental responsibility under national law. Alerts on children at risk of parental child abduction should only be entered in SIS where this risk is concrete and apparent and in limited circumstances. Therefore it is necessary to provide for strict and appropriate safeguards. In assessing whether a concrete and apparent risk exists that a child may be imminently and unlawfully removed from a Member State, the competent authority should take into account the child's personal circumstances and the environment to which the child is exposed.
This Regulation should establish a new category of alerts for certain categories of vulnerable persons who need to be prevented from travelling. Persons who, due to their age, disabilities, or their family circumstances require protection should be considered vulnerable.
Alerts on children who need to be prevented from travelling for their own protection should be entered into SIS if there is a concrete and apparent risk of them being removed from or leaving the territory of a Member State. Such alerts should be entered if the travel would put them at risk of becoming victims of trafficking in human beings or of forced marriage, female genital mutilation or other forms of gender-based violence, of becoming victims or being involved in terrorist offences, of being conscripted or enlisted into armed groups, or of being made to participate actively in hostilities.
Alerts on vulnerable adults who need to be prevented from travelling for their own protection should be entered if travel would put them at risk of becoming victims of trafficking in human beings or gender-based violence.
In order to guarantee strict and appropriate safeguards, alerts on children or other vulnerable persons who need to be prevented from travelling should, where required under national law, be entered into SIS following a decision by a judicial authority or a decision by a competent authority confirmed by a judicial authority.
A new action to be taken should be introduced to allow a person to be stopped and interviewed in order for the issuing Member State to obtain detailed information. This action should apply in cases where, based on a clear indication, a person is suspected of intending to commit or of committing any of the offences referred to in Article 2(1) and (2) of Framework Decision 2002/584/JHA, where further information is needed to execute a custodial sentence or detention order against a person convicted of any of the offences referred to in Article 2(1) and (2) of Framework Decision 2002/584/JHA, or where there is a reason to believe that he or she will commit any of those offences. This action to be taken should also be without prejudice to existing mutual legal assistance mechanisms. It should supply sufficient information to decide upon further actions. This new action should not amount to searching the person nor to his or her arrest. The procedural rights of suspects and accused persons under Union and national law should be preserved, including their right to have access to a lawyer in accordance with Directive 2013/48/EU of the European Parliament and of the Council (14).
In the case of alerts on objects for seizure or use as evidence in criminal proceedings, the objects concerned should be seized in accordance with national law that determines if and in accordance with which conditions an object is to be seized, particularly if it is in the possession of its rightful owner.
SIS should contain new categories of objects of high value, such as items of information technology which can be identified and searched with a unique identification number.
As regards alerts entered into SIS on documents for seizure or use as evidence in criminal proceedings, the term ‘false’ should be construed as encompassing both forged and counterfeit documents.
It should be possible for a Member State to add an indication, called a flag, to an alert, to the effect that the action to be taken on the basis of the alert will not be taken on its territory. When alerts are entered for arrest for surrender purposes, nothing in this Regulation should be construed so as to derogate from or prevent the application of the provisions contained in the Framework Decision 2002/584/JHA. The decision to add a flag to an alert with a view to the non-execution of a European Arrest Warrant should be based only on the grounds for refusal contained in that Framework Decision.
When a flag has been added and the whereabouts of the person wanted for arrest for surrender become known, the person's whereabouts should always be communicated to the issuing judicial authority, which may decide to transmit a European Arrest Warrant to the competent judicial authority in accordance with the provisions of the Framework Decision 2002/584/JHA.
It should be possible for Member States to establish links between alerts in SIS. The establishment of links between two or more alerts should have no impact on the action to be taken, the review period for alerts or the access rights to the alerts.
Alerts should not be kept in SIS longer than the time required to fulfil the specific purposes for which they were entered. The review periods for different categories of alerts should be appropriate in light of their purpose. Alerts on objects which are linked to an alert on a person should only be kept for as long as the alert on the person is kept. Decisions to retain alerts on persons should be based on a comprehensive individual assessment. Member States should review alerts on persons and objects within the prescribed review periods and should keep statistics on the number of alerts for which the retention period has been extended.
Entering an alert into SIS and extending the expiry date of an alert in SIS should be subject to a proportionality requirement involving examination of whether a concrete case is adequate, relevant and important enough to warrant insertion of an alert in SIS. Where terrorist offences are concerned, the case should be considered adequate, relevant and important enough to warrant an alert in SIS. For public or national security reasons, Member States should be allowed exceptionally to refrain from entering an alert into SIS when it is likely that this would obstruct official or legal inquiries, investigations or procedures.
It is necessary to establish rules concerning the deletion of alerts. An alert should be kept only for the time required to achieve the purpose for which it was entered. Considering the diverging practices of Member States in determining the point in time when an alert has fulfilled its purpose, it is appropriate to set out detailed criteria for each category of alert to determine when it should be deleted.
The integrity of SIS data is of primary importance. Therefore, appropriate safeguards should be provided to process SIS data at central as well as at national level to ensure the end-to-end security of the data. The authorities involved in the data processing should be bound by the security requirements of this Regulation and be subject to a uniform incident reporting procedure. Their staff should be appropriately trained and be informed of any offences and penalties in this respect.
Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation should not be transferred or made available to third countries or to international organisations.
It is appropriate to grant access to SIS to services responsible for registering vehicles, boats and aircraft in order to allow them to verify whether the conveyance concerned is being searched for in Member States for seizure. It is also appropriate to grant access to SIS to services responsible for registering firearms in order to allow them to verify whether the firearm concerned is being searched for in Member States for seizure or whether there is an alert on the person requesting the registration.
Direct access to SIS should only be provided to competent government services. This access should be limited to alerts concerning the respective conveyances and their registration document or number plate or firearms and persons requesting the registration. Any hit in SIS should be reported by such services to the police authorities, who should take further action in line with the particular alert in SIS and notify the issuing Member State of the hit through the SIRENE Bureaux.
Without prejudice to more specific rules laid down in this Regulation, the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 should apply to the processing, including collection and communication of personal data under this Regulation by the national competent authorities for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties. Access to data entered into SIS and the right to search such data by national competent authorities which are responsible for the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties are to be subject to all relevant provisions of this Regulation and those of Directive (EU) 2016/680 as transposed into national law, and in particular to monitoring by the supervisory authorities referred to in Directive (EU) 2016/680.
Without prejudice to more specific rules laid down in this Regulation for the processing of personal data, Regulation (EU) 2016/679 should apply to the processing of personal data by the Member States under this Regulation unless such processing is carried out by the national competent authorities for the purposes of the prevention, investigation, detection or prosecution of terrorist offences or of other serious criminal offences.
Regulation (EU) 2018/1725 of the European Parliament and of the Council (15) should apply to the processing of personal data by the institutions and bodies of the Union when carrying out their responsibilities under this Regulation.
Regulation (EU) 2016/794 of the European Parliament and of the Council (16) should apply to the processing of personal data by Europol under this Regulation.
In cases when searches carried out in SIS by national members of Eurojust and their assistants reveal the existence of an alert entered by a Member State, Eurojust cannot take the requested action. Therefore, it should inform the Member State concerned to allow it to follow up the case.
When using SIS, the competent authorities should ensure that the dignity and integrity of the person whose data are processed are respected. Processing of personal data for the purposes of this Regulation is not to result in discrimination against persons on any grounds, such as sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.
Insofar as confidentiality is concerned, the relevant provisions of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (17) (‘Staff Regulations’), should apply to officials or other servants employed and working in connection with SIS.
Both the Member States and eu-LISA should maintain security plans in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.
The national independent supervisory authorities referred to in Regulation (EU) 2016/679 and Directive (EU) 2016/680 (‘supervisory authorities’) should monitor the lawfulness of the processing of personal data by the Member States under this Regulation, including the exchange of supplementary information. The supervisory authorities should be granted sufficient resources to carry out this task. The rights of data subjects to access, rectify and erase their personal data that is stored in SIS, and any subsequent remedies before national courts as well as the mutual recognition of judgments should be provided for. It is also appropriate to require annual statistics from Member States.
The supervisory authorities should ensure that an audit of the data processing operations in their Member State's national systems is carried out in accordance with international auditing standards at least every four years. The audit should either be carried out by the supervisory authorities, or the supervisory authorities should directly order the audit from an independent data protection auditor. The independent auditor should remain under the control and responsibility of the supervisory authorities concerned which therefore should instruct the auditor themselves and provide a clearly defined purpose, scope and methodology for the audit as well as guidance and supervision concerning the audit and its final results.
The European Data Protection Supervisor should monitor the activities of the Union institutions and bodies in relation to the processing of personal data under this Regulation. The European Data Protection Supervisor and the supervisory authorities should cooperate with each other in monitoring SIS.
The European Data Protection Supervisor should be granted sufficient resources to fulfil the tasks entrusted to it under this Regulation, including assistance from persons with expertise in biometric data.
Regulation (EU) 2016/794 provides that Europol is to support and strengthen actions carried out by the national competent authorities and their cooperation in combating terrorism and serious crime and to provide analysis and threat assessments. The extension of Europol's access rights to alerts on missing persons should further improve Europol's capacity to provide national law enforcement authorities with comprehensive operational and analytical products concerning trafficking in human beings and child sexual exploitation, including online. This would contribute to better prevention of those criminal offences, to the protection of potential victims and to the investigation of perpetrators. Europol's European Cybercrime Centre would also benefit from Europol having access to alerts on missing persons, including in cases of travelling sex offenders and child sexual abuse online, where perpetrators often claim that they have access to children or can get access to children who might have been registered as missing.
In order to bridge the gap in information sharing on terrorism, in particular on foreign terrorist fighters — where monitoring of their movement is crucial — Member States are encouraged to share information on terrorism-related activity with Europol. This information sharing should be carried out through the exchange of supplementary information with Europol on the alerts concerned. For this purpose Europol should set up a connection with the Communication Infrastructure.
It is also necessary to set out clear rules for Europol on the processing and downloading of SIS data to allow it to use SIS comprehensively, provided that data protection standards are complied with as provided for in this Regulation and Regulation (EU) 2016/794. In cases where searches carried out by Europol in SIS reveal the existence of an alert entered by a Member State, Europol cannot take the required action. Therefore it should inform the Member State concerned through the exchange of supplementary information with the respective SIRENE Bureau, to allow that Member State to follow up the case.
Regulation (EU) 2016/1624 of the European Parliament and of the Council (18) provides for the purpose of that Regulation, that the host Member State is to authorise the members of the teams referred to in point (8) of Article 2 of that Regulation, deployed by the European Border and Coast Guard Agency to consult Union databases where this consultation is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return. Other relevant Union agencies, in particular the European Asylum Support Office and Europol, may also deploy experts who are not members of the staff of those Union agencies as part of migration management support teams. The objective of the deployment of the teams referred to in points (8) and (9) of Article 2 of that Regulation is to provide technical and operational reinforcement to the requesting Member States, especially to those facing disproportionate migratory challenges. For the teams referred to in points (8) and (9) of Article 2 of that Regulation to fulfil their tasks, they require access to SIS through a technical interface of the European Border and Coast Guard Agency connecting to Central SIS. In cases where searches in SIS carried out by the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624 or by the teams of staff reveal the existence of an alert entered by a Member State, the member of the team or the staff cannot take the required action unless authorised to do so by the host Member State. Therefore, the host Member State should be informed to allow it to follow up the case. The host Member State should notify the issuing Member State of the hit through the exchange of supplementary information.
Certain aspects of SIS cannot be covered exhaustively by this Regulation given their technical, highly detailed and frequently changing nature. Those aspects include, for example, technical rules on entering data, on updating, deleting and searching data and on data quality and rules related to biometric data, rules on the compatibility and order of priority of alerts, on links between alerts, setting the expiry date of alerts within the maximum time limit and on the exchange of supplementary information. Implementing powers in respect of those aspects should therefore be conferred on the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications.
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (19). The procedure for adopting implementing acts under this Regulation and Regulation (EU) 2018/1861 should be the same.
In order to ensure transparency, two years after the start of operations of SIS pursuant to this Regulation, eu-LISA should produce a report on the technical functioning of Central SIS and the Communication Infrastructure, including their security, and on the bilateral and multilateral exchange of supplementary information. An overall evaluation should be issued by the Commission every four years.
In order to ensure the smooth functioning of SIS, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of new sub-categories of objects to be sought under alerts on objects for seizure or used as evidence in criminal proceedings, and the determination of the circumstances in which photographs and facial images may be used for the identification of persons other than in the context of regular border crossing points. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (20). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Since the objectives of this Regulation, namely the establishment and regulation of a Union information system and the exchange of related supplementary information, cannot be sufficiently achieved by the Member States, but can rather, by reason of their nature, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
This Regulation respects fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. In particular, this Regulation fully respects the protection of personal data in accordance with Article 8 of the Charter of Fundamental Rights of the European Union while seeking to ensure a safe environment for all persons residing on the territory of the Union and special protection for children who could be victims of trafficking or abduction. In cases concerning children, the best interests of the child should be a primary consideration.
In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.
The United Kingdom is taking part in this Regulation in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union annexed to the TEU and to the TFEU and Article 8(2) of Council Decision 2000/365/EC (21).
Ireland is taking part in this Regulation in accordance with Article 5(1) of Protocol No 19 annexed to the TEU and to the TFEU and Article 6(2) of Council Decision 2002/192/EC (22).
As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters' association with the implementation, application and development of the Schengen acquis (23), which fall within the area referred to in Article 1, point (G) of Council Decision 1999/437/EC (24).
As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (25), which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/149/JHA (26).
As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis (27), which fall within the area referred to in Article 1, point (G), of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU (28).
As regards Bulgaria and Romania, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession and should be read in conjunction with Council Decisions 2010/365/EU (29) and (EU) 2018/934 (30).
As regards Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession and should be read in conjunction with Council Decision (EU) 2017/733 (31).
Concerning Cyprus, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(2) of the 2003 Act of Accession.
This Regulation should apply to Ireland on dates determined in accordance with the procedures set out in the relevant instruments concerning the application of the Schengen acquis to this State.
This Regulation introduces a series of improvements to SIS which will increase its effectiveness, strengthen data protection and extend access rights. Certain of those improvements do not require complex technical developments, while others do require technical changes of varying magnitude. In order to enable improvements to the system to become available to end-users as soon as possible, this Regulation introduces amendments to Decision 2007/533/JHA in several phases. A number of improvements to the system should apply immediately upon entry into force of this Regulation, whereas others should apply either one or two years after its entry into force. This Regulation should apply in its entirety within three years after its entry into force. In order to avoid delays in its application the phased implementation of this Regulation should be closely monitored.
Regulation (EC) No 1986/2006 of the European Parliament and of the Council (32), Decision 2007/533/JHA and Commission Decision 2010/261/EU (33) should be repealed with effect from the date of full application of this Regulation.
The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (34) and delivered an opinion on 3 May 2017,