214 Amendments of Ana GOMES related to 2017/0351(COD)
Amendment 199 #
Proposal for a regulation
Recital 3
Recital 3
(3) In its Resolution of 6 July 2016 on the strategic priorities for the Commission Work Programme 201747 , the European Parliament called for proposals to improve and develop existing EU information systems, address information gaps and move towards their interoperability, as well as proposals for compulsory information sharing at EU level, accompanied by the necessary data protection safeguards. Such safeguards should include the prevention of unauthorized access and sharing of data with unauthorized authorities, logging access and usage by authorized users, the implementation of minimum quality standards, ensuring the right to effective remedy and the practical possibility to rebut false assumptions and inaccurate data held by the relevant authorities. _________________ 47 European Parliament resolution of 6 July 2016 on the strategic priorities for the Commission Work Programme 2017 (2016/2773(RSP).
Amendment 201 #
Proposal for a regulation
Recital 8 a (new)
Recital 8 a (new)
Amendment 202 #
Proposal for a regulation
Recital 8 b (new)
Recital 8 b (new)
(8b) In its Opinion of 11 April 2018,2a the Article 29 Data Protection Working Party reiterated that the process towards interoperability of systems raises fundamental questions regarding the purpose, necessity, proportionality of the data processing as well as concerns regarding the principles of purpose limitation, data minimization, data retention and clear identification of a data controller. _________________ 2a http://ec.europa.eu/newsroom/article29/do cument.cfm?action=display&doc_id=5151 7
Amendment 205 #
Proposal for a regulation
Recital 9
Recital 9
(9) With a view to improve the management of the external borders, to facilitating regular border crossings, to contribute to preventing and combating irregular migration, and to contribute to a high level of security withassist in the aprea of freedom, security and justice of the Union, including the maintenance of public security and public policy and safeguarding the security in thevention, detection and investigation of territoriest of the Member Statfences or other serious criminal offences, interoperability between EU information systems, namely [the Entry/Exit System (EES)], the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, the Schengen Information System (SIS), and the [European Criminal Records Information System for third-country nationals (ECRIS-TCN)] should be established in sorder foar these EU information systems and their data to supplement each otheras that is possible while respecting the fundamental rights of the individual, in particular, the right to protection of personal data. To achieve this, a European search portal (ESP), a shared biometric matching service (shared BMS), a common identity repository (CIR) and a multiple-identity detector (MID) should be established as interoperability components.
Amendment 207 #
Proposal for a regulation
Recital 10
Recital 10
(10) The interoperability between the EU information systems should allow said systems to supplement each communicate with one another in order to facilitate the correct identification of persons, at external borders, for the purpose of applications of international protection, or in the context of the prevention, detection and investigation of serious criminal offences - including terrorist offences, to contribute to fighting identity fraud, to improve and harmonise data quality requirements of the respective EU information systems, to facilitate the technical and operational implementation by Member States of existing and future EU information systems, to strengthen and simplify the data security and data protection safeguards that govern the respective EU information systems, in particular by ensuring that all Union data protection rules are applicable to all the information systems, and to streamline the law enforcement access to the EES, the VIS, the [ETIAS] and Eurodac, and support the purposes of the EES, the VIS, the [ETIAS], Eurodac, the SIS and the [ECRIS-TCN system].
Amendment 211 #
Proposal for a regulation
Recital 11
Recital 11
(11) The interoperability components should cover the EES, the VIS, the [ETIAS], Eurodac, the SIS, and the [ECRIS-TCN system]. They should also cover the Europol data only to the extent of enabling ithat data to be queried simultaneously with these EU information systems.
Amendment 213 #
Proposal for a regulation
Recital 12
Recital 12
(12) The interoperability components should concern persons in respect of whom personal data may be processed in the EU information systems and by Europol, namely third-country nationals whose personal data is processed in the EU information systems and by Europol, and to EU citizens whose personal data is processed in the SIS and by Europol. Interoperability should not concern EU citizens.
Amendment 217 #
Proposal for a regulation
Recital 13
Recital 13
(13) The European search portal (ESP) should be established to facilitate technically the ability of the authorised Member State authorities and EU bodies to have a controlled yet fast, seamless, and efficient, systematic and controlled access to the EU information systems, the access to the relevant EU databases to Europol data and theo Interpol databases needed toin so far as this is necessary for the performance of their tasks, and in accordance with their access rights, and to. In that way, the ESP should support the objectives of the EES, the VIS, the [ETIAS], Eurodac, the SIS, the [ECRIS-TCN system] and the Europol data. Enabling the simultaneous querying of all relevant EU information systemdatabases in parallel, as well as of the Europol data and the Interpol databases, the ESP should act as a single window or ‘message broker’ to search various central systems and retrieve the necessary information seamlessly and in full respect of the access control and data protection requirements of the underlying systems.
Amendment 223 #
Proposal for a regulation
Recital 16
Recital 16
(16) To ensure fast and systematiceamless use of all EU information systems, the European search portal (ESP) should be used to query the common identity repository, the EES, the VIS, [the ETIAS], Eurodac and [the ECRIS-TCN system]. However, the national connection to the different EU information systems should remain in order to provide a technical fall back. The ESP should also be used by Union bodies to query the Central SIS in accordance with their access rights and in order to perform their tasks. The ESP should be an additional means to query the Central SIS, the Europol data and the Interpol systems, complementing the existing dedicated interfaces.
Amendment 226 #
Proposal for a regulation
Recital 17
Recital 17
(17) Biometric data, such as fingerprints and facial images, are unique and therefore much more reliable than alphanumeric data for identifying a person. However, biometric data constitute sensitive personal data. This regulation should therefore lay down the basis for and the safeguards for processing of such data for the purpose of uniquely identifying the persons concerned. The shared biometric matching service (shared BMS) should be a technical tool to reinforce and facilitate the work of the relevant EU information systems and the other interoperability components, without duplicating either the storage of the biometric or the storage of biometric templates. The main purpose of the shared BMS should be to facilitate the identification of an individual who may be registered in different databases, by matching their biometric data across different systems and by relying on one unique technological component instead of five different ones in each of the underlying systems. The shared BMS should contribute to security, as well as financial, maintenance and operational benefits by relying on one unique technological component instead of different ones in each of the underlying systems. All automated fingerprint identification systems, including those currently used for Eurodac, the VIS and the SIS, use biometric templates comprised of data derived from a feature extraction of actual biometric samples. The shared BMS should regroup and store all these biometric templates in one single location, facilitating, allow for a cross-system comparisons usingof those biometric data and enabling economies of scale in developing and maintaining the EU central systemstemplates using biometric data.
Amendment 228 #
Proposal for a regulation
Recital 18
Recital 18
Amendment 232 #
Proposal for a regulation
Recital 19
Recital 19
(19) The systems established by Regulation (EU) 2017/2226 of the European Parliament and of the Council57 , Regulation (EC) No 767/2008 of the European Parliament and of the Council58 , [the ETIAS Regulation] for the management of the borders of the Union, the system established by [the Eurodac Regulation] to identify the applicants for international protection and combat irregular migration, and the system established by [the ECRIS-TCN system Regulation] require in order to be effective to rely on the accurate identification of those third-country nationals whose personal data are stored therein. _________________ 57 Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (EES Regulation) (OJ L 327, 9.12.2017, p. 20–82). 58 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).
Amendment 233 #
Proposal for a regulation
Recital 20
Recital 20
Amendment 238 #
Proposal for a regulation
Recital 21
Recital 21
(21) Personal data stored in these EU information systems may relate to the same persons but under different or incomplete identities. Member States dispose of efficient ways to identify their citizens or registered permanent residents in their territory, but the same is not true for third- country nationals. The interoperability between EU information systems should contribute to thelp correctly identification ofy third-country nationals. The common identity repository (CIR) shouldEach individual information system should continue to store the personal data concerning third-country nationals present in the systems that are necessary to enable the more accurate identification of those individuals, therefore including their identity, travel document and biometric data, regardless of the system in which the data was originally collected. Only the personal data strictly necessary to perform an accurate identity check should be stored in the CIR. The personal data recorded in the CIR should be kept for no longer than is strictly necessary for the purposes of the underlying systems and should be automatically deleted when the data is deleted in the underlying systems in accordance with their logical separationquired under their founding regulations. This information will be made interoperable by virtue of the European Search Portal, the Biometric Matching Service and the Multiple Identity Detector.
Amendment 245 #
Proposal for a regulation
Recital 23
Recital 23
Amendment 247 #
Proposal for a regulation
Recital 24
Recital 24
Amendment 250 #
Proposal for a regulation
Recital 25
Recital 25
Amendment 255 #
Proposal for a regulation
Recital 26
Recital 26
Amendment 258 #
Proposal for a regulation
Recital 27
Recital 27
(27) In order to ensureassist in the correct identification of a person, Member State authorities competent forwhere a travel document or other identity document preoventing and combating irregular migration ands insufficient or is unavailable, Member State competent authorities within the meaning of Article 3(7) of Directive 2016/680 should be allowed to query the common identity repository (CIR) with the biometric data of that person taken during an identity check. European Search Portal (ESP) or the shared Biometric Matching Service (sBMS) and the underlying Union information systems with the biographical or biometric data of that person taken during an identity check provided always that individual concerned is physically present during such a check.
Amendment 263 #
Proposal for a regulation
Recital 28
Recital 28
Amendment 268 #
Proposal for a regulation
Recital 29
Recital 29
(29) Member States should adopt national legislative measures designating the authorities competent to perform identity checks with the use of the common identity repository (CIR)ESP or the sBMS, subject to the physical presence of the individual concerned, and laying down the procedures, conditions and criteria of such identity checks in line with the principle of proportionality. In particular, the power to collect biometric data during an identitSuch an identity check in respect of third-country nationals should be permitted only cwheck of a person present beforere comparable procedures under equivalent conditions exist in the mMember of those authorities should be provided for by national legislative measureState concerned for Union citizens.
Amendment 271 #
Proposal for a regulation
Recital 30
Recital 30
(30) This Regulation should also introduces a new possibility for streamlined access to data beyond identity data present in the EES, the VIS, [the ETIAS] or Eurodac by Member State designated law enforcement authorities and Europol. Data, including data other than identity data contained in those systems, may be necessary for the prevention, detection, investigation and prosecution of terrorist offences or serious criminal offences in a specific case where there are reasonable grounds to consider that consultation will substantially contribute to the prevention, detection or investigation of the criminal offences in question; in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls under the category of third country nationals whose data are stored in the EES, the VIS, the ETIAS and the Eurodac system. Such streamlined access will be provided after a prior search in the national databases has been carried out and a query of the automated fingerprint identification system of the other Member States under Decision 2008/615/JHA has been launched.
Amendment 272 #
Proposal for a regulation
Recital 31
Recital 31
(31) Full access to the necessary data contained in the EU information systems necessary for the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences, beyond the relevant identity data covered under common identity repository (CIR) obtained using biometric data of that person taken during an identity check, should continue to be governed by the provisions in the respective legal instruments. The designated law enforcement authorities and Europol do not always know in advance which of the EU information systems contains data of the persons they need to inquire upon. This results in delays anerefore, following the necessary checks in national databases and where a query of the automated finefficiencies in the conduct of gerprint identification system of the otheir tasks. TMember States under Decision 2008/615/JHA has been launched, the end-user authorised by the designated authority should therefore be allowed to see in which of the EU information systems the data corresponding to the query introduced are recorded. The concerned system would thus be flagged following the automated verification of the presence of a hit in the system (a so-called hit-flag functionality).
Amendment 276 #
Proposal for a regulation
Recital 31 a (new)
Recital 31 a (new)
(31a) Where such a search is carried out, a hit should not be interpreted as a ground or reason to draw conclusions about or undertake measures towards a person, but may be used only for the purpose of submitting an access request to the underlying EU information systems, subject to the conditions and procedures laid down in the respective legislative instruments governing such access. Any such act will be subject to the provisions measures set out in Chapter VII and the safeguards provided for in Regulation EU 2016/679, Directive 2016/680 or Regulation EC45/2001.
Amendment 279 #
Proposal for a regulation
Recital 32
Recital 32
(32) The logs of the queries of the common identity repositoryEU information systems should indicate the purpose of the query. Where such a query was performed using the two- step data consultation approach, the logs should include a reference to the national file of the investigation or case, therefore indicating that such query was launched for the purposes of preventing, detecting and investigating terrorist offences or other serious criminal offences.
Amendment 281 #
Proposal for a regulation
Recital 33
Recital 33
(33) The query of the common identity repository (CIR)EU information systems by Member State designated authorities and Europol in order to obtain a hit-flag type of response indicating the data is recorded in the EES, the VIS, [the ETIAS] or Eurodac requires automated processing of personal data. A hit-flag wshould not reveal personal data of the concerned individual other thanonly an indication that some of his or her data are stored in one of the systems, provided the authority making the search has access to that system. No adverse decision for the concerned individual should be made by the authorised end-user solely on the basis of the simple occurrence of a hit-flag, and the hit-flag should be used by the relevant authorities only for the purpose of deciding which database to query. Access by the end-user of a hit-flag would therefore realise a very limitedconstitute an interference with the right to protection of personal data of the concerned individual, while it would be necessary to allow the designated authority and Europol to address its request for access for personal data more effectively directly to the system that was flagged as containing and therefore should comply with the principles of necessity and proportionality.
Amendment 285 #
Proposal for a regulation
Recital 34
Recital 34
(34) The two-step data consultation approach is particularly valuable in cases where the suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence is unknown. In those cases the common identity repository (CIR) should enable, using the European Search Portal or the shared Biometric Matching Service should enable the relevant authority to identifying the information system that knows the person in one single searchsuspect, perpetrator or suspected victim in one single search, following the necessary checks in national databases and once a query of the automated fingerprint identification system of other Member States under Decision 2008/615/JHA has been launched. By creating the obligation to use this new law enforcement access approach in these cases, access to the personal data stored in the EES, the VIS, [the ETIAS] and Eurodac should take place without the requirements of a prior search in national databases and the launch of a prior search in the automated fingerprint identification system (‘AFIS’) of other Member States under Decision 2008/615/JHA. The principle of prior search effectively limits the possibility of Member State’ authorities to consult systems for justified law enforcement purposes and could thereby result in missed opportunities to uncover necessary information. The requirements of a prior search in national databases and the launch of a priin national databases and AFIS which were designed specifically for preventing, detecting and investigating terrorist offences or other serious criminal offences before searching in othe automated fingerprint identification system of other Member States under Decision 2008/615/JHA should only cease to apply oncr EU information systems which do not have that as their primary purpose the alternative safeguard of the two- step approach to law enforcement access through the CIR has become operationallps to ensure the necessity and proportionality for such a search.
Amendment 289 #
Proposal for a regulation
Recital 35
Recital 35
(35) The multiple-identity detector (MID) should be established to support the functioning of the common identity repository and to support the objectives of the EES, the VIS, [the ETIAS], Eurodac, the SIS and [the ECRIS- TCN system]. In order to be effective in fulfilling their respective objectives, all of these EU information systems require the accurate identification of the persons whose personal data are stored therein.
Amendment 290 #
Proposal for a regulation
Recital 36
Recital 36
(36) The possibility to achievo better realise the objectives of the EU information systems is undermined by the current inability for, the authorities using theose systems should be able to conduct sufficiently reliable verifications of the identities of the third-country nationals whose data are stored in different systems. That inability is determined by the fact that the set of identity data stored in a given individual system may be fraudulent, incorrect, or incomplete, and that or fraudulent, and there is currently no possibility to detect such fraudulent,way of detecting incorrect or, incomplete or fraudulent identity data by way of comparison with data stored in another system. To remedy this situation it is necessary to have a technical instrument at Union level allowing accurate identification of third-country nationals for these purposes.
Amendment 294 #
Proposal for a regulation
Recital 37
Recital 37
(37) The multiple-identity detector (MID) should create and store links between data in the different EU information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The MID should only contain the linkscreation of those links constitutes automated decision-making as referred to in Regulation (EU) 2016/679 and in Directive (EU) 2016/680 and therefore requires transparency towards the individuals affected and the implementation of necessary safeguards in accordance with EU data protection rules. The MID should contain links only between individuals present in more than one EU information system, strictly limited to the data necessary to verify that a person is recorded lawfully or unlawfully under different biographical identities in different systems, or to clarify that two persons having similar biographical data may not be the same person. Data processing through the European search portal (ESP) and the shared biometric matching service (shared BMS) in order to link individual files across individual systems should be kept to an absolute minimum and therefore is limited to a multiple-identity detection at the time new data is added to one of the information systems included in the common identity repository and inthe EES, the VIS, [the ETIAS], Eurodac or the SIS. The MID should include safeguards against potential discrimination or unfavourable decisions for persons with multiple lawful identities.
Amendment 296 #
Proposal for a regulation
Recital 38
Recital 38
(38) This Regulation provides for new data processing operations aimed at identifyingensuring the correct identification of the persons concerned correctly. This constitutes an interference with their fundamental rights as protected by Articles 7 and 8 of the Charter of Fundamental Rights. Since the effective implementation of the EUit is necessary to correctly identify those persons inf ormation systems is dependent upon correct identification of the individuals concernedder to fully realise the objectives of those EU information systems, such interference is justified by those same objectives ofor which each of those systems have been established, the effectively management ofing the Union’s borders, theproviding internal security ofin the Union, the effectively implementation ofing the Union’s asylum and visa policies and the fight againstcombatting irregular migration.
Amendment 299 #
Proposal for a regulation
Recital 39
Recital 39
(39) The European search portal (ESP) and shared biometric matching service (shared BMS) should compare data in common identity repository (CIR)the EES, the VIS, [the ETIAS], Eurodac and the SIS on persons when new records are created by a national authority or an EU body. Such a comparison should be automated. The CIR and the SISose EU information systems should use the shared BMS to detect possible links on the basis of biometric data. The CIR and the SIS and should use the ESP to detect possible links on the basis of alphanumeric data. The CIR and the SISose EU information systems should be able to identify identical or similar data on the third-country national stored across several systems. Where such is the case, a link indicating that it is the same person should be established. The CIR and the SISNew interoperability components should be configured in such a wayso that small transliteration or spelling mistakes are detected in such a way as not to create any unjustified hindrance to the concernedor interference with the fundamental rights of the third-country national concerned.
Amendment 302 #
Proposal for a regulation
Recital 40
Recital 40
(40) The national authority or EU body that recorded the new data in the respective EU information system should confirm or change these links. This authority should have access to the identity data stored in the common identity repository (CIR) or the SIS and in the multiple-identity detector (MID)ose EU information systems for the purpose of the manual identity verification.
Amendment 305 #
Proposal for a regulation
Recital 41
Recital 41
(41) Access to the multiple-identity detector (MID) by Member State authorities and EU bodies having access to at least one of the relevant EU information system included in the common identity repository (CIR) or to the SIS should be limited to so called red links, where the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner, or where the linked data has similardifferent identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner. Where the linked identity data isare not similar, a yellow link should be established and a manual verification should take place in order to confirm the link or change its colour accordingly.
Amendment 307 #
Proposal for a regulation
Recital 42
Recital 42
(42) The manual verification of multiple identities should be ensured by the authority creating or updating the data that triggered a hit resulting in a link with data already stored in another EU information system as described in this Regulation in full respect of access rights granted under Union and national law. The authority responsible for the verification of multiple identities should assess whether there are multiple lawful or unlawful identities. Such assessment should be performed where possibleonly in the presence of the third-country national and where necessary by requesting additional clarifications or information. Such assessment should be performed without delay, in line with legal requirements for the accuracy of information under Union and national law.
Amendment 309 #
Proposal for a regulation
Recital 43
Recital 43
(43) FBy way of derogation, for the links obtained in relation to the Schengen Information System (SIS) related to the alerts in respect of persons wanted for arrest or for surrender or extradition purposes, on missing or vulnerable persons, on persons sought to assist with a judicial procedure, on persons for discreet checks or specific checks or on unknown wanted persons, the authority responsible for the verification of multiple identities should be the SIRENE Bureau of the Member State that created the alert. Indeed those categories of SIS alerts are sensitive and should not necessarily be shared with the authorities creating or updating the data in one of the other EU information systems. The creation of a link with SIS data should be without prejudice to the actions to be taken in accordance with the [SIS Regulations].
Amendment 311 #
Proposal for a regulation
Recital 44
Recital 44
(44) eu-LISA should establish automated data quality control mechanisms and common data quality indicators. eu- LISA should be responsible tofor developing a central monitoring capacity for data quality, and tofor produceing regular data analysis reports to improve the control ofsupervision of the Member States’ implementation and application by Member States of EU information systems. The common quality indicators should include the minimum quality standards to store data in the EU information systems or the interoperability components. The goal of such a data quality standards should be for the EU information systems and interoperability components to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions.
Amendment 315 #
Proposal for a regulation
Recital 46
Recital 46
(46) The Universal Message Format (UMF) should establish a standard for structured, cross-border information exchange between information systems, authorities and/or organisations in the field of Justice and Home affairs. UMF should define a common vocabulary and logical structures for commonly exchanged information with the objective tof facilitateing interoperability by enabling the creation and reading of the contents of the exchange in a consistent and semantically equivalent manner.
Amendment 319 #
Proposal for a regulation
Recital 47
Recital 47
(47) A central repository for reporting and statistics (CRRS) should be established to generate cross-system statistical data and analytical reporting for policy, operational and data quality purposes in line with the objectives of the underlying systems and inconformity with their respective legal bases. eu-LISA should establish, implement and host the CRRS in its technical sites. The CRRS should containing only anonymous statistical data from the above-menrelevant EU informationed systems, the common identity repository, the multiple-identity detector and the shared biometric matching service. The data contained in the CRRS should not enableallow for the identification of individuals. eu- LISA should immediately render the data anonymous and should record only such anonymousised data in the CRRS. The process for rendering the data anonymous should be automated and no direct access by eu- LISA staff should be granted to any personal data stored in the EU information systems or in the interoperability components.
Amendment 320 #
Proposal for a regulation
Recital 48
Recital 48
(48) Regulation (EU) 2016/679 should apply to the processing of personal data under this Regulation by national authorities unless such processing is carried out by the designated authorities or central access points of the Member States for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences, whenin which case Directive (EU) 2016/680 of the European Parliament and of the Council should apply.
Amendment 321 #
Proposal for a regulation
Recital 49
Recital 49
Amendment 323 #
Proposal for a regulation
Recital 52
Recital 52
(52) “(...) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on …16 April 2018 “
Amendment 327 #
Proposal for a regulation
Recital 56
Recital 56
(56) As a consequence of this combined application of the rules, the European search portal (ESP) should constitute the main access point for the compulsory systematic consultation of databases for third-country nationals at border crossing points provided for by the Schengen Borders Code. In addition, the identitWhere a red link exists in respect of a third-country dnata that led to the classification of a linkional seeking to cross an external border into the multiple-identity detector (MID) as aSchengen Area, that red link should be taken into account by the border guards for assessing whether or not the person fulfils the conditions of entry defined in the Schengen Borders Code. However the presence of a red link should not in itself constitute a ground for refusal of entry and the existing grounds for refusal of entry listed in the Schengen Borders Code should therefore not be amended.
Amendment 329 #
Proposal for a regulation
Recital 58
Recital 58
Amendment 339 #
Proposal for a regulation
Recital 62
Recital 62
(62) The costs for the development of the interoperability components projected under the current Multiannual Financial Framework are lower than the remaining amount on the budget earmarked for Smart Bremaining amount on the budget earmarked for developing IT systems supporting the management of migration flows across the external borders in Regulation (EU) No 515/2014 of the European Parliament and the Council61 . Accordingly, should be reallocated to this61 Regulation, pursuant to Article 5(5)(b) of Regulation (EU) No 515/2014, should reallocate the amount currently attributed for developing IT systems supporting the management of migration flows across the external borders. _________________ 61Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing as part of the Internal Security Fund, the Instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).
Amendment 341 #
Proposal for a regulation
Recital 63
Recital 63
(63) In order to supplement certain detailed technical aspects of this Regulation, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, power should be delegated to the Commission in respect of the profiles for the users of the European search portal (ESP) and the content and format of the ESP replies, the content and format of the ESP replies, the procedures to determine the cases where identity data can be considered as identical or similar, and the rules on the operation of the Central Repository for Reporting and Statistics, including specific safeguards for processing of personal data and security rules applicable to the repository. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement on Better Law-Making of 13 April 201662 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member State experts, and their experts should systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. _________________ 62 http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv:OJ.L_.2016. 123.01.0001.01.ENG.
Amendment 342 #
Proposal for a regulation
Recital 64
Recital 64
(64) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to adopt detailed rules on: automated data quality control mechanisms, procedures and indicators; development of the UMF standard; procedures for determining cases of similarity of identities; the operation of the central repository for reporting and statistics; and cooperation procedure in case of security incidents. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council63 . _________________ 63 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
Amendment 347 #
Proposal for a regulation
Recital 65 a (new)
Recital 65 a (new)
(65a) This Regulation should contain clear provisions on liability and right to compensation for unlawful processing of personal data or from any other act incompatible with it, without prejudice to the right to compensation from, and liability of the controller or processor under Regulation (EU) 2016/679, Directive EU 2016/680 and Regulation EU 45/2001. With regard to the role of eu- LISA as a data processor, this latter should be responsible for the damage it provoked where it has not complied with the specific obligations of this Regulation directed to it.
Amendment 348 #
Proposal for a regulation
Recital 65 b (new)
Recital 65 b (new)
(65b) Article 8 (2) of the European Convention on Human Rights states that any interference with the right to respect for private life, must pursue a legitimate aim and must be both necessary and proportionate except in such cases when, in accordance with the law such an action is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Amendment 349 #
Proposal for a regulation
Recital 65 c (new)
Recital 65 c (new)
(65c) Article 52(1) of the Charter of Fundamental Rights states that any limitation on the exercise of rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms and be subject to the principle of proportionality. Limitations may be made only if they are necessary if they genuinely meet the objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
Amendment 350 #
Proposal for a regulation
Recital 65 d (new)
Recital 65 d (new)
Amendment 351 #
Proposal for a regulation
Recital 65 e (new)
Recital 65 e (new)
Amendment 354 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation, together with [Regulation 2018/xx on interoperability police and judicial cooperation, asylum and migration], establishes a framework to ensure the interoperability between the Entry/Exit System (EES), the Visa Information System (VIS), [the European Travel Information and Authorisation System (ETIAS)], Eurodac, and the Schengen Information System (SIS), and [the European Criminal Records Information System for third-country nationals (ECRIS-TCN)] in order for those systems and data to supplement each otherto be interoperable.
Amendment 358 #
Proposal for a regulation
Article 1 – paragraph 2 – point c
Article 1 – paragraph 2 – point c
Amendment 368 #
Proposal for a regulation
Article 2 – paragraph 1 – introductory part
Article 2 – paragraph 1 – introductory part
1. By ensuring interoperability, the purpose of this Regulation shall have the following objectivesbe to support the objectives referred to respectively in Article 6 of Regulation (EU) 2017/226; Articles 2 and 3 of Regulation (EC) No 767/2008; Article 4 of Regulation (EU) 2018/xxx [ETIAS Regulation]; Article 1 of Regulation(EU) No 603/2013; Article 1 of Regulation (EU) 2018/xxx [on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation]; Article 1 of Regulation (EU) 2018/xxx [on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks]; Article 3 of Regulation (EU) 2018/xxx [on the use of the Schengen Information System for the return of illegally-staying third-country nationals], and Article 2 of [the ECRIS- TCN] Regulation; and in particular:
Amendment 369 #
Proposal for a regulation
Article 2 – paragraph 1 – point a
Article 2 – paragraph 1 – point a
(a) to improve the management ofenhance the effectiveness and efficiency of border checks at the external borders;
Amendment 380 #
Proposal for a regulation
Article 2 – paragraph 2 – introductory part
Article 2 – paragraph 2 – introductory part
2. Those objectives of ensuring interoperability shall be achieved by:
Amendment 382 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
Article 2 – paragraph 2 – point a
(a) ensuring the correct identification of personthird country nationals;
Amendment 385 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
(b) contributing to fighcombating identity fraud;
Amendment 390 #
Proposal for a regulation
Article 2 – paragraph 2 – point e
Article 2 – paragraph 2 – point e
(e) strengthening and simplifying and making more uniform the data security and data protection conditions that govern the respective EU information systems, without prejudice to the special protection and safeguards afforded to certain categories of data in accordance with EU data protection rules;
Amendment 394 #
Proposal for a regulation
Article 2 – paragraph 2 – point f
Article 2 – paragraph 2 – point f
(f) streamlining thensuring the necessary and proportionate conditions for law enforcement access to the EES, the VIS, [the ETIAS] and Eurodac;
Amendment 400 #
Proposal for a regulation
Article 3 – paragraph 2
Article 3 – paragraph 2
2. This Regulation applies to persons in respect of whom personal data may be processed in the EU information systems referred to in paragraph 1, only for the purposes as defined in the underlying legal basis for those information systems.
Amendment 408 #
Proposal for a regulation
Article 4 – paragraph 1 – point 19
Article 4 – paragraph 1 – point 19
(19) ‘Europol data’ means personal data providcessed toby Europol for the purpose referred to in Article 18(2)(a) of Regulation (EU) 2016/794;
Amendment 410 #
Proposal for a regulation
Article 4 – paragraph 1 – point 21
Article 4 – paragraph 1 – point 21
(21) ‘match’ means the existence of an exact correspondence established by comparing two or more occurrences of personal data recorded or being recorded in an information system or database;
Amendment 411 #
Proposal for a regulation
Article 4 – paragraph 1 – point 25
Article 4 – paragraph 1 – point 25
(25) ‘terrorist offence’ means an offence under national law which corresponds or is equivalent to one of the offences referred to in Directive (EU) 2017/541;
Amendment 413 #
Proposal for a regulation
Article 4 – paragraph 1 – point 35
Article 4 – paragraph 1 – point 35
Amendment 422 #
Proposal for a regulation
Article 5 – title
Article 5 – title
5 Fundamental Rights and Non- discrimination
Amendment 426 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
This Regulation shall ensure respect of the fundamental rights and the observation of the principles recognized in the Charter of Fundamental Rights of the European Union and shall be applied in accordance with those rights and principles. Processing of personal data for the purposes of this Regulation shall not result, either directly or indirectly, in undue interference with the right to respect for private and family life and the right to protection of personal data. Processing of personal data for the purposes of this Regulation shall not result in discrimination against persons on any grounds such as sex, racial or ethnic origin, religion or beliefe, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. It shall fully respect human dignity and integrity. Particular attention shall be paid to children, the elderly and, persons with a disability and persons in need of international protection.
Amendment 429 #
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1 (new)
Article 5 – paragraph 1 – subparagraph 1 (new)
One year after to the date of entry into force of this legislation, the Commission shall conduct an ex-post evaluation which aims at assessing the impact of interoperability on the right to non- discrimination
Amendment 433 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. A European search portal (ESP) is established for the purposes of ensuring that Member State authorities and EU bodies have fast, seamless, efficient, systematic and controlled access to the EU information systems, the Europol data and the Interpol databases that they need to perform their tasks in accordance with their access rights and of supporting the objectives of those EES, the VIS, [the ETIAS], Eurodac, the SIS, [the ECRIS- TCN system] and the Europol dataU information systems and of the SIS and with their access rights under the relevant legal basis.
Amendment 437 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) a secure communication infrastructure between the ESP and the EES, the VIS, [the ETIAS], Eurodac, the Central-SIS, [the ECRIS-TCN system], the Europol data and the Interpol databases as well as between the ESP and the central infrastructures of the common identity repository (CIR) and the multiple-identity detector.
Amendment 438 #
Proposal for a regulation
Article 6 – paragraph 3
Article 6 – paragraph 3
3. eu-LISA shall develop the ESP and ensure its technical management. It shall not, however, have access to any of the personal data processed through the EPS.
Amendment 441 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The use of the ESP shall be reserved to the Member State authorities and EU bodies having access to the EES, [the ETIAS], the VIS, the SIS, Eurodac and [the ECRIS-TCN system], to the CIR and the multiple-identity detector as well as the Europol data and the Interpol databases in accordance with Union or national law governing such access.
Amendment 443 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. The authorities referred to in paragraph 1 shall use the ESPWhere they are required under Union law to search data related to persons or their travel documents in the central systems of the EES, the VIS and [the ETIAS] in accordance with their access rights under Union and national law. They, the authorities referred to in paragraph 1 shall also use the ESP to query the CIRsearch such data in accordance with their access rights under this Regulation for the purposes referred to in Articles 20, 21 and 22Union and national law.
Amendment 446 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. The EU bodWhere they are so required under Union law, EU Agencies shall use the ESP to search data related to persons or their travel documents in the Central SIS.
Amendment 449 #
Proposal for a regulation
Article 7 – paragraph 5
Article 7 – paragraph 5
5. TWhere so required under Union or national law, the authorities referred to in paragraph 1 may use the ESP to search data related to persons or their travel documents in the Interpol databases in accordance with their access rights under Union and national law.
Amendment 450 #
Proposal for a regulation
Article 7 – paragraph 5 a (new)
Article 7 – paragraph 5 a (new)
5a. The data owners referred in this article shall not be notified that a search has taken place.
Amendment 454 #
Proposal for a regulation
Article 8 – paragraph 1 – point c a (new)
Article 8 – paragraph 1 – point c a (new)
(ca) the purpose of the use of ESP by this category of user.
Amendment 456 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2a. eu-LISA shall review regularly – and at least once a year after their creation - the user profiles referred to in paragraph one, and shall update and delete those profiles where necessary.
Amendment 459 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The users of the ESP shall launch a query by introducing data in the ESP in accordance with their user profile and access rights. Where a query has been launched, the ESP shall query simultaneously, with the data introduced by the user of the ESP, the EES, [the ETIAS], the VIS, the SIS, Eurodac, [the ECRIS-TCN system] and the CIR as well as the Europol databases and the Interpol databases.
Amendment 463 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. The fields of data used to launch a query via the ESP shall correspond to the fields of data related to persons or travel documents that may be used to query the various EU information systems, the Europol databases and the Interpol databases in accordance with the legal instruments governing them.
Amendment 466 #
Proposal for a regulation
Article 9 – paragraph 4
Article 9 – paragraph 4
4. The EES, [the ETIAS], the VIS, the SIS, Eurodac, [the ECRIS-TCN system], the CIR and the multiple-identity detector, as well as the Europol data and the Interpol databases, shall provide the data that they contain resulting from the query of the ESP.
Amendment 467 #
Proposal for a regulation
Article 9 – paragraph 5
Article 9 – paragraph 5
5. When querying the Interpol databases, the design of the ESP shall ensure that the data used by the user of the ESP to launch a query or any other data, is not shared with the owners of Interpol data. As regards to data on individuals registered in Eurodac, it must be ensured that the database owner does not receive information on whether their databases have been queried through the ESP.
Amendment 471 #
Proposal for a regulation
Article 9 – paragraph 6
Article 9 – paragraph 6
6. The reply to the user of the ESP shall be unique and shall contain all the data to which the user has access under Union law. Where necessary, the reply provided by the ESP shall indicate to which information system or database the data belongsThe ESP shall provide no information regarding data in information systems to which the user has no access under Union law.
Amendment 482 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
2. The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities designated pursuant to Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. Those logs shall be protected by appropriate measures against unauthorised access and erased onetwo years after their creation, unless they are required for monitoring procedures that have already begun.
Amendment 485 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. Where it is technically impossible to use the ESP to query one or several EU information systems referred to in Article 9(1) or the CIR, because of a failure of the ESP, the users of the ESP shall be notified by eu- LISA.
Amendment 489 #
Proposal for a regulation
Article 11 – paragraph 2
Article 11 – paragraph 2
2. Where it is technically impossible to use the ESP to query one or several EU information systems referred to in Article 9(1) or the CIR, because of a failure of the national infrastructure in a Member State, that Member State's competent authority shall notify eu-LISA and the Commission.
Amendment 493 #
Proposal for a regulation
Article 11 – paragraph 3
Article 11 – paragraph 3
3. In both scenarios, and until the technical failure is addressed, the obligation referred to in Article 7(2) and (4) shall not apply and Member States may access the information systems referred to in Article 9(1) or the CIR directly using their respective national uniform interfaces or national communication infrastructures.
Amendment 497 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
1. A shared biometric matching service (shared BMS) storing biometric templates and) shall be established to enablinge querying with biometric data across several EU information systems is established for the purposes of supporting the CIR, the SIS and the multiple-identity detector andto support the objectives of the EES, the VIS, Eurodac, the SIS and [the ECRIS-TCN system].
Amendment 500 #
Proposal for a regulation
Article 12 – paragraph 2 – point a
Article 12 – paragraph 2 – point a
(a) a central infrastructure, including a search engine and the storage of the data referred to in Article 13;
Amendment 503 #
Proposal for a regulation
Article 12 – paragraph 2 – point b
Article 12 – paragraph 2 – point b
(b) a secure communication infrastructure between the shared BMS, Central-SIS the EES, the VIS, EURODAC and [the CIRECRIS-TCN system].
Amendment 505 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
3. eu-LISA shall develop the shared BMS and ensure its technical management. It shall not, however, have access to any of the personal data processed through the shared BMS.
Amendment 506 #
Proposal for a regulation
Article 13
Article 13
Amendment 524 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
In order to search the biometric data stored within the CIR andEES, the SVIS, the CIR and the SIEURODAC, [the ECRIS-TCN system] and the SIS, the shared BMS shall uscompare the biometric templatesdata stored in the shared BMSunderlying systems for a match. Queries with biometric data shall take place in accordance with the purposes provided for in this Regulation and in the EES Regulation, the VIS Regulation, the Eurodac Regulation, the [SIS Regulations] and [the ECRIS-TCN Regulation].
Amendment 527 #
Proposal for a regulation
Article 15
Article 15
Amendment 531 #
Proposal for a regulation
Article 16 – paragraph 1 – point a
Article 16 – paragraph 1 – point a
Amendment 537 #
Proposal for a regulation
Article 16 – paragraph 2
Article 16 – paragraph 2
2. The logs may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. . To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities designated pursuant to Article 51 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. Those logs shall be protected by appropriate measures against unauthorised access and erased onetwo years after their creation, unless they are required for monitoring procedures that have already begun. The logs referred to in paragraph 1(a) shall be erased once the data is erased.
Amendment 540 #
Proposal for a regulation
Article 17
Article 17
Amendment 546 #
Proposal for a regulation
Article 18
Article 18
Amendment 552 #
Proposal for a regulation
Article 19
Article 19
Adding, amending and deleting data inrticle 1.9 deleted in the EES, the VIS and [the ETIAS], the data referred to in Article 18 stored in the individual file of the CIR shall be added, amended or deleted accordingly in an automated manner. 2. detector creates a white or red link in accordance with Articles 32 and 33 between the data of two or more of the EU information systems constituting the CIR, instead of creating a new individual file, the CIR shall add the new data to the individual file of the linked data.common identity repository Where data is added, amended or Where the multiple-identity
Amendment 556 #
Proposal for a regulation
Article 20 – title
Article 20 – title
20 Access to the common identity repositoryUse of the ESP and shared BMS for identification
Amendment 557 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Article 20 – paragraph 1 – subparagraph 1
Where a Member State police authority is unable to identify a person on the basis of his/her travel document, or of another credible document proving his/her identity, or with the identity data provided by that person in accordance with rules and procedures laid down in national law, and where a Member State police authority has been so empowered by national legislative measures as referred to in paragraph 2, it may, in the presence of that person, and solely for the purpose of identifying athat person, query the CIR with theESP or the shared BMS with the biographical or biometric data of that person taken during anthe identity check.
Amendment 561 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Article 20 – paragraph 1 – subparagraph 2
Where the query indicates that data on that person is stored in the CIREU information systems or the SIS, the Member States police authority shall have access to consult the following data: (a) the data referred to in [Article 18(1)6(1)(a) to (d) and Article 17(1)(a) to (c) of the EES Regulation]; (b) the data referred to in Article 9(4)(a) to (c), (5)and (6) of Regulation (EC) No767/2008; and (c) [the data referred to in Article 15(2)(a) to (e) of the ETIAS Regulation].
Amendment 563 #
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 3
Article 20 – paragraph 1 – subparagraph 3
Amendment 568 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. Member States wishing to avail themselves of the possibility provided for in this Article shall adopt national legislative measures. Such legislative measures shall specify the precise purposes of identity checks within the purposes referred to in Article 2(1)(b) and (c). TWithout prejudice to the first subparagraph of paragraph 1, they shall designate the police authorities competent and lay down the procedures, conditions and criteria ofor such checks.
Amendment 572 #
Proposal for a regulation
Article 21
Article 21
Access to the common identity repository for the detection of multiple identities 1. in a yellow link in accordance with Article 28(4), the authority responsible for the verification of different identities determined in accordance with Article 29 shall have access, solely for the purpose of that verification, to the identity data stored in the CIR belonging to the various information systems connected to a yellow link. 2. in a red link in accordance with Article 32, the authorities referred to in Article 26(2) shall have access, solely for the purposes of fighting identity fraud, to the identity data stored in the CIR belonging to the various information systems connected to a red link.rticle 21 deleted Where a query of the CIR results Where a query of the CIR results
Amendment 578 #
Proposal for a regulation
Article 22 – title
Article 22 – title
22 Querying the common identity repositoryEU information systems for law enforcement purposes
Amendment 579 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
1. For the purposes ofWhere there are reasonable grounds to believe that consultation of EU information systems will substantially contribute to the preventiong, detecting andon or investigatingon of terrorist offences or other serious criminal offences, in a specific case and in order particular where there is a substantiated suspicion that the suspect, perpetrator obtain information on whether data on a specific person is presentr victim of a terrorist offence or other serious criminal offence falls under the category of third-country nationals whose data are stored in [the EES], the VIS and , [the ETIAS] or the Member State designated authorities and Europol may consult the CIREurodac system, and where a prior search in national databases has been carried out and a query of the automated fingerprint identification system of the other Member States under Decision 2008/615/JHA has been launched, the Member States designated authorities and Europol may use the ESP and the shared BMS in order to obtain information on whether data on a specific person is present in the EES, the VIS and [the ETIAS].
Amendment 581 #
Proposal for a regulation
Article 22 – paragraph 1 a (new)
Article 22 – paragraph 1 a (new)
1a. The central access points established in Article 50(2) [ETIAS Regulation], Article 29(3) of Regulation (EU) 2017/2226 and Article 3(2) of Regulation 767/2008 shall monitor the use made of the possibility provided for in paragraph 1. For that purpose, regular ex-post evaluations of this possibility shall be made and used for self-monitoring as referred to in Article 45. The central access points shall transmit a report to the supervisory authorities referred to in Article 49 every two years on the use made of this provision.
Amendment 583 #
Proposal for a regulation
Article 22 – paragraph 2
Article 22 – paragraph 2
2. Member State designated authorities and Europol shall not be entitled to consult data belonging to [the ECRIS-TCN] when consultusing the CIRESP or shared BMS for the purposes listed in paragraph 1.
Amendment 584 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. Where, in reply to a query the CIRESP or the shared BMS indicates that data on that person is present in the EES, the VIS andor [the ETIAS] the CIRESP or shared BMS shall provide to Member States' designated authorities andor to Europol a reply in the form of a reference indicating which of the information systems contains matching data referred to in the second subparagraph of Article 18(220(1). The CIRESP or shared BMS shall reply in such a way that the security of the data is not compromised. A reply indicating that data on that person is present in one of the EU information systems may be used solely for the purpose of submitting a request for access to that information system subject to the conditions and procedures laid down in the legislative instrument governing that information system.
Amendment 588 #
Proposal for a regulation
Article 23
Article 23
Amendment 591 #
Proposal for a regulation
Article 24
Article 24
Amendment 605 #
Proposal for a regulation
Article 25 – paragraph 1
Article 25 – paragraph 1
1. A multiple-identity detector (MID) is established to creatinge and storinge links between data in the EU information systems included in the common identity repository (CIR) and the SIS, and as a consequence to detecting multiple identities, with the dual purpose ofin order to facilitatinge identity checks and combating identity fraud, is established for the purpose ofand thus in order to supporting the functioning of the CIR and the objectives of the EES, the VIS, the ETIAS], Eurodac, the SIS and [the ECRIS-TCN system].
Amendment 607 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
Article 25 – paragraph 2 – point b
(b) a secure communication infrastructure to connect the MID with the SIS and the central infrastructures of the European search portal and the CIREES, [the ETIAS], the VIS, Eurodac and [the ECRIS-TCN system].
Amendment 608 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. eu-LISA shall develop the MID and ensure its technical management. It shall not, however, have access to any of the personal data processed through the MID.
Amendment 613 #
Proposal for a regulation
Article 26 – paragraph 1 – point d
Article 26 – paragraph 1 – point d
Amendment 614 #
Proposal for a regulation
Article 26 – paragraph 1 – point e
Article 26 – paragraph 1 – point e
(e) the SIRENE Bureaux of the Member State creating or updating a [SIS alert in accordance with the Regulation on SIS in the field of border checks];
Amendment 615 #
Proposal for a regulation
Article 26 – paragraph 1 – point f
Article 26 – paragraph 1 – point f
Amendment 616 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
2. Member State authorities and EU bodies having access to at least one EU information system included in the common identity repository or to the SIS shall have access to the data referred to in Article 34(a) and (b) regarding any red links as referred to in Article 32.
Amendment 619 #
Proposal for a regulation
Article 27 – paragraph 1 – introductory part
Article 27 – paragraph 1 – introductory part
1. A multiple-identity detection in the common identity repository and theEU information systems and SIS shall be launched where:
Amendment 620 #
Proposal for a regulation
Article 27 – paragraph 1 – point d
Article 27 – paragraph 1 – point d
Amendment 621 #
Proposal for a regulation
Article 27 – paragraph 1 – point f
Article 27 – paragraph 1 – point f
Amendment 622 #
Proposal for a regulation
Article 27 – paragraph 1 a (new)
Article 27 – paragraph 1 a (new)
1a. The multiple-identity detection using the data referred to in paragraph 1(c) shall be launched only where an application file in ETIAS can be verified against an individual file in the EES.
Amendment 623 #
Proposal for a regulation
Article 27 – paragraph 2
Article 27 – paragraph 2
2. Where the data contained within an information system as referred to in paragraph 1 contains biometric data, the common identity repository (CIR)at information system and the Central-SIS shall use the shared biometric matching service (shared BMS) in order to perform the multiple-identity detection. The shared BMS shall compare the new biometric templatesdata obtained from any new biometric data to thethe relevant information system against any biometric templatesdata already contained in the shared BMSother information systems in order to verify whether or not data belonging to the same third-country national is already stored in the CIR or in the Central SISanother information system.
Amendment 625 #
Proposal for a regulation
Article 27 – paragraph 3 – introductory part
Article 27 – paragraph 3 – introductory part
3. In addition to the process referred to in paragraph 2, the CIRinformation system and the Central- SIS shall use the European search portal to search the data stored in the CIRall the EU information systems and the Central-SIS using the following data:
Amendment 626 #
Proposal for a regulation
Article 27 – paragraph 3 – point d
Article 27 – paragraph 3 – point d
Amendment 627 #
Proposal for a regulation
Article 27 – paragraph 3 – point f
Article 27 – paragraph 3 – point f
Amendment 628 #
Proposal for a regulation
Article 27 – paragraph 3 – point g
Article 27 – paragraph 3 – point g
Amendment 629 #
Proposal for a regulation
Article 27 – paragraph 3 – point h
Article 27 – paragraph 3 – point h
Amendment 633 #
Proposal for a regulation
Article 28 – paragraph 2 – subparagraph 1
Article 28 – paragraph 2 – subparagraph 1
Where the query laid down in Article 27(2) and (3) reports one or several hit(s), the common identity repository andEU information systems concerned including, where relevant, the SIS shall create a link between the data used to launch the query and the data triggering the hit.
Amendment 634 #
Proposal for a regulation
Article 28 – paragraph 5
Article 28 – paragraph 5
5. The Commission shall lay down the procedures to determine the cases where identity data can be considered as identical or similar in implementingdelegated acts. Those implementingdelegated acts shall be adopted in accordance with the examination procedure referred to in Article 64(2)Article 63. Such acts must be designed in a manner that ensures the protection of persons with multiple lawful identities against discrimination.
Amendment 638 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 1 – point d
Article 29 – paragraph 1 – subparagraph 1 – point d
Amendment 640 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 1 – point e
Article 29 – paragraph 1 – subparagraph 1 – point e
(e) the SIRENE Bureaux of the Member State for hits that occurred when creating or updating a SIS alert in accordance with the [Regulations on SIS in the field of border checks];
Amendment 641 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 1 – point f
Article 29 – paragraph 1 – subparagraph 1 – point f
Amendment 642 #
Proposal for a regulation
Article 29 – paragraph 1 – subparagraph 1 a (new)
Article 29 – paragraph 1 – subparagraph 1 a (new)
The authority responsible shall verify the identity as soon as possible and, in any event, within eight hours. If verification proves impossible, the border authorities shall carry out the verification when the person concerned next enters or exits an external border.
Amendment 643 #
Proposal for a regulation
Article 29 – paragraph 2 – point f
Article 29 – paragraph 2 – point f
Amendment 646 #
Proposal for a regulation
Article 29 – paragraph 2 a (new)
Article 29 – paragraph 2 a (new)
2a. Where the SIRENE Bureau is responsible for manually verifying different identities but has not been involved in the addition of the new identity data which has given rise to a yellow link, it shall be informed immediately by the relevant authority which added the new identity data. The SIRENE Bureau shall carry out the manual verification of different identities as soon as possible and, in any event, within eight hours.
Amendment 647 #
Proposal for a regulation
Article 29 – paragraph 3
Article 29 – paragraph 3
3. Without prejudice to paragraph 4, the authority responsible for verification of different identities shall have access to the related data contained in the relevant identity confirmation file and to the identity data linked in the common identity repository and, where relevant, in the SISrelevant information systems, and shall assess the different identities and shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay.
Amendment 649 #
Proposal for a regulation
Article 29 – paragraph 4
Article 29 – paragraph 4
4. Where the authority responsible for the verification of different identities in the identity confirmation file is the border authority creating or updating an individual file in the EES in accordance with Article 14 of the EES Regulation, and where a yellow link is obtained, the border authority shall carry out additional verifications as part of a second-line check. During this . For that purposec ond-line checkly, the border authorities shall have access to the related identity data contained in the relevant identity confirmation file and shall assess the different identities and shall update the link in accordance with Articles 31 to 33 and add it to the identity confirmation file without delay.
Amendment 651 #
Proposal for a regulation
Article 29 – paragraph 5
Article 29 – paragraph 5
5. Where more than one link is obtained, the authority responsible for the verification of different identities shall assess each link separately. The authority responsible must ensure that the data subject is given the possibility to explain plausible reasons why there may be contradicting information within the different IT systems.
Amendment 652 #
Proposal for a regulation
Article 29 – paragraph 5 a (new)
Article 29 – paragraph 5 a (new)
5a. The authority responsible for the manual verification of multiple identities must also assess whether there are plausible arguments presented by the third country national when deciding on the colour of the links. Such assessment should be performed, where possible, in the presence of the third-country national and, where necessary, by requesting additional clarifications or information. Such assessment should be performed without delay, in line with legal requirements for the accuracy of information under Union and national law.
Amendment 655 #
Proposal for a regulation
Article 30 – paragraph 1 – point b
Article 30 – paragraph 1 – point b
(b) the linked data has different identity data, there is no biometric data to compare, and no manual verification of different identity has taken place.
Amendment 659 #
Proposal for a regulation
Article 31 – paragraph 2
Article 31 – paragraph 2
2. Where the common identity repository (CIR) or the SISrelevant information systems are queried and where a green link exists between two or more of those information systems constituting the CIR or with the SIS, the multiple-identity detector shall indicate that the identity data of the linked data does not correspond to the same person. The queried information system shall reply indicating only the data of the person whose data was used for the query, without triggering a hit against the data that is subject to the green link.
Amendment 663 #
Proposal for a regulation
Article 32 – paragraph 1 – point a
Article 32 – paragraph 1 – point a
(a) the linked data shares the same biometric but different identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner;
Amendment 664 #
Proposal for a regulation
Article 32 – paragraph 1 – point b
Article 32 – paragraph 1 – point b
(b) the linked data has similar identity data and the authority responsible for the verification of different identities concluded it refers unlawfully to the same person in an unjustified manner.
Amendment 666 #
Proposal for a regulation
Article 32 – paragraph 2
Article 32 – paragraph 2
2. Where the CIR orEU information systems and the SIS are queried and where a red link exists between two or more of the information systems constituting the CIR or with the SIS, the multiple-identity detector shall reply indicating the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law. No legal consequence for the person or persons concerned shall derive solely from the existence of a red link.
Amendment 667 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
Amendment 668 #
Proposal for a regulation
Article 32 – paragraph 4
Article 32 – paragraph 4
4. Without prejudice to the provisions related to the handling of alerts in the SIS referred to in the [Regulations on SIS in the field of border checks, on SIS in the field of law enforcement and on SIS in the field of illegal return], and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that any nalaid down in Article 13(3) if Directive (EU) 680/2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of preventional, investigation will not be jeopardised,, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data where a red link is created, the authority responsible for verification of different identities shall inform the person of the presence of multiple unlawfuljustified identities.
Amendment 672 #
Proposal for a regulation
Article 32 – paragraph 5 a (new)
Article 32 – paragraph 5 a (new)
5a. Where a Member State authority or EU body with access to one of the EU information systems or the SIS obtains evidence showing that a red link recorded in the MID is incorrect or that the data processed in the MID, the relevant EU information systems and the SIS were processed in breach of this Regulation, that authority shall, where the link relates to EU information systems either rectify or erase the link from the MID immediately, or where the link relates to the SIS, inform the relevant SIRENE Bureau of the Member State that created the SIS alert immediately. That SIRENE Bureau shall verify the evidence provided by the Member State authority and rectify or erase the link from the MID immediately thereafter.
Amendment 677 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
2. Where the CIR or the SISinformation systems are queried and where a white link exists between one or more of the information systems constituting the CIR or with the SIS, the multiple-identity detector shall indicate that the identity data of the linked data correspond to the same person. The queried information systems shall reply indicating, where relevant, all the linked data on the person, hence triggering a hit against the data that is subject to the white link, if the authority launching the query has access to the linked data under Union or national law.
Amendment 678 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
Amendment 684 #
Proposal for a regulation
Article 35 – paragraph 1
Article 35 – paragraph 1
The identity confirmation files and its data, including the links, shall be stored in the multiple-identity detector (MID) only for as long as the linked data is stored in two or more EU information systems. Once this condition is no longer met, the identity confirmation files and their data, including all related links, shall be deleted automatically.
Amendment 691 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The logs may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security pursuant to Article 42. To that end, access to those logs shall be granted as appropriate to the data controllers identified pursuant to Article 40, to national supervisory authorities designated pursuant to Article 51 of Regulation (EU)2016/679 and Article 41 of Directive (EU) 2016/680, and to the European Data Protection Supervisor. The logs shall be protected by appropriate measures against unauthorised access and erased onetwo years after their creation, unless they are required for monitoring procedures that have already begun. The logs related to the history of the identity confirmation file shall be erased once the data in the identity confirmation file is erased.
Amendment 692 #
Proposal for a regulation
Article 37 – paragraph 1
Article 37 – paragraph 1
1. eu-LISA shall establish as soon as possible automated data quality control mechanisms and procedures on the data stored in the EES, the [ETIAS], the VIS, and the SIS, the shared biometric matching service (shared BMS), the common identity repository (CIR) and the multiple-identity detector (MID)and the multiple-identity detector (MID). Those automated data quality control mechanisms should be adequately tested prior to the start of operations of the interoperability components in accordance with Article 62.
Amendment 695 #
Proposal for a regulation
Article 37 – paragraph 2
Article 37 – paragraph 2
2. eu-LISA shall establish common data quality indicators and the minimum quality standards to store data in the EES, the [ETIAS], the VIS, the SIS, the shared BMS, the CIR and the MID.
Amendment 700 #
Proposal for a regulation
Article 37 – paragraph 4
Article 37 – paragraph 4
4. The details of the automated data quality control mechanisms and procedures and the common data quality indicators and the minimum quality standards to store data in the EES, the [ETIAS], the VIS, the SIS, the shared BMS, the CIR and the MID, in particular regarding biometric data, shall be laid down in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
Amendment 701 #
Proposal for a regulation
Article 37 – paragraph 5
Article 37 – paragraph 5
5. One year after the establishment of the automated data quality control mechanisms and procedures and common data quality indicators and every year thereafter, the Commission shall evaluate Member State implementation of data quality and, in particular, data quality issues deriving from erroneous historical data in existing EU information systems and in the SIS. The Commission shall make any necessary recommendations. The Member States shall provide the Commission with an action plan to remedy any deficiencies identified in the evaluation report and shall report on any progress against this action plan until it is fully implemented. The Commission shall transmit the evaluation report to the European Parliament, to the Council, to the European Data Protection Supervisor and to the European Union Agency for Fundamental Rights established by Council Regulation (EC) No 168/2007.75 _________________ 75 Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights (OJ L 53, 22.2.2007, p. 1).
Amendment 704 #
Proposal for a regulation
Article 38 – paragraph 2
Article 38 – paragraph 2
2. The UMF standard shall be used in the development of the EES, the [ETIAS], , the European search portal, the CIR, the MID and, if appropriate, in the development by eu- LISA or any other EU body of new information exchange models and information systems in the area of Justice and Home Affairs.
Amendment 705 #
Proposal for a regulation
Article 38 – paragraph 3
Article 38 – paragraph 3
Amendment 713 #
Proposal for a regulation
Article 39 – paragraph 3
Article 39 – paragraph 3
3. eu-LISA shall render the data anonymous, by ensuring that the data is non-identifiable, and shall record such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated.
Amendment 714 #
Proposal for a regulation
Article 39 – paragraph 4 – point b
Article 39 – paragraph 4 – point b
(b) a secure communication infrastructure to connect the CRRS to the EES, [the ETIAS], the VIS and the SIS, as well as the central infrastructures of the shared BMS, the CIR and the MID.
Amendment 715 #
Proposal for a regulation
Article 39 – paragraph 5
Article 39 – paragraph 5
5. The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of implementinga delegated acts. Those implementingat delegated acts shall be adopted in accordance with the examination procedure referred to in Article 64(2)3.
Amendment 717 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
1. In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the VIS, EES, and SIS respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMSprocessing of biometric data that they enter into respective systems. In relation to information security management of the shared BMS, eu-LISA shall be considered a controller.
Amendment 719 #
Proposal for a regulation
Article 40 – paragraph 2
Article 40 – paragraph 2
Amendment 722 #
Proposal for a regulation
Article 40 – paragraph 3 – point a
Article 40 – paragraph 3 – point a
(a) the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(b) of Regulation No 45/2001 in relation to processing of personal data by the ETIAS Central Unit. In relation to information security management of the ETIAS Central System, eu-LISA shall be considered a controller;
Amendment 723 #
Proposal for a regulation
Article 40 – paragraph 3 – point b
Article 40 – paragraph 3 – point b
(b) the Member State authorities adding or modifying the data in the identity confirmation file are also to be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 and shall have responsibility for the processing of the personal data in the multiple-identity detector. In relation to information security management of the multiple- identity detector, eu-LISA shall be considered a controller;
Amendment 726 #
Proposal for a regulation
Article 41
Article 41
Amendment 728 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Both eu-LISA and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA shall be responsible for the central systems and Member State authorities shall be responsible for the security at the end-points controlling access to the systems, [the ETIAS Central Unit] and the Member State authorities shall cooperate on security-related tasks.
Amendment 729 #
Proposal for a regulation
Article 42 – paragraph 3 – point i
Article 42 – paragraph 3 – point i
(i) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.
Amendment 736 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu- LISA, the national supervisory authority and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.
Amendment 745 #
Proposal for a regulation
Article 46 – title
Article 46 – title
46 Right tof information
Amendment 746 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Without prejudice to the right tof information referred to in Articles 11 and 12 of Regulation (EC) 45/2001 and, Articles 13 and 14 of Regulation (EU) 2016/679, persons whose data are stored in the shared biometric matching service, the common identity repository orand Article 13 of Directive 2016/680, persons whose data are stored in one of the EU information systems, in the SIS, or in the multiple-identity detector shall be informed by the authority collecting their data, at the time their data are collected, about the processing of personal data for the purposes of this Regulation, including about identity and contact details of the respective data controllers, and about the procedures for exercising their rights of access, rectification and erasure, as well aslaid down in Article 47, and about the contact details of the European Data Protection Supervisor and of the national supervisory authority of the Member State responsible for the collection of the data.
Amendment 751 #
Proposal for a regulation
Article 46 – paragraph 1 a (new)
Article 46 – paragraph 1 a (new)
1a. All information must be provided to data subjects in a manner and language which they understand, or are reasonably expected to understand. This must include providing information in an age- appropriate manner for data subjects who are minors.
Amendment 761 #
Proposal for a regulation
Article 47 – paragraph 1
Article 47 – paragraph 1
1. In order to exercise their rights under Articles 13, 14, 15 and 16 of Regulation (EC) 45/2001 and, Articles 15, 16, 17 and 18 of Regulation (EU) 2016/679, and Articles 14 and 16 of Directive (EU) 2016/680, any person shall have the right to address him or herself to the Member State responsible for the manual verification of different identities or of any Member State, who shall examine and reply to the request.
Amendment 765 #
Proposal for a regulation
Article 47 – paragraph 1 a (new)
Article 47 – paragraph 1 a (new)
Amendment 766 #
Proposal for a regulation
Article 47 – paragraph 1 b (new)
Article 47 – paragraph 1 b (new)
1b. The Commission shall adopt implementing acts concerning the detailed rules on the conditions for the operation of the web service and the data protection and security rules applicable. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64.
Amendment 767 #
Proposal for a regulation
Article 47 – paragraph 2
Article 47 – paragraph 2
2. The Member State responsible for the manual verification of different identities as referred to in Article 29 or the Member State to which the request has been made, either directly from the data subject in accordance with paragraph 1 or via the web service established by eu- LISA in accordance with paragraph 2, shall reply to such requests at the latest within 145 days of receipt of the request.
Amendment 770 #
Proposal for a regulation
Article 47 – paragraph 3
Article 47 – paragraph 3
3. If a request for correction or erasure of personal data is made to a Member State other than the Member State responsible, the Member State to which the request has been made shall contact the authorities of the Member State responsible within seven days and the Member State responsible shall check the accuracy of the data and the lawfulness of the data processing within 3014 days of such contact. The person concerned shall be informed by the Member State which contacted the authority of the Member State responsible that his or her request was forwarded about the further procedure.
Amendment 775 #
Proposal for a regulation
Article 47 – paragraph 4
Article 47 – paragraph 4
4. Where, following an examination, it is found that the data stored in the multiple-identity detector (MID) are factually inaccurate or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall correct or delete these data. The person concerned shall be informed that his or her data was corrected or deleted.
Amendment 786 #
Proposal for a regulation
Article 47 – paragraph 7
Article 47 – paragraph 7
7. This decision shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request referred in paragraph 3s 1 and 2, and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts, and any assistance, including from the competent national supervisory authorities.
Amendment 787 #
Proposal for a regulation
Article 47 – paragraph 8
Article 47 – paragraph 8
8. Any request made pursuant to paragraph 3s 1 or 2 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 31 and shall be erased immediately afterwards.
Amendment 788 #
Proposal for a regulation
Article 47 – paragraph 9
Article 47 – paragraph 9
9. The responsible Member State or, where applicable, the Member State to which the request has been made shall keep a record in the form of a written document that a request referred to in paragraph 3s 1 and 2 was made and how it was addressed, and shall make that document available to competent data protection national supervisory authorities without delay.
Amendment 789 #
Proposal for a regulation
Article 47 a (new)
Article 47 a (new)
Article 47 a Liability Without prejudice to the right to compensation from, and liability under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EC) No 45/2001: (a) any person who has suffered material or non-material damage as a result of an unlawful personal data processing operation through the use of interoperability components or any other act by a Member State which is incompatible with this Regulation shall be entitled to receive compensation from that Member State; (b) any person who has suffered material or non-material damage as a result of an unlawful personal data processing operation through the use of interoperability components or any other act by Europol or by the European Border and Coast Guard Agency which is incompatible with this Regulation shall be entitled to receive compensation from Europol or the European Border and Coast Guard as appropriate. The Member State, Europol or the European Border and Coast Guard Agency shall be exempted from liability, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.
Amendment 790 #
Proposal for a regulation
Article 47 b (new)
Article 47 b (new)
Article 47 b Penalties Member States shall ensure that any misuse of data, processing of data or exchange of data contrary to this Regulation is punishable in accordance with national law. The penalties provided shall be effective, proportionate and dissuasive and shall include the possibility for administrative and criminal penalties. Europol and the European Border and Coast Guard Agency shall ensure that members of their staff or members of their teams who misuse, process or exchange data contrary to this Regulation are subject to penalties. Those penalties shall be effective, proportionate and dissuasive.
Amendment 793 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
Personal data stored in, processed or accessed by the interoperability components shall not be transferred or made available to any third country, to any international organisation or to any private party, with the exception of transfers to Interpol for the purpose of carrying out the automated processing referred to in [Article 18(2)(b) and (m) of the ETIAS Regulation] or for the purposes of Article 8(2) of Regulation (EU) 2016/399. Such transfers of personal data to Interpol shall be compliant with the provisions of Article 9 of Regulation (EC) No 45/2001 and Chapter V of Regulation (EU) 2016/679.
Amendment 797 #
Proposal for a regulation
Article 49 – paragraph 1
Article 49 – paragraph 1
1. The supervisory authority or authorities designated pursuant to Article 4951 of Regulation (EU) 2016/679 and Article 41 of Directive (EU) 2016/680 shall ensure that an audit of the data processing operations by the responsible national authorities is carried out in accordance with relevant international auditing standards at least every four years.
Amendment 800 #
Proposal for a regulation
Article 49 – paragraph 1 a (new)
Article 49 – paragraph 1 a (new)
1 a. Member States shall ensure that their supervisory authorities designated pursuant to Article 51 of Regulation2016/679 and Article 41 of Directive 2016/680 monitor the lawfulness of the processing of personal data under this Regulation carried out by Member States’ relevant authorities.
Amendment 804 #
Proposal for a regulation
Article 49 – paragraph 2
Article 49 – paragraph 2
2. Member States shall ensure that their supervisory authority has sufficient resourcesadditional resources, including both human and financial resources, to fulfil the tasks entrusted to it under this Regulation.
Amendment 806 #
Proposal for a regulation
Article 50 – paragraph 1
Article 50 – paragraph 1
The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, the Council, eu-LISA, the Commission and the Member States. eu-LISA shall be given an opportunity to make comments before the reports are adopted. The EU Budgetary Authority shall ensure that the European Data Protection Supervisor has sufficient additional resources, including both human and financial resources, to fulfil the tasks entrusted to it under this Regulation.
Amendment 814 #
Proposal for a regulation
Article 52 – paragraph 1
Article 52 – paragraph 1
1. eu-LISA shall ensure that the central infrastructures of the interoperability components are operated in accordance with this Regulation. In that respect, eu-LISA shall follow the principles of data protection by design and by default.
Amendment 816 #
Proposal for a regulation
Article 52 – paragraph 3 – subparagraph 1
Article 52 – paragraph 3 – subparagraph 1
eu-LISA shall be responsible for the development of the interoperability components, for any adaptations required for establishing interoperability between the central systems of the EES, VIS, [ETIAS], SIS, and Eurodac, and [the ECRIS-TCN system], and the European search portal, the shared biometric matching service, the common identity repository and the multiple-identity detector.
Amendment 817 #
Proposal for a regulation
Article 52 – paragraph 3 – subparagraph 4
Article 52 – paragraph 3 – subparagraph 4
The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination. In that regard, the tasks of eu-LISA shall also be: (a) perform a security risk assessment; (b) follow the principles of privacy by design and by default during the entire lifecycle of the development of the interoperability components; and (c) conduct a security risk assessment regarding the interoperability of EU information systems, interoperability components, Europol data and Interpol databases.
Amendment 821 #
Proposal for a regulation
Article 53 – paragraph 1 – subparagraph 1 a (new)
Article 53 – paragraph 1 – subparagraph 1 a (new)
eu-LISA shall perform regular information security risk assessments for the interoperability components, implement a comprehensive information security risk management process and follow the principles of privacy by design and by default during the entire lifecycle of those interoperability components.
Amendment 823 #
Proposal for a regulation
Article 53 – paragraph 3
Article 53 – paragraph 3
Amendment 825 #
Proposal for a regulation
Article 54 – paragraph 1 – point a
Article 54 – paragraph 1 – point a
(a) the connection to the communication infrastructure of the European search portal (ESP) and the common identity repository (CIR);
Amendment 828 #
Proposal for a regulation
Article 54 – paragraph 1 – point b
Article 54 – paragraph 1 – point b
(b) the integration of the existing national systems and infrastructures with the ESP, shared biometric matching service, the CIR and the multiple-identity detector;
Amendment 830 #
Proposal for a regulation
Article 54 – paragraph 1 – point d
Article 54 – paragraph 1 – point d
(d) the management of, and arrangements for, access by the duly authorised staff, and by the duly empowered staff, of the competent national authorities to the ESP, the CIR and the multiple- identity detector in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles;
Amendment 832 #
Proposal for a regulation
Article 54 – paragraph 1 – point e
Article 54 – paragraph 1 – point e
(e) the adoption of the legislative measures referred to in Article 20(3) in order to access the CIREU information systems for identification purposes;
Amendment 836 #
Proposal for a regulation
Article 54 – paragraph 2
Article 54 – paragraph 2
Amendment 946 #
Proposal for a regulation
Article 56 – paragraph 2
Article 56 – paragraph 2
Amendment 951 #
Proposal for a regulation
Article 56 – paragraph 3 – introductory part
Article 56 – paragraph 3 – introductory part
3. The duly authorised staff of the competent authorities of Member States, the Commission and eu-LISA shall have access to consult the following data related to the multiple- identity detector, solely for the purposes of reporting and statistics without enabling individual identification:
Amendment 956 #
Proposal for a regulation
Article 56 – paragraph 5
Article 56 – paragraph 5
5. For the purpose of paragraph 1 of this Article, eu-LISA shall store the data referred to in paragraph 1 of this Article in the central repository for reporting and statistics referred to in Chapter VII of this Regulation. The data included in the repository shall not enablebe anonymised and shall not be such as to allow for the identification of individuals, but it shall allow the authorities listed in paragraph 1 of this Article to obtain customisable reports and statistics to enhance the efficiency of border checks, to help authorities processing visa applications and to support evidence-based policymaking on migration and security in the Union.
Amendment 961 #
Proposal for a regulation
Article 58 – title
Article 58 – title
58 Transitional period applicable to the provisions on access to the common identity repositoryESP or shared BMS for law enforcement purposes
Amendment 969 #
1. The costs incurred in connection with the establishment and operation of the ESP, the shared biometric matching service, the common identity repository (CIR) and the MID shall be borne by the general budget of the Union.
Amendment 971 #
Proposal for a regulation
Article 60 – paragraph 3
Article 60 – paragraph 3
3. The costs incurred by the designated authorities referred to in Article 4(24) shall be borne, respectively, by each Member State and Europol. The costs for the connection of the designated authorities to the CIR shall be borne by each Member State and Europol, respectively.
Amendment 976 #
Proposal for a regulation
Article 62 – paragraph 1 – point c
Article 62 – paragraph 1 – point c
(c) eu-LISA has validated the technical and legal arrangements to collect and transmit the data referred to in Articles 8(1), 13, 19, 34 and 39 and have notified them to the Commission;
Amendment 979 #
Proposal for a regulation
Article 62 – paragraph 1 a (new)
Article 62 – paragraph 1 a (new)
1 a. By way of derogation from paragraph 1, the measures referred to in Article 37 shall apply as of one year after the entry into force of this Regulation.
Amendment 980 #
Proposal for a regulation
Article 63 – paragraph 2
Article 63 – paragraph 2
2. The power to adopt delegated acts referred to in Articles 8(2),9(7), 28(5) and 39(75) shall be conferred on the Commission for an indeterminate period of time from [the date of entry into force of this Regulation].
Amendment 983 #
Proposal for a regulation
Article 63 – paragraph 3
Article 63 – paragraph 3
3. The delegation of power referred to in Articles 8(2),9(7), 28(5) and 39(75) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 984 #
Proposal for a regulation
Article 63 – paragraph 6
Article 63 – paragraph 6
6. A delegated act adopted pursuant to Articles 8(2),9(7), 28(5) and 39(75) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of [two months] of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by [two months] at the initiative of the European Parliament or of the Council.
Amendment 991 #
Proposal for a regulation
Article 68 – paragraph 2
Article 68 – paragraph 2
2. By [Six months after the entry into force of this Regulation — OPOCE, please replace with the actual date] and every six months thereafter during the development phase of the interoperability components, eu-LISA shall submit a report to the European Parliament and the Council, the Council, and the European Data Protection Supervisor, on the state of play of the development of the interoperability components. Once the development is finalised, a report shall be submitted to the European Parliament and the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.
Amendment 996 #
Proposal for a regulation
Article 68 – paragraph 3
Article 68 – paragraph 3
3. For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the interoperability components without having access to any personal data processed by those components.
Amendment 1007 #
Proposal for a regulation
Article 68 – paragraph 8 – subparagraph 1 – introductory part
Article 68 – paragraph 8 – subparagraph 1 – introductory part
While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of access to data stored in the common identity repositoryEU information systems and the SIS for law enforcement purposes, containing information and statistics on: