204 Amendments of Ana GOMES related to 2017/0352(COD)
Amendment 195 #
Proposal for a regulation
Recital 3
Recital 3
(3) In its Resolution of 6 July 2016 on the strategic priorities for the Commission Work Programme 201747 , the European Parliament called for proposals to improve and develop existing EU information systems, address information gaps and move towards their interoperability, as well as proposals for compulsory information sharing at EU level, accompanied by the necessary data protection safeguards. Such safeguards should include the prevention of unauthorized access and sharing of data with unauthorized authorities, logging access and usage by authorized users, the implementation of minimum quality standards, ensuring the right to effective remedy and the practical possibility to rebut false assumptions and inaccurate data held by the relevant authorities. _________________ 47 European Parliament resolution of 6 July 2016 on the strategic priorities for the Commission Work Programme 2017 (2016/2773(RSP).
Amendment 197 #
Proposal for a regulation
Recital 8 a (new)
Recital 8 a (new)
(8a) In his Opinion 4/2018 of 16 April 20181a, the European Data Protection Supervisor emphasised that the decision to make large scale IT systems interoperable would not only permanently and profoundly affect their structure and their way of operating, but would also change the way legal principles have been interpreted in this area so far and would as such mark a ‘point of no return’. _________________ 1a http://edps.europa.eu/sites/edp/files/public ation/2018-04- 16_interoperability_opinion_en.pdf
Amendment 198 #
Proposal for a regulation
Recital 8 b (new)
Recital 8 b (new)
(8b) In its Opinion of 11 April 20182a, the Article 29 Data Protection Working Party reiterated that the process towards interoperability of systems raises fundamental questions regarding the purpose, necessity, proportionality of the data processing as well as concerns regarding the principles of purpose limitation, data minimization, data retention and clear identification of a data controller. _________________ 2a http:// ec.europa.eu/newsroom/article29/docume nt.cfm?action=display&doc_id=51517
Amendment 201 #
Proposal for a regulation
Recital 9
Recital 9
(9) With a view to improve the management of the external borders, to facilitating regular border crossings, to contribute to preventing and combating irregular migration, and to contribute to a high level of security within the area of freedom, security and justice of the Union, including the maintenance of public security and public policy and safeguarding the security in the, to assist in the prevention, detection and investigation of territoriest of the Member Statfences or other serious criminal offences, interoperability between EU information systems, namely [the Entry/Exit System (EES)], the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, the Schengen Information System (SIS), and the [European Criminal Records Information System for third-country nationals (ECRIS-TCN)] should be established in sorder foar these EU information systems and their data to supplement each otheras that is possible while respecting the fundamental rights of the individual, in particular, the right to protection of personal data. To achieve this, a European search portal (ESP), a shared biometric matching service (shared BMS), a common identity repository (CIR) and a multiple-identity detector (MID) should be established as interoperability components.
Amendment 203 #
Proposal for a regulation
Recital 10
Recital 10
(10) The interoperability between the EU information systems should allow said systems to supplement each communicate with one another in order to facilitate the correct identification of persons, at external borders, for the purpose of applications of international protection, or in the context of the prevention, detection and investigation of serious criminal offences - including terrorist offences, to contribute to fighting identity fraud, to improve and harmonise data quality requirements of the respective EU information systems, to facilitate the technical and operational implementation by Member States of existing and future EU information systems, to strengthen and simplify the data security and data protection safeguards that govern the respective EU information systems, in particular by ensuring that all Union data protection rules are applicable to all the information systems, and to streamline the law enforcement access to the EES, the VIS, the [ETIAS] and Eurodac, and support the purposes of the EES, the VIS, the [ETIAS], Eurodac, the SIS and the [ECRIS-TCN system].
Amendment 209 #
Proposal for a regulation
Recital 11
Recital 11
(11) The interoperability components should cover the EES, the VIS, the [ETIAS], Eurodac, the SIS, and the [ECRIS-TCN system]. They should also cover the Europol data to the extent of enabling ithat data to be queried simultaneously with these EU information systems.
Amendment 212 #
Proposal for a regulation
Recital 12
Recital 12
(12) The interoperability components should concern persons in respect of whom personal data may be processed in the EU information systems and by Europol, namely third-country nationals whose personal data is processed in the EU information systems and by Europol, and to EU citizens whose personal data is processed in the SIS and by Europol. Interoperability should not concern EU citizens.
Amendment 216 #
Proposal for a regulation
Recital 13
Recital 13
(13) The European search portal (ESP) should be established to facilitate technically the ability of the authorised Member State authorities and EU bodies to have a controlled yet fast, seamless, and efficient, systematic and controlled access to the EU information system access to the relevant EU databases, theo Europol data and theo Interpol databases needed toin so far as this is necessary for the performance of their tasks, and in accordance with their access rights, and to. In that way, the ESP should support the objectives of the EES, the VIS, the [ETIAS], Eurodac, the SIS, the [ECRIS-TCN system] and the Europol data. Enabling the simultaneous querying of all relevant EU information systemdatabases in parallel, as well as of the Europol data and the Interpol databases, the ESP should act as a single window or ‘message broker’ to search various central systems and retrieve the necessary information seamlessly and in full respect of the access control and data protection requirements of the underlying systems.
Amendment 221 #
Proposal for a regulation
Recital 16
Recital 16
(16) To ensure fast and systematiceamless use of all EU information systems, the European search portal (ESP) should be used to query the common identity repository, the EES, the VIS, [the ETIAS], Eurodac and [the ECRIS-TCN system]. However, the national connection to the different EU information systems should remain in order to provide a technical fall back. The ESP should also be used by Union bodies to query the Central SIS in accordance with their access rights and in order to perform their tasks. The ESP should be an additional means to query the Central SIS, the Europol data and the Interpol systems, complementing the existing dedicated interfaces.
Amendment 224 #
Proposal for a regulation
Recital 17
Recital 17
(17) Biometric data, such as fingerprints and facial images, are unique and therefore much more reliable than alphanumeric data for identifying a person. However, biometric data constitute sensitive personal data. This regulation should therefore lay down the basis for and the safeguards for processing of such data for the purpose of uniquely identifying the persons concerned. The shared biometric matching service (shared BMS) should be a technical tool to reinforce and facilitate the work of the relevant EU information systems and the other interoperability components, without duplicating either the storage of the biometric or the storage of biometric templates. The main purpose of the shared BMS should be to facilitate the identification of an individual who may be registered in different databases, by matching their biometric data across different systems and by relying on one unique technological component instead of five different ones in each of the underlying systems. The shared BMS should contribute to security, as well as financial, maintenance and operational benefits by relying on one unique technological component instead of different ones in each of the underlying systems. All automated fingerprint identification systems, including those currently used for Eurodac, the VIS and the SIS, use biometric templates comprised of data derived from a feature extraction of actual biometric samples. The shared BMS should regroup and store all these biometric templates in one single location, facilitating, allow for a cross-system comparisons usingof those biometric data and enabling economies of scale in developing and maintaining the EU central systemstemplates using biometric data.
Amendment 226 #
Proposal for a regulation
Recital 18
Recital 18
Amendment 230 #
Proposal for a regulation
Recital 19
Recital 19
(19) The systems established by Regulation (EU) 2017/2226 of the European Parliament and of the Council54 , Regulation (EC) No 767/2008 of the European Parliament and of the Council55 , [the ETIAS Regulation] for the management of the borders of the Union, the system established by [the Eurodac Regulation] to identify the applicants for international protection and combat irregular migration, and the system established by [the ECRIS-TCN system Regulation] require in order to be effective to rely on the accurate identification of those third-country nationals whose personal data are stored therein. _________________ 54 Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (EES Regulation) (OJ L 327, 9.12.2017, p. 20–82). 55 Regulation (EC) No 767/2008 of the Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).
Amendment 231 #
Proposal for a regulation
Recital 20
Recital 20
Amendment 236 #
Proposal for a regulation
Recital 21
Recital 21
(21) Personal data stored in these EU information systems may relate to the same persons but under different or incomplete identities. Member States dispose of efficient ways to identify their citizens or registered permanent residents in their territory, but the same is not true for third- country nationals. The interoperability between EU information systems should contribute to thelp correctly identification ofy third-country nationals. The common identity repository (CIR) shouldEach individual information system should continue to store the personal data concerning third-country nationals present in the systems that are necessary to enable the more accurate identification of those individuals, therefore including their identity, travel document and biometric data, regardless of the system in which the data was originally collected. Only the personal data strictly necessary to perform an accurate identity check should be stored in the CIR. The personal data recorded in the CIR should be kept for no longer than is strictly necessary for the purposes of the underlying systems and should be automatically deleted when the data is deleted in the underlying systems in accordance with their logical separationquired under their founding regulations. This information will be made interoperable by virtue of the European Search Portal, the Biometric Matching Service and the Multiple Identity Detector.
Amendment 240 #
Proposal for a regulation
Recital 22
Recital 22
(22) The new processing operation consisting in the storage of such data in the common identity repository (CIR) instead of the storage in each of the separate systems is necessary to increase the accuracy of the identificIn order to ensure respect for the principles of purpose limitation and of data minimisation tha, it is made possible by the automated comparison and matching of such data. The fact that the identity and biometric data of third-country nationals isneither necessary nor proportionate to stored in the CIR should not hinder in any way the processing of data for the purposes of the EES, the VIS, the ETIAS, Eurodac or the ECRIS-TCN system Regulations, as the CIR should be a new shared component of those underlying systems.data in an additional repository above and beyond the information systems which are to be made interoperable
Amendment 243 #
Proposal for a regulation
Recital 23
Recital 23
Amendment 245 #
Proposal for a regulation
Recital 24
Recital 24
Amendment 248 #
Proposal for a regulation
Recital 25
Recital 25
Amendment 253 #
Proposal for a regulation
Recital 26
Recital 26
Amendment 256 #
(27) In order to ensureassist in the correct identification of a person, Member State authorities competent forwhere a travel document or other identity document preoventing and combating irregular migration ands insufficient or is unavailable, Member State competent authorities within the meaning of Article 3(7) of Directive 2016/680 should be allowed to query the common identity repository (CIR) with the biometric data of that person taken during an identityEuropean Search Portal (ESP) or the shared Biometric Matching Service (sBMS) and the underlying Union information systems with the biographical or biometric data of that person taken during an identity check provided always that individual concerned is physically present during such a check.
Amendment 261 #
Proposal for a regulation
Recital 28
Recital 28
Amendment 266 #
Proposal for a regulation
Recital 29
Recital 29
(29) Member States should adopt national legislative measures designating the authorities competent to perform identity checks with the use of the common identity repository (CIR)ESP or the sBMS, subject to the physical presence of the individual concerned, and laying down the procedures, conditions and criteria of such identity checks in line with the principle of proportionality. In particular, the power to collect biometric data during an identitSuch an identity check in respect of third-country nationals should be permitted only cwheck of a person present beforere comparable procedures under equivalent conditions exist in the mMember of those authorities should be provided for by national legislative measureState concerned for Union citizens.
Amendment 269 #
Proposal for a regulation
Recital 30
Recital 30
(30) This Regulation should also introduces a new possibility for streamlined access to data beyond identity data present in the EES, the VIS, [the ETIAS] or Eurodac by Member State designated law enforcement authorities and Europol. Data, including data other than identity data contained in those systems, may be necessary for the prevention, detection, investigation and prosecution of terrorist offences or serious criminal offences in a specific case. where there are reasonable grounds to consider that consultation will substantially contribute to the prevention, detection or investigation of the criminal offences in question; in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls under the category of third country nationals whose data are stored in the EES, the VIS, the ETIAS and the Eurodac system. Such streamlined access will be provided after a prior search in the national databases has been carried out and a query of the automated fingerprint identification system of the other Member States under Decision 2008/615/JHA has been launched
Amendment 270 #
Proposal for a regulation
Recital 31
Recital 31
(31) Full access to the necessary data contained in the EU information systems necessary for the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences, beyond the relevant identity data covered under common identity repository (CIR) obtained using biometric data of that person taken during an identity check, should continue to be governed by the provisions in the respective legal instruments. The designated law enforcement authorities and Europol do not always know in advance which of the EU information systems contains data of the persons they need to inquire upon. This results in delays anerefore, following the necessary checks in national databases and where a query of the automated finefficiencies in the conduct of gerprint identification system of the otheir tasks. TMember States under Decision 2008/615/JHA has been launched, the end-user authorised by the designated authority should therefore be allowed to see in which of the EU information systems the data corresponding to the query introduced are recorded. The concerned system would thus be flagged following the automated verification of the presence of a hit in the system (a so-called hit-flag functionality).
Amendment 274 #
Proposal for a regulation
Recital 31 a (new)
Recital 31 a (new)
(31a) Where such a search is carried out, a hit should not be interpreted as a ground or reason to draw conclusions about or undertake measures towards a person, but may be used only for the purpose of submitting an access request to the underlying EU information systems, subject to the conditions and procedures laid down in the respective legislative instruments governing such access. Any such act will be subject to the provisions measures set out in Chapter VII and the safeguards provided for in Regulation EU2016/679, Directive 2016/680 or Regulation EC 45/2001.
Amendment 277 #
Proposal for a regulation
Recital 32
Recital 32
(32) The logs of the queries of the common identity repositoryEU information systems should indicate the purpose of the query. Where such a query was performed using the two- step data consultation approach, the logs should include a reference to the national file of the investigation or case, therefore indicating that such query was launched for the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences.
Amendment 279 #
Proposal for a regulation
Recital 33
Recital 33
(33) The query of the common identity repository (CIR)EU information systems by Member State designated authorities and Europol in order to obtain a hit-flag type of response indicating the data is recorded in the EES, the VIS, [the ETIAS] or Eurodac requires automated processing of personal data. A hit-flag wshould not reveal personal data of the concerned individual other thanonly an indication that some of his or her data are stored in one of the systems, provided the authority making the search has access to that system. No adverse decision for the concerned individual should be made by the authorised end-user solely on the basis of the simple occurrence of a hit-flag, and the hit-flag should be used by the relevant authorities only for the purpose of deciding which database to query. Access by the end-user of a hit-flag would therefore realise a very limitedconstitute an interference with the right to protection of personal data of the concerned individual, while it would be necessary to allow the designated authority and Europol to address its request for access for personal data more effectively directly to the system that was flagged as containing and therefore should comply with the principles of necessity and proportionality.
Amendment 283 #
Proposal for a regulation
Recital 34
Recital 34
(34) The two-step data consultation approach is particularly valuable in cases where the suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence is unknown. In those cases the common identity repository (CIR) should enable, using the European Search Portal or the shared Biometric Matching Service should enable the relevant authority to identifying the information system that knows the person in one single searchsuspect, perpetrator or suspected victim in one single search, following the necessary checks in national databases and once a query of the automated fingerprint identification system of other Member States under Decision 2008/615/JHA has been launched. By creating the obligation to use this new law enforcement access approach in these cases, access to the personal data stored in the EES, the VIS, [the ETIAS] and Eurodac should take place without the requirements of a prior search in national databases and the launch of a prior search in the automated fingerprint identification system (‘AFIS’) of other Member States under Decision 2008/615/JHA. The principle of prior search effectively limits the possibility of Member State’ authorities to consult systems for justified law enforcement purposes and could thereby result in missed opportunities to uncover necessary information. The requirements of a prior search in national databases and the launch of a priin national databases and AFIS which were designed specifically for preventing, detecting and investigating terrorist offences or other serious criminal offences before searching in othe automated fingerprint identification system of other Member States under Decision 2008/615/JHA should only cease to apply oncr EU information systems which do not have that as their primary purpose the alternative safeguard of the two- step approach to law enforcement access through the CIR has become operational. lps to ensure the necessity and proportionality of such a search.
Amendment 287 #
Proposal for a regulation
Recital 35
Recital 35
(35) The multiple-identity detector (MID) should be established to support the functioning of the common identity repository and to support the objectives of the EES, the VIS, [the ETIAS], Eurodac, the SIS and [the ECRIS- TCN system]. In order to be effective in fulfilling their respective objectives, all of these EU information systems require the accurate identification of the persons whose personal data are stored therein.
Amendment 288 #
Proposal for a regulation
Recital 36
Recital 36
(36) The possibility to achievo better realise the objectives of the EU information systems is undermined by the current inability for, the authorities using theose systems should be able to conduct sufficiently reliable verifications of the identities of the third-country nationals whose data are stored in different systems. That inability is determined by the fact that the set of identity data stored in a given individual system may be fraudulent, incorrect, or incomplete of fraudulent, and that there is currently no possibility to detect such fraudulent,way of detecting incorrect or, incomplete or fraudulent identity data by way of comparison with data stored in another system. To remedy this situation it is necessary to have a technical instrument at Union level allowing accurate identification of third-country nationals for these purposes.
Amendment 292 #
Proposal for a regulation
Recital 37
Recital 37
(37) The multiple-identity detector (MID) should create and store links between data in the different EU information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The creation of those links constitutes automated decision-making as referred to in Regulation (EU) 2016/679 and in Directive(EU) 2016/680 and therefore requires transparency towards the individuals affected and the implementation of necessary safeguards in accordance with EU data protection rules. The MID should only contain the links between individuals present in more than one EU information system, strictly limited to the data necessary to verify that a person is recorded lawfully or unlawfully under different biographical identities in different systems, or to clarify that two persons having similar biographical data may not be the same person. Data processing through the European search portal (ESP) and the shared biometric matching service (shared BMS) in order to link individual files across individual systems should be kept to an absolute minimum and therefore is limited to a multiple-identity detection at the time new data is added to one of the information systems included in the common identity repository and inEES, the VIS, [the ETIAS], Eurodac or the SIS. The MID should include safeguards against potential discrimination or unfavourable decisions for persons with multiple lawful identities.
Amendment 297 #
Proposal for a regulation
Recital 39
Recital 39
(39) The European search portal (ESP) and shared biometric matching service (shared BMS) should compare data in common identity repository (CIR)the EES, the VIS, [the ETIAS], Eurodac and the SIS on persons when new records are created by a national authority or an EU body. Such a comparison should be automated. The CIR and the SISose EU information systems should use the shared BMS to detect possible links on the basis of biometric data. The CIR and the SIS and should use the ESP to detect possible links on the basis of alphanumeric data. The CIR and the SISose EU information systems should be able to identify identical or similar data on the third-country national stored across several systems. Where such is the case, a link indicating that it is the same person should be established. The CIR and the SISNew interoperability components should be configured in such a wayso that small transliteration or spelling mistakes are detected in such a way as not to create any unjustified hindrance to the concernedor interference with the fundamental rights of the third-country national. concerned
Amendment 300 #
Proposal for a regulation
Recital 40
Recital 40
(40) The national authority or EU body that recorded the new data in the respective EU information system should confirm or change these links. This authority should have access to the identity data stored in the common identity repository (CIR) or the SIS and in the multiple-identity detector (MID)ose EU information systems for the purpose of the manual identity verification.
Amendment 303 #
Proposal for a regulation
Recital 41
Recital 41
(41) Access to the multiple-identity detector (MID) by Member State authorities and EU bodies having access to at least one of the relevant EU information system included in the common identity repository (CIR) or to the SIS should be limited to so called red links, where the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner, or where the linked data has similardifferent identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner. Where the linked identity data isare not similar, a yellow link should be established and a manual verification should take place in order to confirm the link or change its colour accordingly.
Amendment 305 #
Proposal for a regulation
Recital 42
Recital 42
(42) The manual verification of multiple identities should be ensured by the authority creating or updating the data that triggered a hit resulting in a link with data already stored in another EU information system as described in this Regulation in full respect of access rights granted under Union and national law. The authority responsible for the verification of multiple identities should assess whether there are multiple lawful or unlawful identities. Such assessment should be performed where possibleonly in the presence of the third-country national and where necessary by requesting additional clarifications or information. Such assessment should be performed without delay, in line with legal requirements for the accuracy of information under Union and national law.
Amendment 307 #
Proposal for a regulation
Recital 43
Recital 43
(43) FBy way of derogation, for the links obtained in relation to the Schengen Information System (SIS) related to the alerts in respect of persons wanted for arrest or for surrender or extradition purposes, on missing or vulnerable persons, on persons sought to assist with a judicial procedure, on persons for discreet checks or specific checks or on unknown wanted persons, the authority responsible for the verification of multiple identities should be the SIRENE Bureau of the Member State that created the alert. Indeed those categories of SIS alerts are sensitive and should not necessarily be shared with the authorities creating or updating the data in one of the other EU information systems. The creation of a link with SIS data should be without prejudice to the actions to be taken in accordance with the [SIS Regulations].
Amendment 309 #
Proposal for a regulation
Recital 44
Recital 44
(44) eu-LISA should establish automated data quality control mechanisms and common data quality indicators. eu- LISA should be responsible tofor developing a central monitoring capacity for data quality, and tofor produceing regular data analysis reports to improve the control ofsupervision of the Member States’ implementation and application by Member States of EU information systems. The common quality indicators should include the minimum quality standards to store data in the EU information systems or the interoperability components. The goal of such a data quality standards should be for the EU information systems and interoperability components to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions.
Amendment 313 #
Proposal for a regulation
Recital 46
Recital 46
(46) The Universal Message Format (UMF) should establish a standard for structured, cross-border information exchange between information systems, authorities and/or organisations in the field of Justice and Home affairs. UMF should define a common vocabulary and logical structures for commonly exchanged information with the objective tof facilitateing interoperability by enabling the creation and reading of the contents of the exchange in a consistent and semantically equivalent manner.
Amendment 317 #
Proposal for a regulation
Recital 47
Recital 47
(47) A central repository for reporting and statistics (CRRS) should be established to generate cross-system statistical data and analytical reporting for policy, operational and data quality purposes in line with the objectives of the underlying systems and inconformity with their respective legal bases. eu-LISA should establish, implement and host the CRRS in its technical sites. The CRRS should containing only anonymous statistical data from the above-menrelevant EU informationed systems, the common identity repository, the multiple-identity detector and the shared biometric matching service (shared BMS). The data contained in the CRRS should not enableallow for the identification of individuals. eu- LISA should immediately render the data anonymous and should record only such anonymousised data in the CRRS. The process for rendering the data anonymous should be automated and no direct access by eu- LISA staff should be granted to any personal data stored in the EU information systems or in the interoperability components.
Amendment 318 #
Proposal for a regulation
Recital 48
Recital 48
(48) Regulation (EU) 2016/679 should apply to the processing of personal data under this Regulation by national authorities unless such processing is carried out by the designated authorities or central access points of the Member States for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences, whenin which case Directive (EU) 2016/680 of the European Parliament and of the Council should apply.
Amendment 319 #
Proposal for a regulation
Recital 49
Recital 49
Amendment 326 #
Proposal for a regulation
Recital 57
Recital 57
(57) The costs for the development of the interoperability components projected under the current Multiannual Financial Framework are lower than the remaining amount on the budget earmarked for Smart Bremaining amount on the budget earmarked for developing IT systems supporting the management of migration flows across the external borders in Regulation (EU) No 515/2014 of the European Parliament and the Council57. Accordingly, should be reallocated to this Regulation, pursuant to Article 5(5)(b) of Regulation (EU) No 515/2014, should reallocate the amount currently attributed for developing IT systems supporting the management of migration flows across the external borders. _________________ 57 Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing as part of the Internal Security Fund, the Instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).
Amendment 329 #
Proposal for a regulation
Recital 58
Recital 58
(58) In order to supplement certain detailed technical aspects of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, power should be delegated to the Commission in respect of the profiles for the users of the European search portal (ESP) and the content and format of the ESP replies,the content and format of the ESP replies, the procedures to determine the cases where identity data can be considered as identical or similar, and the rules on the operation of the Central Repository for Reporting and Statistics, including specific safeguards for processing of personal data and security rules applicable to the repository. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201658 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member State experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. _________________ 58 http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv:OJ.L_.2016. 123.01.0001.01.ENG.
Amendment 330 #
Proposal for a regulation
Recital 59
Recital 59
(59) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to adopt detailed rules on: automated data quality control mechanisms, procedures and indicators; development of the UMF standard; procedures for determining cases of similarity of identities; the operation of the central repository for reporting and statistics; and cooperation procedure in case of security incidents. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council59 . _________________ 59 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
Amendment 332 #
Proposal for a regulation
Recital 60
Recital 60
Amendment 334 #
Proposal for a regulation
Recital 60 a (new)
Recital 60 a (new)
(60a) This Regulation should contain clear provisions on liability and right to compensation for unlawful processing of personal data or from any other act incompatible with it, without prejudice to the right to compensation from, and liability of the controller or processor under Regulation (EU) 2016/679, Directive EU 2016/680 and Regulation EU45/2001. With regard to EU-LISA as a data processor, it should be responsible for the damage provoked, if and where it does not comply with the specific obligations of this Regulation, or where it has acted outside or contrary to lawful instructions of the Member State designated as the data controller.
Amendment 336 #
Proposal for a regulation
Recital 68 a (new)
Recital 68 a (new)
(68a) Article 8 (2) of the European Convention on Human Rights states that any interference with the right to respect for private life, must pursue a legitimate aim and must be both necessary and proportionate except in such cases when, in accordance with the law such an action is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Amendment 337 #
Proposal for a regulation
Recital 68 b (new)
Recital 68 b (new)
(68b) Article 52(1) of the Charter of Fundamental Rights states that any limitation on the exercise of rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms and be subject to the principle of proportionality. Limitations may be made only if they are necessary if they genuinely meet the objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
Amendment 338 #
Proposal for a regulation
Recital 68 c (new)
Recital 68 c (new)
(68c) One of the core principles of data protection is data minimisation as highlighted in Article 5 (1)(c) of the GDPR1a which states that the processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed _________________ 1a REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Amendment 339 #
Proposal for a regulation
Recital 68 d (new)
Recital 68 d (new)
Amendment 342 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation, together with [Regulation 2018/xx on interoperability borders and visa], establishes a framework to ensure the interoperability between the Entry/Exit System (EES), the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, and the Schengen Information System (SIS), and [the European Criminal Records Information System for third-country nationals (ECRIS-TCN)] in order for those systems and data to supplement each otherto be interoperable.
Amendment 347 #
Proposal for a regulation
Article 1 – paragraph 2 – point c
Article 1 – paragraph 2 – point c
Amendment 357 #
Proposal for a regulation
Article 2 – paragraph 1 – introductory part
Article 2 – paragraph 1 – introductory part
1. By ensuring interoperability, the purpose of this Regulation shall have the following objectivesbe to support the objectives referred to respectively in Article 6 of Regulation (EU) 2017/226; Articles 2 and 3 of Regulation (EC) No 767/2008;Article 4 of Regulation (EU) 2018/xxx [ETIAS Regulation]; Article 1 of Regulation(EU) No 603/2013; Article 1 of Regulation (EU) 2018/xxx [on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation]; Article 1 of Regulation (EU) 2018/xxx [on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks]; Article 3 of Regulation (EU) 2018/xxx [on the use of the Schengen Information System for the return of illegally-staying third-country nationals], and Article 2 of [the ECRIS- TCN] Regulation; and in particular:
Amendment 358 #
Proposal for a regulation
Article 2 – paragraph 1 – point a
Article 2 – paragraph 1 – point a
(a) to improve the management ofenhance the effectiveness and efficiency of border checks at the external borders;
Amendment 361 #
Proposal for a regulation
Article 2 – paragraph 1 – point b
Article 2 – paragraph 1 – point b
(b) to contribute to preventing and combatingthe management of irregular migration flows;
Amendment 363 #
Proposal for a regulation
Article 2 – paragraph 1 – point b a (new)
Article 2 – paragraph 1 – point b a (new)
(ba) to facilitate the smooth entry into the Union of bona fide third-country travellers;
Amendment 370 #
Proposal for a regulation
Article 2 – paragraph 2 – introductory part
Article 2 – paragraph 2 – introductory part
2. Those objectives of ensuring interoperability shall be achieved by:
Amendment 372 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
Article 2 – paragraph 2 – point a
(a) ensuring the correct identification of persons;third country nationals
Amendment 375 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
(b) contributing to fighcombatting identity fraud;
Amendment 380 #
Proposal for a regulation
Article 2 – paragraph 2 – point e
Article 2 – paragraph 2 – point e
(e) strengthening and simplifying and making more uniform the data security and data protection conditions that govern the respective EU information systems;, without prejudice to the special protection and safeguards afforded to certain categories of data.
Amendment 385 #
Proposal for a regulation
Article 2 – paragraph 2 – point f
Article 2 – paragraph 2 – point f
(f) streamlining thensuring the necessary and proportionate conditions for law enforcement access to the EES, the VIS, [the ETIAS] and Eurodac;
Amendment 393 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
3. This Regulation applies to persons in respect of whom personal data may be processed in the EU information systems referred to in paragraph 1 and in the Europol data referred to in paragraph 2, only for the purposes as defined in the underlying legal basis for those information systems.
Amendment 401 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19
Article 4 – paragraph 1 – point 19
(19) ‘Europol data’ means personal data providcessed toby Europol for the purpose referred to in Article 18(2)(a) of Regulation (EU) 2016/794;
Amendment 403 #
Proposal for a regulation
Article 4 – paragraph 1 – point 21
Article 4 – paragraph 1 – point 21
(21) ‘match’ means the existence of an exact correspondence established by comparing two or more occurrences of personal data recorded or being recorded in an information system or database;
Amendment 404 #
Proposal for a regulation
Article 4 – paragraph 1 – point 25
Article 4 – paragraph 1 – point 25
(25) ‘terrorist offence’ means an offence under national law which corresponds or is equivalent to one of the offences referred to in Directive (EU) 2017/541;
Amendment 406 #
Proposal for a regulation
Article 4 – paragraph 1 – point 35
Article 4 – paragraph 1 – point 35
Amendment 415 #
Proposal for a regulation
Article 5 – title
Article 5 – title
5 Non-discriminationFundamental Rights
Amendment 419 #
Amendment 423 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 (new)
Article 5 – paragraph 1 – subparagraph 1 (new)
One year after the date of entry into force of this legislation, the Commission shall conduct an ex-post evaluation which aims at assessing the impact of interoperability on the right to non-discrimination
Amendment 425 #
Proposal for a regulation
Article 5 – paragraph 1 a (new)
Article 5 – paragraph 1 a (new)
The Commission should be empowered, through a delegated act, to task EU-LISA with the development of pop-up alerts within the system which would help end- users identify when matches have a higher risk of being false, and would thus require manual verification to ascertain if the match is correct or not.
Amendment 427 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. A European search portal (ESP) is established for the purposes of ensuring that Member State authorities and EU bodies have fast, seamless, efficient, systematic and controlled access to the EU information systems, the Europol data and the Interpol databases that they need to perform their tasks in accordance with their access rights and of supporting the objectives of those EES, the VIS, [the ETIAS], Eurodac, the SIS, [the ECRIS- TCN system] and the Europol dataU information systems and of the SIS and with their access rights under the relevant legal basis.
Amendment 433 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) a secure communication infrastructure between the ESP and the EES, the VIS, [the ETIAS], Eurodac, the Central-SIS, [the ECRIS-TCN system], the Europol data and the Interpol databases as well as between the ESP and the central infrastructures of the common identity repository (CIR) and the multiple-identity detector.
Amendment 437 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The use of the ESP shall be reserved to the Member State authorities and EU bodies having access to the EES, [the ETIAS], the VIS, the SIS, Eurodac and [the ECRIS-TCN system], to the CIR and the multiple-identity detector as well as the Europol data and the Interpol databases in accordance with Union or national law governing such access.
Amendment 439 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. The authorities referred to in paragraph 1 shall use the ESPWhere they are required under Union law to search data related to persons or their travel documents in the central systems of Eurodac and [the ECRIS-TCN system] in accordance with their accEES, the VIS and [the ETIAS], the authoritiess rights under Union and national law. Theyeferred to in paragraph 1 shall also use the ESP to query the CIRsearch such data in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22Union and national law.
Amendment 442 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. The EU bodWhere they are so required under Union law, EU Agencies shall use the ESP to search data related to persons or their travel documents in the Central SIS.
Amendment 445 #
Proposal for a regulation
Article 7 – paragraph 5
Article 7 – paragraph 5
5. TWhere so required under Union or national law, the authorities referred to in paragraph 1 may use the ESP to search data related to persons or their travel documents in the Europol data in accordance with their access rights under Union and national law.
Amendment 446 #
Proposal for a regulation
Article 7 – paragraph 5 a (new)
Article 7 – paragraph 5 a (new)
5a. The data owners referred in this article shall not be notified that a search has taken place.
Amendment 450 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
Article 8 – paragraph 1 – point c a (new)
(ca) the purpose of the use of ESP by this category of user;
Amendment 452 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2a. eu-LISA shall review regularly – and at least once a year after their creation - the user profiles referred to in paragraph one, and shall update and delete those profiles where necessary.
Amendment 455 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The users of the ESP shall launch a query by introducing data in the ESP in accordance with their user profile and access rights. Where a query has been launched, the ESP shall query simultaneously, with the data introduced by the user of the ESP, the EES, [the ETIAS], the VIS, the SIS, Eurodac, [the ECRIS-TCN system] and the CIR as well as the Europol databases and the Interpol databases.
Amendment 461 #
Proposal for a regulation
Article 9 – paragraph 4
Article 9 – paragraph 4
4. The EES, [the ETIAS], the VIS, the SIS, Eurodac, [the ECRIS-TCN system], the CIR and the multiple-identity detector, as well as the Europol data and the Interpol databases, shall provide the data that they contain resulting from the query of the ESP.
Amendment 462 #
Proposal for a regulation
Article 9 – paragraph 5
Article 9 – paragraph 5
5. When querying the Interpol databases, the design of the ESP shall ensure that the data used by the user of the ESP to launch a query, or any other data, is not shared with the owners of Interpol data. As regards to data on individuals registered in Eurodac, it must be ensured that the database owner does not receive information on whether their databases have been queried through the ESP.
Amendment 466 #
Proposal for a regulation
Article 9 – paragraph 6
Article 9 – paragraph 6
6. The reply to the user of the ESP shall be unique and shall contain all the data to which the user has access under Union law. Where necessary, the reply provided by the ESP shall indicate to which information system or database the data belongsThe ESP shall provide no information regarding data in information systems to which the user has no access under Union law.
Amendment 477 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities designated pursuant to Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. Those logs shall be protected by appropriate measures against unauthorised access and erased onetwo years after their creation, unless they are required for monitoring procedures that have already begun.
Amendment 480 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. Where it is technically impossible to use the ESP to query one or several EU information systems referred to in Article 9(1) or the CIR, because of a failure of the ESP, the users of the ESP shall be notified by eu- LISA.
Amendment 484 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. Where it is technically impossible to use the ESP to query one or several EU information systems referred to in Article 9(1) or the CIR, because of a failure of the national infrastructure in a Member State, that Member State's competent authority shall notify eu-LISA and the Commission.
Amendment 488 #
Proposal for a regulation
Article 11 – paragraph 3
Article 11 – paragraph 3
3. In both scenarios, and until the technical failure is addressed, the obligation referred to in Article 7(2) and (4) shall not apply and Member States may access the information systems referred to in Article 9(1) or the CIR directly using their respective national uniform interfaces or national communication infrastructures.
Amendment 492 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. A shared biometric matching service (shared BMS) storing biometric templates andhall be established to enablinge querying with biometric data across several EU information systems is established for the purposes of supporting the CIR, the SIS, and the multiple-identity detector and to support the objectives of the EES, the VIS, Eurodac, the SIS and [the ECRIS- TCN system].
Amendment 495 #
Proposal for a regulation
Article 12 – paragraph 2 – point a
Article 12 – paragraph 2 – point a
(a) a central infrastructure, including a search engine and the storage of the data referred to in Article 13;
Amendment 498 #
Proposal for a regulation
Article 12 – paragraph 2 – point b
Article 12 – paragraph 2 – point b
(b) a secure communication infrastructure between the shared BMS, Central-SIS, the EES, the VIS, EURODAC and [the CIRECRIS-TCN system].
Amendment 500 #
3. eu-LISA shall develop the shared BMS and ensure its technical management. It shall not, however, have access to any of the personal data processed through the shared BMS.
Amendment 501 #
Proposal for a regulation
Article 13
Article 13
Amendment 519 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
In order to search the biometric data stored within the CIR andEES, the SVIS, the CIR and the SIEURODAC, [the ECRIS-TCN system] and the SIS, the shared BMS shall uscompare the biometric templatesdata stored in the shared BMSunderlying systems for a match. Queries with biometric data shall take place in accordance with the purposes provided for in this Regulation and in the EES Regulation, the VIS Regulation, the Eurodac Regulation, the [SIS Regulations] and [the ECRIS-TCN Regulation].
Amendment 531 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities designated pursuant to Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. Those logs shall be protected by appropriate measures against unauthorised access and erased onetwo years after their creation, unless they are required for monitoring procedures that have already begun. The logs referred to in paragraph 1(a) shall be erased once the data is erased.
Amendment 534 #
Proposal for a regulation
Article 17
Article 17
Amendment 540 #
Proposal for a regulation
Article 18
Article 18
Amendment 547 #
Proposal for a regulation
Article 19
Article 19
Adding, amending and deleting data in the common identity repository 1. deleted in Eurodac or [the ECRIS-TCN system], the data referred to in Article 18 stored in the individual file of the CIR shall be added, amended or deleted accordingly in an automated manner. 2. Where the multiple-identity detector creates a white or red link in accordance with Articles 32 and 33 between the data of two or more of the EU information systems constituting the CIR, instead of creating a new individual file, the CIR shall add the new data to the individual file of the linked data.rticle 19 deleted Where data is added, amended or
Amendment 551 #
Proposal for a regulation
Article 20 – title
Article 20 – title
20 Access to the common identity repositoryUse of the ESP and shared BMS for identification
Amendment 552 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Article 20 – paragraph 1 – subparagraph 1
Where a Member State police authority is unable to identify a person on the basis of his/her travel document, or of another credible document proving his/her identity, or with the identity data provided by that person in accordance with rules and procedures laid down in national law, and where a Member State police authority has been so empowered by national legislative measures as referred to in paragraph 2, it may, in the presence of that person, and solely for the purpose of identifying athat person, query the CIR with theESP or the shared BMS with the biographical or biometric data of that person taken during anthe identity check.
Amendment 556 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Article 20 – paragraph 1 – subparagraph 2
Where the query indicates that data on that person is stored in the CIREU information systems or the SIS, the Member States police authority shall have access to consult the following data: (a) the data referred to in [Article 18(1)6(1)(a) to (d) and Article 17(1)(a) to (c) of the EES Regulation]; (b) the data referred to in Article 9(4)(a) to (c), (5)and (6) of Regulation (EC) No767/2008; and (c) [the data referred to in Article 15(2)(a) to (e) of the ETIAS Regulation].
Amendment 558 #
Amendment 563 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. Member States wishing to avail themselves of the possibility provided for in this Article shall adopt national legislative measures. Such legislative measures shall specify the precise purposes of identity checks within the purposes referred to in Article 2(1)(b) and (c). TWithout prejudice to the first subparagraph of paragraph 1, they shall designate the police authorities competent and lay down the procedures, conditions and criteria ofor such checks.
Amendment 567 #
Proposal for a regulation
Article 21 – title
Article 21 – title
21 Access to the common identity repositoryEU information systems for the detection of multiple identities
Amendment 568 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
1. Where a query of the CIRcarried out in accordance with Article 20 results in a yellow link in accordance with Article 28(4), the authority responsible for the verification of different identities determined in accordance with Article 29 shall have access, solely for the purpose of that verification, to the identity data stored in the CIR belonging to the various information systems connected to athat yellow link.
Amendment 569 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. Where a query of the CIRcarried out in accordance with Article 20 results in a red link in accordance with Article 32, the authorities referred to in Article 26(2) shall have access, solely for the purposes of fighting identity fraud, to the identity data stored in the CIR belonging to the various information systems connected to a red link.
Amendment 572 #
Proposal for a regulation
Article 22 – title
Article 22 – title
22 Querying the common identity repositoryEU information systems for law enforcement purposes
Amendment 573 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. For the purposes ofWhere there are reasonable grounds to believe that consultation of EU information systems will substantially contribute to the preventiong, detecting andon or investigatingon of the terrorist offences or other serious criminal offences, in a specific case and in order particular where there is a substantiated suspicion that the suspect, perpetrator obtain information on whether data on a specific person is present in Eurodacr victim of a terrorist offence or other serious criminal offence falls under the category of third country nationals whose data are stored in [the EES], the VIS, [the ETIAS] or the Eurodac system, and where a prior search in national databases has been carried out and a query of the automated fingerprint identification system of the other Member States under Decision 2008/615/JHA has been launched, the Member States designated authorities and Europol may consult the CIR. use the ESP and the shared BMS in order to obtain information on whether data on a specific person is present in the EES, the VIS and [the ETIAS]
Amendment 575 #
Proposal for a regulation
Article 22 – paragraph 1 a (new)
Article 22 – paragraph 1 a (new)
1a. The central access points established in Article 50(2) [ETIAS Regulation], Article29(3) of Regulation (EU) 2017/2226 and Article 3(2) of Regulation 767/2008 shall monitor the use made of the possibility provided for in paragraph 1. For that purpose, regular ex-post evaluations of this possibility shall be made and used for self-monitoring as referred to in Article 45. The central access points shall transmit a report to the supervisory authorities referred to in Article 49 every two years on the use made of this provision.
Amendment 577 #
Proposal for a regulation
Article 22 – paragraph 2
Article 22 – paragraph 2
2. Member State designated authorities and Europol shall not be entitled to consult data belonging to [the ECRIS-TCN] when consultusing the CIRESP or shared BMS for the purposes listed in paragraph 1.
Amendment 578 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. Where, in reply to a query the CIRESP or the shared BMS indicates that data on that person is present in the Eurodac, the CIRESP or shared BMS shall provide to Member States' designated authorities andor to Europol a reply in the form of a reference indicating which of the information systems contains matching data referred to in the second subparagraph of Article 18(220(1). The CIRESP or shared BMS shall reply in such a way that the security of the data is not compromised. The reply indicating that data on a subject is present in any system may be used only for the purpose of submitting an access request, subject to the conditions and procedures laid down in the respective legislative instruments governing such access.
Amendment 582 #
Proposal for a regulation
Article 23
Article 23
Amendment 585 #
Proposal for a regulation
Article 24
Article 24
Amendment 599 #
Proposal for a regulation
Article 25 – paragraph 1
Article 25 – paragraph 1
1. A multiple-identity detector (MID) is established to creatinge and storinge links between data in the EU information systems included in the common identity repository (CIR) and the SIS, and as a consequence to detecting multiple identities, with the dual purpose ofin order to facilitatinge identity checks and combating identity fraud, is established for the purpose ofand thus in order to supporting the functioning of the CIR and the objectives of the EES, the VIS, the ETIAS], Eurodac, the SIS and [the ECRIS-TCN system].
Amendment 601 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
Article 25 – paragraph 2 – point b
(b) a secure communication infrastructure to connect the MID with the SIS and the central infrastructures of the European search portal and the CIR.EES, [the ETIAS], the VIS, Eurodac and [the ECRIS-TCN system
Amendment 602 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. eu-LISA shall develop the MID and ensure its technical management. It shall not, however, have access to any of the personal data processed through the MID.
Amendment 607 #
Proposal for a regulation
Article 26 – paragraph 1 – point e
Article 26 – paragraph 1 – point e
(e) the SIRENE Bureaux of the Member State creating or updating a [Regulation on SIS in the field of law enforcement or Regulation on SIS in the field of illegal return];
Amendment 608 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
2. Member State authorities and EU bodies having access to at least one EU information system included in the common identity repository or to the SIS shall have access to the data referred to in Article 34(a) and (b) regarding any red links as referred to in Article 32, only indicating a reference to the information systems to which Member States authorities and EU agencies have access respective of the access rights under Union and national law.
Amendment 611 #
Proposal for a regulation
Article 27 – paragraph 1 – introductory part
Article 27 – paragraph 1 – introductory part
1. A multiple-identity detection in the common identity repository and theEU information systems and SIS shall be launched where:
Amendment 612 #
Proposal for a regulation
Article 27 – paragraph 1 – point e a (new)
Article 27 – paragraph 1 – point e a (new)
(ea) The multiple-identity detection using the data referred to in paragraph 1(c) shall be launched only where an application file in ETIAS can be verified against an individual file in the EES.
Amendment 613 #
Proposal for a regulation
Article 27 – paragraph 2
Article 27 – paragraph 2
2. Where the data contained within an information system as referred to in paragraph 1 contains biometric data, the common identity repository (CIR)at information system and the Central-SIS shall use the shared biometric matching service (shared BMS) in order to perform the multiple-identity detection. The shared BMS shall compare the new biometric templatesdata obtained from any new biometric data to thethe relevant information system against any biometric templatesdata already contained in the shared BMSother information systems in order to verify whether or not data belonging to the same third-country national is already stored in the CIR or in the Central SISanother information system.
Amendment 615 #
Proposal for a regulation
Article 27 – paragraph 3 – introductory part
Article 27 – paragraph 3 – introductory part
3. In addition to the process referred to in paragraph 2, the CIRinformation system and the Central- SIS shall use the European search portal to search the data stored in the CIRall the EU information systems and the Central-SIS using the following data:
Amendment 619 #
Proposal for a regulation
Article 28 – paragraph 2 – subparagraph 1
Article 28 – paragraph 2 – subparagraph 1
Where the query laid down in Article 27(2) and (3) reports one or several hit(s), the common identity repository andEU information systems concerned including, where relevant, the SIS shall create a link between the data used to launch the query and the data triggering the hit.
Amendment 620 #
Proposal for a regulation
Article 28 – paragraph 5
Article 28 – paragraph 5
5. The Commission shall lay down the procedures to determine the cases where identity data can be considered as identical or similar in implementingdelegated acts. Those implementingdelegated acts shall be adopted in accordance with the examination procedure referred to in Article 64(2)Article 63. Such acts must be designed in a manner that ensures the protection of persons with multiple lawful identities against discrimination.
Amendment 625 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 1 – point e
Article 29 – paragraph 1 – subparagraph 1 – point e
(e) the SIRENE Bureaux of the Member State for hits that occurred when creating or updating a SIS alert in accordance with the [Regulations on SIS in the field of law enforcement and on SIS in the field of illegal return];
Amendment 626 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 2
Article 29 – paragraph 1 – subparagraph 2
The multiple-identity detector shall indicate the authority responsible for the verification of different identities in the identity verification file. The authority adding the last data that triggered the link as referred to in Article 30, shall be responsible for the verification of the different identities. In the absence of access rights to be informed of such a link, a competent authority of the Member State having added the last data triggering the link and having access rights to the link data will be informed in an automatic manner as to undertake verification of the different identities in the identity verification confirmation file.
Amendment 627 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 2 a (new)
Article 29 – paragraph 1 – subparagraph 2 a (new)
The authority responsible shall verify the identity as soon as possible and, in any event, within eight hours. If verification proves impossible, the border authorities shall carry out the verification when the person concerned next enters or exits an external border.
Amendment 632 #
Proposal for a regulation
Article 29 – paragraph 3
Article 29 – paragraph 3
3. Without prejudice to paragraph 4, the authority responsible for verification of different identities shall have access to the related data contained in the relevant identity confirmation file and to the identity data linked in the common identity repositoryrelevant information systems and, where relevant, in the SIS, and shall assess the different identities and shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay.
Amendment 634 #
Proposal for a regulation
Article 29 – paragraph 4 a (new)
Article 29 – paragraph 4 a (new)
4a. The verification of different identities shall, as a rule, take place in the presence of the person concerned who should be offered the opportunity to explain the circumstances to the authority responsible, which should take those explanations into account.
Amendment 635 #
Proposal for a regulation
Article 29 – paragraph 5
Article 29 – paragraph 5
5. Where more than one link is obtained, the authority responsible for the verification of different identities shall assess each link separately. The authority responsible must ensure that the data subject is given the possibility to explain plausible reasons why there may be contradicting information within the different IT systems.
Amendment 636 #
Proposal for a regulation
Article 29 – paragraph 6 a (new)
Article 29 – paragraph 6 a (new)
6a. The authority responsible for the manual verification of multiple identities must also assess whether there are plausible arguments presented by the third country national when deciding on the colour of the links. Such assessment should be performed, where possible, in the presence of the third-country national and, where necessary, by requesting additional clarifications or information. Such assessment should be performed without delay, in line with legal requirements for the accuracy of information under Union and national law.
Amendment 639 #
Proposal for a regulation
Article 30 – paragraph 1 – point b
Article 30 – paragraph 1 – point b
(b) the linked data has different identity data, there is no biometric data to compare, and no manual verification of different identity has taken place.
Amendment 643 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
2. Where the common identity repository (CIR) or the SISrelevant information systems are queried and where a green link exists between two or more of the information systems constituting the CIR or with the SIS, the multiple-identity detector shall indicate that the identity data of the linked data does not correspond to the same person. The queried information system shall reply indicating only the data of the person whose data was used for the query, without triggering a hit against the data that is subject to the green link.
Amendment 647 #
Proposal for a regulation
Article 32 – paragraph 1 – point a
Article 32 – paragraph 1 – point a
(a) the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner;
Amendment 648 #
Proposal for a regulation
Article 32 – paragraph 1 – point b
Article 32 – paragraph 1 – point b
(b) the linked data has similar identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner.
Amendment 650 #
Proposal for a regulation
Article 32 – paragraph 2
Article 32 – paragraph 2
2. Where the CIR or the SIS are queried and where a red link exists between two or more of the information systems constituting the CIR or with the SIS, the multiple-identity detector shall reply indicating the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law. , only indicating a reference to the information systems to which Member State authorities and EU agencies have access respective of the access rights under Union and national law. Follow-up to a red link shall take place in accordance with Union and national law, basing any legal consequence for the person only on the relevant data on that person and not on the red link itself. No legal consequence for the person or persons concerned shall derive solely from the existence of a red link.
Amendment 651 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
Amendment 652 #
Proposal for a regulation
Article 32 – paragraph 4
Article 32 – paragraph 4
Amendment 656 #
Proposal for a regulation
Article 32 – paragraph 5 a (new)
Article 32 – paragraph 5 a (new)
5a. Where a Member State authority or EU body with access to one of the EU information systems or the SIS obtains evidence showing that a red link recorded in the MID is inaccurate or that the data processed in the MID, the relevant EU information systems and the SIS were processed in breach of this Regulation, that authority shall, where the link relates to EU information systems either rectify or erase the link from the MID immediately, or where the link relates to the SIS, inform the relevant SIRENE Bureau of the Member State that created the SIS alert immediately. That SIRENE Bureau shall verify the evidence provided by the Member State authority and rectify or erase the link from the MID immediately thereafter.
Amendment 661 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
2. Where the CIR or the SISinformation systems are queried and where a white link exists between one or more of those information systems constituting the CIR or with the SIS, the multiple-identity detector shall indicate that the identity data of the linked data correspond to the same person. The queried information systems shall reply indicating, where relevant, all the linked data on the person, hence triggering a hit against the data that is subject to the white link, if the authority launching the query has access to the linked data under Union or national law.
Amendment 662 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
Amendment 663 #
Proposal for a regulation
Article 33 – paragraph 4 a (new)
Article 33 – paragraph 4 a (new)
4a. If a Member State authority has evidence to suggest that a red link/ white link recorded in the MID is factually inaccurate or not up-to-date or that data were processed in the MID, the EU information systems or the SIS in breach of this Regulation, it shall check the relevant data stored in the EU information systems and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification without delay.
Amendment 669 #
Proposal for a regulation
Article 35 – paragraph 1
Article 35 – paragraph 1
The identity confirmation files and its data, including the links, shall be stored in the multiple-identity detector (MID) only for as long as the linked data is stored in two or more EU information systems. Once this condition is no longer met, the identity confirmation files and their data, including all related links, shall be deleted automatically.
Amendment 675 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The logs may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities designated pursuant to Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. The logs shall be protected by appropriate measures against unauthorised access and erased onetwo years after their creation, unless they are required for monitoring procedures that have already begun. The logs related to the history of the identity confirmation file shall be erased once the data in the identity confirmation file is erased.
Amendment 676 #
Proposal for a regulation
Article 37 – paragraph 1
Article 37 – paragraph 1
1. eu-LISA shall establish as soon as possible automated data quality control mechanisms and procedures on the data stored in the SIEES, Eurodacthe [ETIAS], [the ECRIS-TCN system], the shared biometric matching service (shared BMS), the common identity repository (CIR) and the multiple-identity detector (MID)VIS and the SIS, and the multiple-identity detector (MID). Those automated data quality control mechanisms should be adequately tested prior to the start of operations of the interoperability components in accordance with Article 62.
Amendment 681 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
2. eu-LISA shall establish common data quality indicators and the minimum quality standards to store data in the SIS, Eurodac, [the ECRIS-TCN system], the shared BMS, the CIR and the MID.
Amendment 686 #
Proposal for a regulation
Article 37 – paragraph 4
Article 37 – paragraph 4
4. The details of the automated data quality control mechanisms and procedures and the common data quality indicators and the minimum quality standards to store data in the SIS, Eurodac, [the ECRIS-TCN system], the shared BMS, the CIR and the MID, in particular regarding biometric data, shall be laid down in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
Amendment 687 #
Proposal for a regulation
Article 37 – paragraph 5
Article 37 – paragraph 5
5. One year after the establishment of the automated data quality control mechanisms and procedures and common data quality indicators and every year thereafter, the Commission shall evaluate Member State implementation of data quality and in particular, data quality issues deriving from erroneous historical data in existing EU information systems and in the SIS. The Commission shall make any necessary recommendations. The Member States shall provide the Commission with an action plan to remedy any deficiencies identified in the evaluation report and shall report on any progress against this action plan until it is fully implemented. The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007.63 _________________ 63 Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights (OJ L 53, 22.2.2007, p. 1).
Amendment 690 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. The UMF standard shall be used in the development of the [Eurodac], the [ECRIS-TCN system], the European search portal, the CIR, the MID and, if appropriate, in the development by eu- LISA or any other EU body of new information exchange models and information systems in the area of Justice and Home Affairs.
Amendment 691 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
Amendment 699 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
3. eu-LISA shall render the data anonymous, by ensuring that the data is non-identifiable, and shall record such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated.
Amendment 701 #
Proposal for a regulation
Article 39 – paragraph 5
Article 39 – paragraph 5
5. The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of implementinga delegated acts. Those implementingat delegated acts shall be adopted in accordance with the examination procedure referred to in Article 64(2)3.
Amendment 703 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
1. In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the Eurodac, SIS and [the ECRIS-TCN system]VIS, EES, and SIS respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMSprocessing of biometric data that they enter into respective systems. In relation to information security management of the shared BMS, eu-LISA shall be considered a controller.
Amendment 705 #
Amendment 708 #
Proposal for a regulation
Article 40 – paragraph 3 – point a
Article 40 – paragraph 3 – point a
(a) the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(b) of Regulation No 45/2001 in relation to processing of personal data by the ETIAS Central Unit. In relation to information security management of the ETIAS Central System, eu-LISA shall be considered a controller;
Amendment 709 #
Proposal for a regulation
Article 40 – paragraph 3 – point b
Article 40 – paragraph 3 – point b
(b) the Member State authorities adding or modifying the data in the identity confirmation file are also to be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 and shall have responsibility for the processing of the personal data in the multiple-identity detector. In relation to information security management of the multiple- identity detector, eu-LISA shall be considered a controller;
Amendment 712 #
Proposal for a regulation
Article 41
Article 41
Amendment 714 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Both eu-LISA and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA shall be responsible for the central systems and Member State authorities shall be responsible for the security at the end-points controlling access to the systems, [the ETIAS Central Unit] and the Member State authorities shall cooperate on security-related tasks.
Amendment 715 #
Proposal for a regulation
Article 42 – paragraph 3 – point i
Article 42 – paragraph 3 – point i
(i) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.
Amendment 722 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu- LISA, the national supervisory authority and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.
Amendment 731 #
Proposal for a regulation
Article 46 – title
Article 46 – title
46 Right tof information
Amendment 732 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Without prejudice to the right tof information referred to in Articles 11 and 12 of Regulation (EC) 45/2001 and, Articles 13 and 14 of Regulation (EU) 2016/679, persons whose data are stored in the shared biometric matching service, the common identity repository orand Article 13 of Directive 2016/680, persons whose data are stored in the one of the EU information systems, the SIS, or in the multiple-identity detector shall be informed by the authority collecting their data, at the time their data are collected, about the processing of personal data for the purposes of this Regulation, including about identity and contact details of the respective data controllers, and about the procedures for exercising their rights of access, rectification and erasure, as well as aboutlaid down in Article 47, about their right to lodge a complaint with the supervisory authority, the purpose of the data processing, the data retention period, the fact that personal data may be accessed by law enforcement authorities, and the contact details of the European Data Protection Supervisor and of the national supervisory authority of the Member State responsible for the collection of the data.
Amendment 737 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
Article 46 – paragraph 1 a (new)
1a. All information must be provided to data subjects in a manner and language which they understand, or are reasonably expected to understand. This must include providing information in an age- appropriate manner for data subjects who are minors.
Amendment 746 #
Proposal for a regulation
Article 47 – title
Article 47 – title
47 Right of access, correction and erasure - Web Service
Amendment 747 #
Proposal for a regulation
Article 47 – paragraph 1
Article 47 – paragraph 1
1. In order to exercise their rights under Articles 13, 14, 15 and 16 of Regulation (EC) 45/2001 and, Articles 15, 16, 17 and 18 of Regulation (EU) 2016/679, and Articles 14 and 16 of Directive (EU)2016/680, any person shall have the right to address him or herself to the Member State responsible for the manual verification of different identities or of any Member State, who shall examine and reply to the request.
Amendment 751 #
Proposal for a regulation
Article 47 – paragraph 1 a (new)
Article 47 – paragraph 1 a (new)
1a. Without prejudice to paragraph 1, and in order to facilitate and better enable the effective exercise of the rights of data subjects as described in paragraph 1 to access, rectify, erase or restrict the processing of their personal data under interoperability components, in particular for those third country nationals who may be outside the territory of the Member States, eu-LISA shall establish a web service, hosted in its technical site, which shall enable data subjects to make a request for access, correction, erasure or rectification of their personal data. The web service shall act as a single point of contact for those third country nationals outside the territory of the Member States. On the basis of such a request, the web service shall immediately transmit the request to the Member State responsible for manual verification of different identities in accordance with Article 29, or, where appropriate, to the Member State responsible for the entry of the data in the underlying information system which is the subject of the request.
Amendment 752 #
Proposal for a regulation
Article 47 – paragraph 1 b (new)
Article 47 – paragraph 1 b (new)
1b. The Commission shall adopt implementing acts concerning the detailed rules on the conditions for the operation of the web service and the data protection and security rules applicable. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64.
Amendment 753 #
Proposal for a regulation
Article 47 – paragraph 2
Article 47 – paragraph 2
2. The Member State responsible for the manual verification of different identities as referred to in Article 29 or the Member State to which the request has been made, either directly from the data subject in accordance with paragraph 1 or via the web service established by eu- LISA in accordance with paragraph 2, shall reply to such requests at the latest within 145 days of receipt of the request.
Amendment 756 #
Proposal for a regulation
Article 47 – paragraph 3
Article 47 – paragraph 3
3. If a request for correction or erasure of personal data is made to a Member State other than the Member State responsible, the Member State to which the request has been made shall contact the authorities of the Member State responsible within seven days and the Member State responsible shall check the accuracy of the data and the lawfulness of the data processing within 3014 days of such contact. The person concerned shall be informed by the Member State which contacted the authority of the Member State responsible that his or her request was forwarded about the further procedure.
Amendment 761 #
Proposal for a regulation
Article 47 – paragraph 4
Article 47 – paragraph 4
4. Where, following an examination, it is found that the data stored in the multiple-identity detector (MID) are factually inaccurate or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall correct or delete these data. The person concerned shall be informed that his or her data was corrected or deleted.
Amendment 768 #
Proposal for a regulation
Article 47 – paragraph 5
Article 47 – paragraph 5
5. Where data in the MID is amended by the responsible Member State during its validity period, the responsible Member State shall carry out the processing laid down in Article 27 and, where relevant, Article 29 to determine whether the amended data shall be linked. Where the processing does not report any hit, the responsible Member State or, where applicable, the Member State to which the request has been made shall delete the data from the identity confirmation file. Where the automated processing reports one or several hit(s), the responsible Member State shall create or update the relevant link in accordance with the relevant provisions of this Regulation. The person concerned shall be informed of these additional links accordingly.
Amendment 772 #
Proposal for a regulation
Article 47 – paragraph 7
Article 47 – paragraph 7
7. This decision shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request referred in paragraph 3s 1 or 2 and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts, and any assistance, including from the competent national supervisory authorities.
Amendment 773 #
Proposal for a regulation
Article 47 – paragraph 8
Article 47 – paragraph 8
8. Any request made pursuant to paragraph 3s 1 or 2 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 31 and shall be erased immediately afterwards.
Amendment 774 #
Proposal for a regulation
Article 47 – paragraph 9
Article 47 – paragraph 9
9. The responsible Member State or, where applicable, the Member State to which the request has been made shall keep a record in the form of a written document that a request referred to in paragraph 3s 1 or 2 was made and how it was addressed, and shall make that document available to competent data protection national supervisory authorities without delay.
Amendment 775 #
Proposal for a regulation
Article 47 a (new)
Article 47 a (new)
Article 47a Liability Without prejudice to the right to compensation from, and liability under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EC) No 45/2001: (a) any person who has suffered material or non-material damage as a result of an unlawful personal data processing operation through the use of interoperability components or any other act by a Member State which is incompatible with this Regulation shall be entitled to receive compensation from that Member State; (b) any person who has suffered material or non-material damage as a result of an unlawful personal data processing operation through the use of interoperability components or any other act by Europol or by the European Border and Coast Guard Agency which is incompatible with this Regulation shall be entitled to receive compensation from Europol or the European Border and Coast Guard as appropriate. The Member State, Europol or the European Border and Coast Guard Agency shall be exempted from liability, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.
Amendment 776 #
Proposal for a regulation
Article 47 b (new)
Article 47 b (new)
Article 47b Penalties Member States shall ensure that any misuse of data, processing of data or exchange of data contrary to this Regulation is punishable in accordance with national law. The penalties provided shall be effective, proportionate and dissuasive and shall include the possibility for administrative and criminal penalties. Europol and the European Border and Coast Guard Agency shall ensure that members of their staff or members of their teams who misuse, process or exchange data contrary to this Regulation are subject to penalties. Those penalties shall be effective, proportionate and dissuasive.
Amendment 779 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
Personal data stored in, processed or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party.
Amendment 782 #
Proposal for a regulation
Article 49 – paragraph 1
Article 49 – paragraph 1
1. The supervisory authority or authorities designated pursuant to Article 4951 of Regulation (EU) 2016/679 and Article 41 of Directive(EU) 2016/680 shall ensure that an audit of the data processing operations by the responsible national authorities is carried out in accordance with relevant international auditing standards at least every four years.
Amendment 785 #
Proposal for a regulation
Article 49 – paragraph 1 a (new)
Article 49 – paragraph 1 a (new)
1 a. Member States shall ensure that their supervisory authorities designated pursuant to Article 51 of Regulation 2016/679 and Article 41 of Directive 2016/680 monitor the lawfulness of the processing of personal data under this Regulation carried out by Member States’ relevant auhtorities.
Amendment 789 #
Proposal for a regulation
Article 49 – paragraph 2
Article 49 – paragraph 2
2. Member States shall ensure that their supervisory authority has sufficient resourcesadditional resources, including both human and financial resources, to fulfil the tasks entrusted to it under this Regulation.
Amendment 791 #
Proposal for a regulation
Article 50 – paragraph 1
Article 50 – paragraph 1
The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, the Council, eu-LISA, the Commission and the Member States. eu-LISA shall be given an opportunity to make comments before the reports are adopted. The EU Budgetary Authority shall ensure that the European Data Protection Supervisor has sufficient additional resources, including both human and financial resources, to fulfil the tasks entrusted toit under this Regulation.
Amendment 799 #
Proposal for a regulation
Article 52 – paragraph 1
Article 52 – paragraph 1
1. eu-LISA shall ensure that the central infrastructures of the interoperability components are operated in accordance with this Regulation. In that respect, eu-LISA shall follow the principles of data protection by design and by default.
Amendment 801 #
Proposal for a regulation
Article 52 – paragraph 3 – subparagraph 1
Article 52 – paragraph 3 – subparagraph 1
eu-LISA shall be responsible for the development of the interoperability components, for any adaptations required for establishing interoperability between the central systems of the EES, VIS, [ETIAS], SIS, and Eurodac, and [the ECRIS-TCN system], and the European search portal, the shared biometric matching service, the common identity repository and the multiple-identity detector.
Amendment 802 #
Proposal for a regulation
Article 52 – paragraph 3 – subparagraph 4
Article 52 – paragraph 3 – subparagraph 4
The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination. In that regard, the tasks of eu-LISA shall also be: (a) perform a security risk assessment; (b) follow the principles of privacy by design and by default during the entire lifecycle of the development of the interoperability components and; (c) conduct a security risk assessment regarding the interoperability of EU information systems, interoperability components, Europol data and Interpol databases
Amendment 806 #
Proposal for a regulation
Article 53 – paragraph 1 – subparagraph 2 a (new)
Article 53 – paragraph 1 – subparagraph 2 a (new)
Eu.LISA shall perform regular information security risk assessments for the interoperability components, implement a comprehensive information security risk management process and follow the principles of privacy by design and by default during the entire lifecycle of those interoperability components.
Amendment 808 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
Amendment 810 #
Proposal for a regulation
Article 54 – paragraph 1 – point a
Article 54 – paragraph 1 – point a
(a) the connection to the communication infrastructure of the European search portal (ESP) and the common identity repository (CIR);
Amendment 813 #
Proposal for a regulation
Article 54 – paragraph 1 – point b
Article 54 – paragraph 1 – point b
(b) the integration of the existing national systems and infrastructures with the ESP, shared biometric matching service, the CIR and the multiple-identity detector;
Amendment 815 #
Proposal for a regulation
Article 54 – paragraph 1 – point d
Article 54 – paragraph 1 – point d
(d) the management of, and arrangements for, access by the duly authorised staff, and by the duly empowered staff, of the competent national authorities to the ESP, the CIR and the multiple- identity detector in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;
Amendment 817 #
Proposal for a regulation
Article 54 – paragraph 1 – point e
Article 54 – paragraph 1 – point e
(e) the adoption of the legislative measures referred to in Article 20(3) in order to access the CIREU information systems for identification purposes;
Amendment 821 #
Proposal for a regulation
Article 54 – paragraph 2
Article 54 – paragraph 2
Amendment 822 #
Proposal for a regulation
Article 54a – paragraph 2
Article 54a – paragraph 2
2. Europol shall be responsible for the management of, and arrangements for, its duly authorised staff to use and access respectively the ESP and the CIR in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles.
Amendment 857 #
Proposal for a regulation
Article 56 – paragraph 1 – introductory part
Article 56 – paragraph 1 – introductory part
1. The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the European search portal (ESP), solely for the purposes of reporting and statistics without enabling individual identification:
Amendment 860 #
Proposal for a regulation
Article 56 – paragraph 2
Article 56 – paragraph 2
Amendment 870 #
Proposal for a regulation
Article 56 – paragraph 5
Article 56 – paragraph 5
5. For the purpose of paragraph 1 of this Article, eu-LISA shall store the data referred to in paragraph 1 of this Article in the central repository for reporting and statistics referred to in Chapter VII of this Regulation. The data included in the repository shall not enablebe anonymised and shall not be such as to allow for the identification of individuals, but it shall allow the authorities listed in paragraph 1 of this Article to obtain customisable reports and statistics to enhance the efficiency of border checks, to help authorities processing visa applications and to support evidence-based policymaking on migration and security in the Union.
Amendment 875 #
Proposal for a regulation
Article 58 – title
Article 58 – title
58 Transitional period applicable to the provisions on access to the common identity repositoryESP or shared BMS for law enforcement purposes
Amendment 883 #
Proposal for a regulation
Article 60 – paragraph 1
Article 60 – paragraph 1
1. The costs incurred in connection with the establishment and operation of the ESP, the shared biometric matching service, the common identity repository (CIR) and the MID shall be borne by the general budget of the Union.
Amendment 885 #
Proposal for a regulation
Article 60 – paragraph 3
Article 60 – paragraph 3
3. The costs incurred by the designated authorities referred to in Article 4(24) shall be borne, respectively, by each Member State and Europol. The costs for the connection of the designated authorities to the CIR shall be borne by each Member State and Europol, respectively.
Amendment 890 #
Proposal for a regulation
Article 62 – paragraph 1 – point c
Article 62 – paragraph 1 – point c
(c) eu-LISA has validated the technical and legal arrangements to collect and transmit the data referred to in Articles 8(1), 13, 19, 34 and 39 and have notified them to the Commission;
Amendment 894 #
Proposal for a regulation
Article 63 – paragraph 2
Article 63 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 8(2), 9(7), 28(5) and 39(75) shall be conferred on the Commission for an indeterminate period of time from [the date of entry into force of this Regulation].
Amendment 897 #
Proposal for a regulation
Article 63 – paragraph 3
Article 63 – paragraph 3
3. The delegation of power referred to in Articles 8(2), 9(7), 28(5) and 39(75) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 898 #
Proposal for a regulation
Article 63 – paragraph 6
Article 63 – paragraph 6
6. A delegated act adopted pursuant to Articles 8(2), 9(7), 28(5) and 39(75) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of [two months] of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.
Amendment 905 #
Proposal for a regulation
Article 68 – paragraph 2
Article 68 – paragraph 2
2. By [Six months after the entry into force of this Regulation — OPOCE, please replace with the actual date] and every six months thereafter during the development phase of the interoperability components, eu-LISA shall submit a report to the European Parliament and the Council, the Council, and the European Data Protection Supervisor, on the state of play of the development of the interoperability components. Once the development is finalised, a report shall be submitted to the European Parliament and the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.
Amendment 910 #
Proposal for a regulation
Article 68 – paragraph 3
Article 68 – paragraph 3
3. For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the interoperability components without having access to any personal data processed by those components.
Amendment 921 #
Proposal for a regulation
Article 68 – paragraph 8 – subparagraph 1 – introductory part
Article 68 – paragraph 8 – subparagraph 1 – introductory part
While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of access to data stored in the common identity repositoryEU information systems and the SIS for law enforcement purposes, containing information and statistics on: