← Current text · History

Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU

Current text a fecha 2022-08-01

REGULATION (EU) 2018/1862 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 28 November 2018

on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU

CHAPTER I

General provisions

Article 1

General purpose of SIS

The purpose of SIS shall be to ensure a high level of security within the area of freedom, security and justice of the Union including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States, and to ensure the application of the provisions of Chapter 4 and Chapter 5 of Title V of Part Three TFEU relating to the movement of persons on their territories, using information communicated through this system.

Article 2

Subject matter

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘alert’ means a set of data entered into SIS allowing the competent authorities to identify a person or an object with a view to taking specific action;

(2) ‘supplementary information’ means information not forming part of the alert data stored in SIS, but connected to alerts in SIS, which is to be exchanged through the SIRENE Bureaux: (a) in order to allow Member States to consult or inform each other when entering an alert; (b) following a hit in order to allow the appropriate action to be taken; (c) when the required action cannot be taken; (d) when dealing with the quality of SIS data; (e) when dealing with the compatibility and priority of alerts; (f) when dealing with rights of access;

(3) ‘additional data’ means the data stored in SIS and connected with alerts in SIS which are to be immediately available to the competent authorities where a person in respect of whom data has been entered in SIS is located as a result of conducting a search in SIS;

(4) ‘personal data’ means personal data as defined in point 1 of Article 4 of Regulation (EU) 2016/679;

(5) ‘processing of personal data’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, logging, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(6) a ‘match’ means the occurrence of the following steps: (a) a search has been conducted in SIS by an end-user; (b) that search has revealed an alert entered into SIS by another Member State; and (c) data concerning the alert in SIS match the search data;

(7) a ‘hit’ means any match which fulfils the following criteria: (a) it has been confirmed by: (i) the end-user; or (ii) the competent authority in accordance with national procedures, where the match concerned was based on the comparison of biometric data; and (b) further actions are requested;

(8) ‘flag’ means a suspension of the validity of an alert at the national level that may be added to alerts for arrest, alerts on missing and vulnerable persons, alerts for discreet, inquiry and specific checks and to information alerts;

(9) ‘issuing Member State’ means the Member State which entered the alert into SIS;

(10) ‘executing Member State’ means the Member State which takes or has taken the required actions following a hit;

(11) ‘end-user’ means a member of staff of a competent authority authorised to search directly CS-SIS, N.SIS or a technical copy thereof;

(12) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical or physiological characteristics of a natural person, which allow or confirm the unique identification of that natural person, namely photographs, facial images, dactyloscopic data and DNA profile;

(13) ‘dactyloscopic data’ means data on fingerprints and palm prints which due to their unique character and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;

(14) ‘facial image’ means digital images of the face with sufficient image resolution and quality to be used in automated biometric matching;

(15) ‘DNA profile’ means a letter or number code which represents a set of identification characteristics of the noncoding part of an analysed human DNA sample, namely the particular molecular structure at the various DNA locations (loci);

(16) ‘terrorist offences’ means offences under national law referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council (1), or equivalent to one of those offences for the Member States which are not bound by that Directive;

(17) ‘threat to public health’ means a threat to public health as defined in point (21) of Article 2 of Regulation (EU) 2016/399 of the European Parliament and of the Council (2);

(18) ‘ESP’ means the European search portal established by Article 6(1) of Regulation (EU) 2019/818 of the European Parliament and of the Council (3);

(19) ‘shared BMS’ means the shared biometric matching service established by Article 12(1) of Regulation (EU) 2019/818;

(20) ‘CIR’ means the common identity repository established by Article 17(1) of Regulation (EU) 2019/818;

(21) ‘MID’ means the multiple-identity detector established by Article 25(1) of Regulation (EU) 2019/818;

(22) ‘third-country national’ means any person who is not a citizen of the Union within the meaning of Article 20(1) TFEU with the exception of persons who are beneficiaries of the right of free movement within the Union in accordance with Directive 2004/38/EC or in accordance with an agreement between the Union or the Union and its Member States on the one hand, and a third country on the other hand.

Article 4

Technical architecture and ways of operating SIS

SIS shall be composed of:

(a) a central system (Central SIS) composed of: (i) a technical support function (‘CS-SIS’) containing a database (the ‘SIS database’), and including a backup CS-SIS; (ii) a uniform national interface (‘NI-SIS’);

(b) a national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS, including at least one national or shared backup N.SIS;

(c) a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS (‘the Communication Infrastructure’) that provides an encrypted virtual network dedicated to SIS data and the exchange of data between SIRENE Bureaux, as referred to in Article 7(2); and

(d) a secure communication infrastructure between CS-SIS and the central infrastructures of the ESP, the shared BMS and the MID.

An N.SIS as referred to in point (b) may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. Two or more Member States may establish in one of their N.SIS a shared copy which may be used jointly by those Member States. Such shared copy shall be considered as the national copy of each of those Member States.

A shared backup N.SIS as referred to in point (b) may be used jointly by two or more Member States. In such cases, the shared backup N.SIS shall be considered as the backup N.SIS of each of those Member States. The N.SIS and its backup may be used simultaneously to ensure uninterrupted availability to end-users.

Member States intending to establish a shared copy or shared backup N.SIS to be used jointly shall agree their respective responsibilities in writing. They shall notify their arrangement to the Commission.

The Communication Infrastructure shall support and contribute to ensuring the uninterrupted availability of SIS. It shall include redundant and separated paths for the connections between CS-SIS and the backup CS-SIS and shall also include redundant and separated paths for the connections between each SIS national network access point and CS-SIS and backup CS-SIS.

CS-SIS shall provide the services necessary for the entry and processing of SIS data, including searches in the SIS database. For the Member States which use a national or shared copy, CS-SIS shall:

(a) provide online updates for the national copies;

(b) ensure synchronisation of and consistency between the national copies and the SIS database; and

(c) provide the operation for initialisation and restoration of the national copies.

Article 5

Costs

CHAPTER II

Responsibilities of the Member States

Article 6

National systems

Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS and connecting it to NI-SIS.

Each Member State shall be responsible for ensuring the uninterrupted availability of SIS data to end-users.

Each Member State shall transmit its alerts through its N.SIS.

Article 7

N.SIS Office and SIRENE Bureau

That authority shall be responsible for the smooth operation and security of the N.SIS, shall ensure the access of the competent authorities to SIS and shall take the necessary measures to ensure compliance with this Regulation. It shall be responsible for ensuring that all functionalities of SIS are made available to the end users appropriately.

Each SIRENE Bureau shall, in accordance with national law, have easy direct or indirect access to all relevant national information, including national databases and all information on its Member States' alerts, and to expert advice, in order to be able to react to requests for supplementary information swiftly and within the deadlines provided for in Article 8.

The SIRENE Bureaux shall coordinate the verification of the quality of the information entered in SIS. For those purposes they shall have access to data processed in SIS.

Article 8

Exchange of supplementary information

Requests for supplementary information with the highest priority shall be marked ‘URGENT’ in the SIRENE forms, and the reason for the urgency shall be specified.

Article 9

Technical and functional compliance

Article 10

Security — Member States

Each Member State shall, in relation to its N.SIS, adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b) deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f) prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g) ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation, by means of individual and unique user identifiers and confidential access modes only (data access control);

(h) ensure that all authorities with a right of access to SIS or to the data processing facilities create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make those profiles available to the supervisory authorities referred to in Article 69(1) without delay upon their request (personnel profiles);

(i) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when, by whom and for what purpose (input control);

(k) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m) ensure that, in the event of interruption, installed systems can be restored to normal operation (recovery); and

(n) ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity).

Article 11

Confidentiality — Member States

Article 12

Keeping of logs at national level

Member States shall ensure that every access to personal data via the ESP is also logged for the purposes of checking whether the search was lawful, monitoring the lawfulness of data processing, self-monitoring, and data integrity and security.

Article 13

Self-monitoring

Member States shall ensure that each authority entitled to access SIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.

Article 14

Staff training

That training programme may be part of a general training programme at national level encompassing training in other relevant areas.

CHAPTER III

Responsibilities of eu-LISA

Article 15

Operational management

eu-LISA shall also be responsible for the following tasks relating to the Communication Infrastructure:

(a) supervision;

(b) security;

(c) the coordination of relations between the Member States and the provider;

(d) tasks relating to implementation of the budget;

(e) acquisition and renewal; and

(f) contractual matters.

eu-LISA shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:

(a) the coordination, management and support of testing activities;

(b) the maintenance and updating of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the Communication Infrastructure; and

(c) managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.

eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.

The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.

Article 16

Security — eu-LISA

eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:

(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b) deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);

(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(e) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f) prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);

(g) ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identifiers and confidential access modes only (data access control);

(h) create profiles describing the functions and responsibilities of persons who are authorised to access the data or the data processing facilities and make those profiles available to the European Data Protection Supervisor without delay upon its request (personnel profiles);

(i) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom (input control);

(k) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);

(m) ensure that, in the event of interrupted operations, installed systems can be restored to normal operation (recovery);

(n) ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity); and

(o) ensure the security of its technical sites.

Article 17

Confidentiality — eu-LISA

Article 18

Keeping of logs at central level

The European Data Protection Supervisor shall have access to those logs on request, within the limits of its competence and for the purpose of fulfilling its tasks.

Article 18b

Keeping of logs for the purposes of interoperability with ETIAS

Logs of each data processing operation carried out within SIS and the European Travel Information and Authorisation System (ETIAS) pursuant to Article 50b of this Regulation shall be kept in accordance with Article 18 of this Regulation and Article 69 of Regulation (EU) 2018/1240 of the European Parliament and of the Council (5).

CHAPTER IV

Information to the public

Article 19

SIS information campaigns

At the start of the application of this Regulation, the Commission, in cooperation with the supervisory authorities and the European Data Protection Supervisor, shall carry out a campaign informing the public about the objectives of SIS, the data stored in SIS, the authorities having access to SIS and the rights of data subjects. The Commission shall repeat such campaigns regularly, in cooperation with the supervisory authorities and the European Data Protection Supervisor. The Commission shall maintain a website available to the public providing all relevant information concerning SIS. Member States shall, in cooperation with their supervisory authorities, devise and implement the necessary policies to inform their citizens and residents about SIS generally.

CHAPTER V

Categories of data and flagging

Article 20

Categories of data

The categories of data shall be as follows:

(a) information on persons in relation to whom an alert has been entered;

(b) information on objects referred to in Articles 26, 32, 34, 36, 37a, and 38.

Any alert in SIS which includes information on persons shall contain only the following data:

(a) surnames;

(b) forenames;

(c) names at birth;

(d) previously used names and aliases;

(e) any specific, objective, physical characteristics not subject to change;

(f) place of birth;

(g) date of birth;

(h) gender;

(i) any nationalities held;

(j) whether the person concerned: (i) is armed; (ii) is violent; (iii) has absconded or escaped; (iv) poses a risk of suicide; (v) poses a threat to public health; or (vi) is involved in an activity referred to in Articles 3 to 14 of Directive (EU) 2017/541;

(k) the reason for the alert;

(l) the authority which created the alert;

(m) a reference to the decision giving rise to the alert;

(n) the action to be taken in the case of a hit;

(o) links to other alerts pursuant to Article 63;

(p) the type of offence;

(q) the person's registration number in a national register;

(r) for alerts referred to in Article 32(1), a categorisation of the type of case;

(s) the category of the person's identification documents;

(t) the country of issue of the person's identification documents;

(u) the number(s) of the person's identification documents;

(v) the date of issue of the person's identification documents;

(w) photographs and facial images;

(x) in accordance with Article 42(3), relevant DNA profiles;

(y) dactyloscopic data;

(z) a copy of the identification documents, in colour wherever possible.

Article 21

Proportionality

Article 22

Requirement for an alert to be entered

Article 23

Compatibility of alerts

If a person is subject to multiple alerts entered by different Member States, alerts for arrest entered in accordance with Article 26 shall be executed as a priority, subject to Article 25.

Article 24

General provisions on flagging

Article 25

Flagging related to alerts for arrest for surrender purposes

A Member State may also require that a flag be added to the alert if its competent judicial authority releases the subject of the alert during the surrender process.

CHAPTER VI

Alerts on persons wanted for arrest for surrender or extradition purposes

Article 26

Objectives and conditions for entering alerts

In the case of an ongoing operation, the issuing Member State may temporarily make an existing alert for arrest entered in accordance with this Article unavailable for searching by the end-users in the Member States involved in the operation. In such cases the alert shall only be accessible to the SIRENE Bureaux. Member States shall only make an alert unavailable if:

(a) the purpose of the operation cannot be achieved by other measures;

(b) a prior authorisation has been granted by the competent judicial authority of the issuing Member State; and

(c) all Member States involved in the operation have been informed through the exchange of supplementary information.

The functionality provided for in the first subparagraph shall only be used for a period not exceeding 48 hours. However, if operationally necessary, it may be extended by further periods of 48 hours. Member States shall keep statistics on the number of alerts in relation to which this functionality has been used.

Article 27

Additional data on persons wanted for arrest for surrender purposes

A Member State may enter the copy of more than one European Arrest Warrant in an alert for arrest for surrender purposes.

Article 28

Supplementary information on persons wanted for arrest for surrender purposes

The issuing Member State of an alert for arrest for surrender purposes shall communicate the information referred to in Article 8(1) of Framework Decision 2002/584/JHA to the other Member States through the exchange of supplementary information.

Article 29

Supplementary information on persons wanted for arrest for extradition purposes

The issuing Member State of an alert for extradition purposes shall communicate the following data to all other Member States through the exchange of supplementary information:

(a) the authority which issued the request for arrest;

(b) whether there is an arrest warrant or a document having the same legal effect, or an enforceable judgment;

(c) the nature and legal classification of the offence;

(d) a description of the circumstances in which the offence was committed, including the time, place and the degree of participation in the offence by the person on whom the alert has been entered;

(e) insofar as possible, the consequences of the offence; and

(f) any other information useful or necessary for the execution of the alert.

Article 30

Conversion of an action to be taken concerning alerts for arrest for surrender or extradition purposes

Where an arrest cannot be made, either because the Member State requested to do so refuses to make it in accordance with the procedures on flagging set out in Article 24 or 25, or because, in the case of an alert for arrest for extradition purposes, an investigation has not been completed, the Member State requested to make the arrest shall act on the alert by communicating the whereabouts of the person concerned.

Article 31

Execution of an action based on an alert for arrest for surrender or extradition purposes

CHAPTER VII

Alerts on missing persons or vulnerable persons who need to be prevented from travelling

Article 32

Objectives and conditions for entering alerts

Alerts on the following categories of persons shall be entered in SIS at the request of the competent authority of the issuing Member State:

(a) missing persons who need to be placed under protection: (i) for their own protection; (ii) in order to prevent a threat to public order or public security;

(b) missing persons who do not need to be placed under protection;

(c) children at risk of abduction by a parent, a family member or a guardian, who need to be prevented from travelling;

(d) children who need to be prevented from travelling owing to a concrete and apparent risk of them being removed from or leaving the territory of a Member State and: (i) becoming victims of trafficking in human beings, or of forced marriage, female genital mutilation or other forms of gender-based violence; (ii) becoming victims of or involved in terrorist offences; or (iii) becoming conscripted or enlisted into armed groups or being made to participate actively in hostilities;

(e) vulnerable persons who are of age and who need to be prevented from travelling for their own protection owing to a concrete and apparent risk of them being removed from or leaving the territory of a Member State and becoming victims of trafficking in human beings or gender-based violence.

The issuing Member State shall ensure all of the following:

(a) that the data it enters in SIS indicate which of the categories referred to in paragraph 1 the person concerned by the alert falls into;

(b) that the data it enters in SIS indicate which type of case is involved, wherever the type of case is known; and

(c) that, in relation to alerts entered in accordance with points (c), (d) and (e) of paragraph 1, its SIRENE Bureau has all relevant information at its disposal at the time of the creation of the alert.

The Commission shall also adopt implementing acts to lay down and develop technical rules necessary for entering, updating, deleting and searching the data referred to in paragraph 8.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 76(2).

Article 33

Execution of action based on an alert

CHAPTER VIII

Alerts on persons sought to assist with a judicial procedure

Article 34

Objectives and conditions for entering alerts

For the purposes of communicating the place of residence or domicile of persons, Member States shall, at the request of a competent authority, enter into SIS alerts on:

(a) witnesses;

(b) persons summoned or persons sought to be summoned to appear before the judicial authorities in connection with criminal proceedings in order to account for acts for which they are being prosecuted;

(c) persons who are to be served with a criminal judgment or other documents in connection with criminal proceedings in order to account for acts for which they are being prosecuted;

(d) persons who are to be served with a summons to report in order to serve a penalty involving a deprivation of liberty.

Article 35

Execution of the action based on an alert

Requested information shall be communicated to the issuing Member State through the exchange of supplementary information.

CHAPTER IX

Alerts on persons and objects for discreet checks, inquiry checks or specific checks

Article 36

Objectives and conditions for entering alerts

Alerts on persons for discreet checks, inquiry checks or specific checks may be entered for the purposes of preventing, detecting, investigating or prosecuting criminal offences, executing a criminal sentence and preventing threats to public security in one or more of the following circumstances:

(a) where there is a clear indication that a person intends to commit or is committing any of the offences referred to in Article 2(1) and (2) of the Framework Decision 2002/584/JHA;

(b) where the information referred to in Article 37(1) is necessary for the execution of a custodial sentence or detention order regarding a person convicted of any of the offences referred to in Article 2(1) and (2) of the Framework Decision 2002/584/JHA;

(c) where an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to believe that that person may commit the offences referred to in Article 2(1) and 2(2) of the Framework Decision 2002/584/JHA in the future.

Article 37

Execution of the action based on an alert

For the purposes of discreet checks, inquiry checks or specific checks, the executing Member State shall collect and communicate to the issuing Member State all or some of the following information:

(a) the fact that the person who is the subject of an alert has been located, or that objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment which are the subject of an alert have been located;

(b) the place, time and reason for the check;

(c) the route of the journey and destination;

(d) the persons accompanying the subject of the alert or the occupants of the vehicle, boat or aircraft, or the persons accompanying the holder of the blank official document or issued identity document who can reasonably be expected to be associated with the subject of the alert;

(e) any identity revealed and any personal description of the person using the blank official document or issued identity document that is the subject of the alert;

(f) the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or non-cash means of payment used;

(g) objects carried, including travel documents;

(h) the circumstances in which the person, the objects referred to in points (a), (b), (c), (e), (g), (h), (j), (k) and (l) of Article 38(2) or the non-cash means of payment were located;

(i) any other information being sought by the issuing Member State in accordance with Article 36(2).

If the information referred to in point (i) of the first subparagraph of this paragraph relates to special categories of personal data referred to in Article 10 of Directive (EU) 2016/680, it shall be processed in accordance with the conditions set out in that Article and only if it supplements other personal data processed for the same purpose.

CHAPTER IXa

Information alerts on third-country nationals in the interest of the Union

Article 37a

Objectives and conditions for entering alerts

Europol shall propose that information alerts be entered into SIS only in the following cases and provided that it has verified that the conditions set out in paragraph 4 are fulfilled:

(a) where there is a factual indication that a person intends to commit or is committing any of the offences referred to in paragraph 2;

(b) where an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to believe that that person may commit an offence referred to in paragraph 2.

Europol shall propose that information alerts be entered into SIS only after it has established that the information alert is necessary and justified, by ensuring that both of the following conditions are fulfilled:

(a) an analysis of the information provided in accordance with Article 17(1)(b) of Regulation (EU) 2016/794 confirmed the reliability of the source of information as well as the accuracy of the information on the person concerned, permitting Europol to determine, where necessary, after having carried out further exchanges of information with the data provider in accordance with Article 25 of Regulation (EU) 2016/794, that at least one of the cases set out in paragraph 3 applies;

(b) a search in SIS, carried out in accordance with Article 48 of this Regulation, did not disclose the existence of an alert on the person concerned.

Where Europol has relevant additional or modified data in relation to its proposal to enter an information alert, or where Europol has evidence suggesting that the data included in its proposal to enter an information alert are factually incorrect or have been unlawfully stored, it shall inform the Member States without delay.

For the purposes of the first subparagraph, Member States shall put in place a periodic reporting mechanism.

Article 37b

Execution of the action based on an information alert

In the event of a hit on an information alert, the executing Member State shall collect and communicate to the issuing Member State all or some of the following information:

(a) the fact that the person who is the subject of an information alert has been located;

(b) the place, time and reason for the check;

(c) the route of the journey and destination;

(d) the persons accompanying the subject of the information alert who can reasonably be expected to be associated with the subject of the information alert;

(e) objects carried, including travel documents;

(f) the circumstances in which the person was located.

CHAPTER X

Alerts on objects for seizure or use as evidence in criminal proceedings

Article 38

Objectives and conditions for entering alerts

Alerts shall be entered on the following categories of readily identifiable objects:

(a) motor vehicles regardless of the propulsion system;

(b) trailers with an unladen weight exceeding 750 kg;

(c) caravans;

(d) industrial equipment;

(e) boats;

(f) boat engines;

(g) containers;

(h) aircraft;

(i) aircraft engines;

(j) firearms;

(k) blank official documents which have been stolen, misappropriated, lost or purport to be such a document but are false;

(l) issued identity documents, such as passports, identity cards, residence permits, travel documents and driving licences which have been stolen, misappropriated, lost or invalidated or purport to be such a document but are false;

(m) vehicle registration certificates and vehicle number plates which have been stolen, misappropriated, lost or invalidated or purport to be such a document or plate but are false;

(n) banknotes (registered notes) and false banknotes;

(o) items of information technology;

(p) identifiable component parts of motor vehicles;

(q) identifiable component parts of industrial equipment;

(r) other identifiable objects of high value, as defined in accordance with paragraph 3.

With regard to the documents referred to in points (k), (l) and (m), the issuing Member State may specify whether such documents are stolen, misappropriated, lost, invalid or false.

Article 39

Execution of the action based on an alert

CHAPTER XI

Alerts on unknown wanted persons for the purposes of identification under national law

Article 40

Alerts on unknown wanted persons for the purposes of identification under national law

Member States may enter into SIS alerts on unknown wanted persons containing only dactyloscopic data. Those dactyloscopic data shall be either complete or incomplete sets of fingerprints or palm prints discovered at the scenes of terrorist offences or other serious crimes under investigation. They shall only be entered into SIS where it can be established to a very high degree of probability that they belong to a perpetrator of the offence.

If the competent authority of the issuing Member State cannot establish the identity of the suspect on the basis of data from any other relevant national, Union or international database, the dactyloscopic data referred to in the first subparagraph may only be entered in this category of alerts as ‘unknown wanted person’ for the purpose of identifying such a person.

Article 41

Execution of the action based on an alert

In the event of a hit with the data entered pursuant to Article 40, the identity of the person shall be established in accordance with national law, together with expert verification that the dactyloscopic data in SIS belong to the person. The executing Member States shall communicate information on the identity and the whereabouts of the person to the issuing Member State through the exchange of supplementary information in order to facilitate timely investigation of the case.

CHAPTER XII

Specific rules for biometric data

Article 42

Specific rules for entering photographs, facial images, dactyloscopic data and DNA profiles

Article 43

Specific rules for verification or search with photographs, facial images, dactyloscopic data and DNA profiles

Before this functionality is implemented in SIS, the Commission shall present a report on the availability, readiness and reliability of the required technology. The European Parliament shall be consulted on the report.

After the start of the use of the functionality at regular border crossing points, the Commission shall be empowered to adopt delegated acts in accordance with Article 75 to supplement this Regulation concerning the determination of other circumstances in which photographs and facial images may be used to identify persons.

CHAPTER XIII

Right of access and review of alerts

Article 44

National competent authorities having a right to access data in SIS

National competent authorities shall have access to data entered in SIS and the right to search such data directly or in a copy of the SIS database for the purposes of:

(a) border control, in accordance with Regulation (EU) 2016/399;

(b) police and customs checks carried out within the Member State concerned, and the coordination of such checks by designated authorities;

(c) the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties, within the Member State concerned, provided that Directive (EU) 2016/680 applies;

(d) examining the conditions and taking decisions related to the entry and stay of third-country nationals on the territory of the Member States, including on residence permits and long-stay visas, and to the return of third-country nationals, as well as carrying out checks on third country nationals who are illegally entering or staying on the territory of the Member States;

(e) security checks on third-country nationals who apply for international protection, insofar as authorities performing the checks are not ‘determining authorities’ as defined in point (f) of Article 2 of Directive 2013/32/EU of the European Parliament and of the Council (6), and, where relevant, providing advice in accordance with Council Regulation (EC) No 377/2004 (7);

(f) verifying different identities and combating identity fraud in accordance with Chapter V of Regulation (EU) 2019/818;

(h) the manual processing of ETIAS applications by the ETIAS National Unit, pursuant to Article 8 of Regulation (EU) 2018/1240.

Article 45

Vehicle registration services

Access to the data by the services referred to in first subparagraph shall be governed by the national law and shall be limited to the specific competence of the services concerned.

Article 46

Registration services for boats and aircraft

The services in the Member States responsible for issuing registration certificates or ensuring traffic management for boats, including boat engines, and aircraft, including aircraft engines, shall have access to the following data entered into SIS in accordance with Article 38(2), for the sole purpose of checking whether boats, including boat engines, and aircraft, including aircraft engines, presented to them for registration or subject to traffic management have been stolen, misappropriated, lost or are sought as evidence in criminal proceedings:

(a) data on boats;

(b) data on boat engines;

(c) data on aircraft;

(d) data on aircraft engines.

Access to the data by the services referred to in first subparagraph shall be governed by the national law and shall be limited to the specific competence of the services concerned.

Article 47

Registration services for firearms

Article 48

Access to data in SIS by Europol

Europol shall:

(a) without prejudice to paragraphs 4 and 6, not connect parts of SIS nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS;

(b) notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c) limit access to data in SIS, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d) adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e) ensure that its staff who are authorised to process SIS data receive appropriate training and information in accordance with Article 14(1); and

(f) without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS and in the exchange and processing of supplementary information.

Member States shall inform Europol through the exchange of supplementary information of:

(a) any hit on information alerts entered into SIS under Article 37a;

(b) when the person who is the subject of the information alert has been located in the territory of the issuing Member State in accordance with Article 37b(3); and

(c) any hit on alerts related to terrorist offences which are not entered into SIS under Article 37a.

Member States may exceptionally not inform Europol of hits on alerts under point (c) of this paragraph if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

Article 49

Access to data in SIS by Eurojust

Article 49a

Access to data in SIS by the ETIAS Central Unit

Article 50

Access to data in SIS by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

Article 50b

Interoperability with ETIAS

Article 51

Evaluation of the use of SIS by Europol, Eurojust and the European Border and Coast Guard Agency

Article 52

Scope of access

End-users, including Europol, the national members of Eurojust and their assistants and the members of the teams referred to in points (8) and (9) of Article 2 of Regulation (EU) 2016/1624, shall only access data which they require for the performance of their tasks.

Article 53

Review period for alerts on persons

Article 54

Review period for alerts on objects

CHAPTER XIV

Deletion of alerts

Article 55

Deletion of alerts

Alerts on missing persons or vulnerable persons who need to be prevented from travelling pursuant to Article 32 shall be deleted in accordance with the following rules:

(a) concerning missing children and children at risk of abduction, an alert shall be deleted upon: (i) the resolution of the case, such as when the child has been located or repatriated or the competent authorities in the executing Member State have taken a decision on the care of the child; (ii) the expiry of the alert in accordance with Article 53; or (iii) a decision by the competent authority of the issuing Member State;

(b) concerning missing adults, where no protective measures are requested, an alert shall be deleted upon: (i) the execution of the action to be taken, where their whereabouts are ascertained by the executing Member State; (ii) the expiry of the alert in accordance with Article 53; or (iii) a decision by the competent authority of the issuing Member State;

(c) concerning missing adults where protective measures are requested, an alert shall be deleted upon: (i) the carrying out of the action to be taken, where the person is placed under protection; (ii) the expiry of the alert in accordance with Article 53; or (iii) a decision by the competent authority of the issuing Member State;

(d) concerning vulnerable persons who are of age who need to be prevented from travelling for their own protection and children who need to be prevented from travelling, an alert shall be deleted upon: (i) the carrying out of the action to be taken such as the person's placement under protection; (ii) the expiry of the alert in accordance with Article 53; or (iii) a decision by the competent authority of the issuing Member State.

Without prejudice to the national law, where a person has been institutionalised following a decision by a competent authority an alert may be retained until that person has been repatriated.

Alerts on persons sought for a judicial procedure pursuant to Article 34 shall be deleted upon:

(a) the communication of the whereabouts of the person to the competent authority of the issuing Member State;

(b) the expiry of the alert in accordance with Article 53; or

(c) a decision by the competent authority of the issuing Member State.

Where the information in the communication referred to in point (a) cannot be acted upon, the SIRENE Bureau of the issuing Member State shall inform the SIRENE Bureau of the executing Member State in order to resolve the problem.

In the event of a hit where the address details were forwarded to the issuing Member State and a subsequent hit in the same executing Member State reveals the same address details, the hit shall be recorded in the executing Member State but neither the address details nor supplementary information shall be resent to the issuing Member State. In such cases the executing Member State shall inform the issuing Member State of the repeated hits and the issuing Member State shall carry out a comprehensive individual assessment of the need to retain the alert.

Alerts for discreet, inquiry and specific checks pursuant to Article 36, shall be deleted upon:

(a) the expiry of the alert in accordance with Article 53; or

(b) a decision to delete them by the competent authority of the issuing Member State.

Information alerts pursuant to Article 37a shall be deleted upon:

(a) the expiry of the alert in accordance with Article 53; or

(b) a decision to delete them by the competent authority of the issuing Member State, including where appropriate upon a proposal by Europol.

Alerts on objects for seizure or use as evidence in criminal proceedings pursuant to Article 38, shall be deleted upon:

(a) the seizure of the object or equivalent measure once the necessary follow-up exchange of supplementary information has taken place between the SIRENE Bureaux concerned or the object becomes the subject of another judicial or administrative procedure;

(b) the expiry of the alert in accordance with Article 53; or

(c) a decision to delete them by the competent authority of the issuing Member State.

Alerts on unknown wanted persons pursuant to Article 40 shall be deleted upon:

(a) the identification of the person;

(b) the expiry of the alert in accordance with Article 53; or

(c) a decision to delete them by the competent authority of the issuing Member State.

CHAPTER XV

General data processing rules

Article 56

Processing of SIS data

Member States shall keep an up-to-date inventory of those copies, make that inventory available to their supervisory authorities, and ensure that this Regulation, in particular Article 10, is applied in respect of those copies.

Article 57

SIS data and national files

Article 58

Information in the case of non-execution of an alert

If a requested action cannot be performed, the Member State from which action is requested shall immediately inform the issuing Member State through the exchange of supplementary information.

Article 59

Quality of the data in SIS

Article 60

Security incidents

Article 61

Distinguishing between persons with similar characteristics

Article 62

Additional data for the purpose of dealing with misused identities

Data relating to a person whose identity has been misused shall be used only for the following purposes:

(a) to allow the competent authority to distinguish the person whose identity has been misused from the person intended to be the subject of the alert; and

(b) to allow the person whose identity has been misused to prove his or her identity and to establish that his or her identity has been misused.

For the purpose of this Article, and subject to the explicit consent of the person whose identity has been misused for each data category, only the following personal data of the person whose identity has been misused may be entered and further processed in SIS:

(a) surnames;

(b) forenames;

(c) names at birth;

(d) previously used names and any aliases possibly entered separately;

(e) any specific objective and physical characteristic not subject to change;

(f) place of birth;

(g) date of birth;

(h) gender;

(i) photographs and facial images;

(j) fingerprints, palm prints or both;

(k) any nationalities held;

(l) the category of the person's identification documents;

(m) the country of issue of the person's identification documents;

(n) the number(s) of the person's identification documents;

(o) the date of issue of a person's identification documents;

(p) address of the person;

(q) person's father's name;

(r) person's mother's name.

Article 63

Links between alerts

Article 64

Purpose and retention period of supplementary information

Article 65

Transfer of personal data to third parties

Data processed in SIS and the related supplementary information exchanged pursuant to this Regulation shall not be transferred or made available to third countries or to international organisations.

CHAPTER XVI

Data protection

Article 66

Applicable legislation

Article 67

Right of access, rectification of inaccurate data and erasure of unlawfully stored data

A Member State shall take a decision not to provide information to the data subject, in whole or in part, in accordance with national law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned, in order to:

(a) avoid obstructing official or legal inquiries, investigations or procedures;

(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c) protect public security;

(d) protect national security; or

(e) protect the rights and freedoms of others.

In cases referred to in the first subparagraph, the Member State shall inform the data subject in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the data subject of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.

The Member State shall document the factual or legal reasons on which the decision not to provide information to the data subject is based. That information shall be made available to the supervisory authorities.

For such cases, the data subject shall also be able to exercise his or her rights through the competent supervisory authorities.

Article 68

Remedies

Member States shall report annually to the European Data Protection Board on:

(a) the number of access requests submitted to the data controller and the number of cases where access to the data was granted;

(b) the number of access requests submitted to the supervisory authority and the number of cases where access to the data was granted;

(c) the number of requests for the rectification of inaccurate data and for the erasure of unlawfully stored data to the data controller and the number of cases where the data were rectified or erased;

(d) the number of requests for the rectification of inaccurate data and the erasure of unlawfully stored data submitted to the supervisory authority;

(e) the number of court proceedings initiated;

(f) the number of cases where the court ruled in favour of the applicant;

(g) any observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts entered by the issuing Member State.

A template for the reporting referred to in this paragraph shall be developed by the Commission.

Article 69

Supervision of N.SIS

Article 70

Supervision of eu-LISA

Article 71

Cooperation between supervisory authorities and the European Data Protection Supervisor

CHAPTER XVII

Liability and penalties

Article 72

Liability

Without prejudice to the right to compensation and to any liability under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:

(a) any person or Member State that has suffered material or non-material damage, as a result of an unlawful personal data processing operation through the use of N.SIS or any other act incompatible with this Regulation by a Member State, shall be entitled to receive compensation from that Member State; and

(b) any person or Member State that has suffered material or non-material damage as a result of any act by eu-LISA incompatible with this Regulation shall be entitled to receive compensation from eu-LISA.

A Member State or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

Article 73

Penalties

Member States shall ensure that any misuse of SIS data or any processing of such data or any exchange of supplementary information contrary to this Regulation, is punishable in accordance with national law.

The penalties provided for shall be effective, proportionate and dissuasive.

CHAPTER XVIII

Final provisions

Article 74

Monitoring and statistics

In order to monitor the implementation of Union legal acts, including for the purposes of Regulation (EU) No 1053/2013, the Commission may request that eu-LISA provide additional specific statistical reports, either on a regular or ad hoc basis, on the performance of SIS, the use of SIS and on the exchange of supplementary information.

The European Border and Coast Guard Agency may request that eu-LISA provide additional specific statistical reports for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 11 and 13 of Regulation (EU) 2016/1624, either on a regular or ad hoc basis.

eu-LISA shall allow the Commission and the bodies referred to in paragraph 6 of this Article to obtain bespoke reports and statistics. Upon request, eu-LISA shall grant access to the central repository for reporting and statistics in accordance with Article 39 of Regulation (EU) 2019/818 to Member States, the Commission, Europol, and the European Border and Coast Guard Agency.

The Commission shall transmit the evaluation report to the European Parliament and to the Council.

Article 75

Exercise of the delegation

Article 76

Committee procedure

Article 77

Amendments to Decision 2007/533/JHA

Decision 2007/533/JHA is amended as follows:

(1) Article 6 is replaced by the following: ‘Article 6 National Systems

1.

Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS II and connecting it to NI-SIS.

2.

Each Member State shall be responsible for ensuring the uninterrupted availability of SIS II data to end-users.’;

(2) Article 11 is replaced by the following: ‘Article 11 Confidentiality — Member States

1.

Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS II data and supplementary information, in accordance with its national legislation. This obligation shall also apply after those people leave office or employment or after the termination of the activities of those bodies.

2.

Where a Member State cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Decision, in particular on security, confidentiality and data protection.

3.

The operational management of N.SIS II or of any technical copies shall not be entrusted to private companies or private organisations.’;

(3) Article 15 is amended as follows: (a) the following paragraph is inserted: ‘3a. The Management Authority shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard. The Management Authority shall provide a regular report to the Commission covering the issues encountered and the Member States concerned. The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.’; (b) paragraph 8 is replaced by the following: ‘8. The operational management of Central SIS II shall consist of all the tasks necessary to keep Central SIS II functioning 24 hours a day, 7 days a week in accordance with this Decision, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS II and the N.SIS II that ensure that Central SIS II and the N.SIS II operate in accordance with the requirements for technical compliance set out in Article 9.’;

(4) in Article 17, the following paragraphs are added: ‘3. Where the Management Authority cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Decision, in particular on security, confidentiality and data protection.

4.

The operational management of CS-SIS shall not be entrusted to private companies or private organisations.’;

(5) in Article 21, the following paragraph is added: ‘Where a person or an object is sought under an alert related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS II. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.’;

(6) Article 22 is replaced by the following: ‘Article 22 Specific rules for entering, verification or search with photographs and fingerprints

1.

Photographs and fingerprints shall only be entered following a special quality check to ascertain whether they fulfil minimum data quality standards. The specification of the special quality check shall be established in accordance with the procedure referred to in Article 67.

2.

Where photographs and fingerprint data are available in an alert in SIS II, such photographs and fingerprint data shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS II.

3.

Fingerprint data may be searched in all cases to identify a person. However, fingerprint data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS II shall contain an Automated Fingerprint Identification System (AFIS).

4.

Fingerprint data in SIS II in relation to alerts entered in accordance with Articles 26, 32 and 36 may also be searched using complete or incomplete sets of fingerprints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.’;

(7) Article 41 is replaced by the following: ‘Article 41 Access to data in SIS II by Europol

1.

The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the Council (*1), shall, where necessary to fulfil its mandate, have the right to access and search data in SIS II. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2.

Where a search by Europol reveals the existence of an alert in SIS II, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3.

Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4.

Europol's use of information obtained from a search in SIS II or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5.

Europol shall:

(a) without prejudice to paragraphs 4 and 6, not connect parts of SIS II nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS II; (b) notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it; (c) limit access to data in SIS II, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks; (d) adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13; (e) ensure that its staff who are authorised to process SIS II data receive appropriate training and information in accordance with Article 14; and (f) without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS II and in the exchange and processing of supplementary information.

6.

Europol shall only copy data from SIS II for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Decision shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS II data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS II data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS II into other Europol systems.

7.

For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS II.

8.

Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9.

Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

(8) the following Article is inserted: ‘Article 42a Access to data in SIS II by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1.

In accordance with Article 40(8) of Regulation (EU) 2016/1624 of the European Parliament and of the Council (*2), the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 40(1) of this Decision and have received the required training in accordance with Article 14 of this Decision, have the right to access and search data in SIS II insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS II shall not be extended to any other team members.

2.

Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS II in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS II.

3.

Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS II, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS II under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4.

For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12.

5.

The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6.

Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7.

Without prejudice to paragraph 2, no parts of SIS II shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS II to which those teams have access be transferred to such a system. No part of SIS II shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS II data.

8.

The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS II. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council (*3).

Article 78

Repeal

Regulation (EC) No 1986/2006 and Decisions 2007/533/JHA and 2010/261/EU are repealed from the date of application of this Regulation as set out in the first subparagraph of Article 79(5).

References to the repealed Regulation (EC) No 1986/2006 and Decision 2007/533/JHA shall be construed as references to this Regulation and shall be read in accordance with the correlation tables in the Annex.

Article 79

Entry into force, start of operation and application

No later than 28 December 2021 the Commission shall adopt a decision setting the date on which SIS operations start pursuant to this Regulation, after verification that the following conditions have been met:

(a) the implementing acts necessary for the application of this Regulation have been adopted;

(b) Member States have notified the Commission that they have made the necessary technical and legal arrangements to process SIS data and exchange supplementary information pursuant to this Regulation; and

(c) eu-LISA has notified the Commission of the successful completion of all testing activities with regard to CS-SIS and to the interaction between CS-SIS and N.SIS.

By way of derogation from the first subparagraph:

(a) Article 4(4), Article 5, Article 8(4), Article 9(1) and (5), Article 12(8), Article 15(7), Article 19, Article 20(4) and (5), Article 26(6), Article 32(9), Article 34(3), Article 36(6), Article 38(3) and (4), Article 42(5), Article 43(4), Article 54(5), Article 62(4), Article 63(6), Article 74(7) and (10), Article 75, Article 76, points (1) to (5) of Article 77, and paragraphs 3 and 4 of this Article shall apply from the date of entry into force of this Regulation;

(b) points (7) and (8) of Article 77 shall apply from 28 December 2019;

(c) point 6 of Article 77 shall apply from 28 December 2020.

The Commission shall adopt a decision setting the date from which Member States may start entering, updating and deleting information alerts in SIS in accordance with Article 37a of this Regulation, after verification that the following conditions have been met:

(a) the implementing acts adopted pursuant to this Regulation have been amended to the extent necessary for the application of this Regulation as amended by Regulation (EU) 2022/1190 of the European Parliament and of the Council (10) ;

(b) Member States and Europol have notified the Commission that they have made the necessary technical and procedural arrangements to process SIS data and exchange supplementary information pursuant to this Regulation as amended by Regulation (EU) 2022/1190;

(c) eu-LISA has notified the Commission of the successful completion of all testing activities with regard to CS-SIS and to the interaction between CS-SIS and N.SIS.

That Commission decision shall be published in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

ANNEX

CORRELATION TABLE

Decision 2007/533/JHA This Regulation
Article 1 Article 1
Article 2 Article 2
Article 3 Article 3
Article 4 Article 4
Article 5 Article 5
Article 6 Article 6
Article 7 Article 7
Article 8 Article 8
Article 9 Article 9
Article 10 Article 10
Article 11 Article 11
Article 12 Article 12
Article 13 Article 13
Article 14 Article 14
Article 15 Article 15
Article 16 Article 16
Article 17 Article 17
Article 18 Article 18
Article 19 Article 19
Article 20 Article 20
Article 21 Article 21
Article 22 Articles 42 and 43
Article 23 Article 22
Article 23
Article 24 Article 24
Article 25 Article 25
Article 26 Article 26
Article 27 Article 27
Article 28 Article 28
Article 29 Article 29
Article 30 Article 30
Article 31 Article 31
Article 32 Article 32
Article 33 Article 33
Article 34 Article 34
Article 35 Article 35
Article 36 Article 36
Article 37 Article 37
Article 38 Article 38
Article 39 Article 39
Article 40
Article 41
Article 40 Article 44
Article 45
Article 46
Article 47
Article 41 Article 48
Article 42 Article 49
Article 51
Article 42a Article 50
Article 43 Article 52
Article 44 Article 53
Article 45 Article 54
Article 55
Article 46 Article 56
Article 47 Article 57
Article 48 Article 58
Article 49 Article 59
Article 60
Article 50 Article 61
Article 51 Article 62
Article 52 Article 63
Article 53 Article 64
Article 54 Article 65
Article 55
Article 56
Article 57 Article 66
Article 58 Article 67
Article 59 Article 68
Article 60 Article 69
Article 61 Article 70
Article 62 Article 71
Article 63
Article 64 Article 72
Article 65 Article 73
Article 66 Article 74
Article 75
Article 67 Article 76
Article 68
Article 77
Article 69
Article 78
Article 70
Article 71 Article 79
Regulation (EC) No 1986/2006 This Regulation
--- ---
Articles 1, 2 and 3 Article 45

(1) Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

(2) Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p. 1).

(3) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85).

(4) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).

(5) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).

(6) Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).

(7) Council Regulation (EC) No 377/2004 of 19 February 2004 on the creation of an immigration liaison officers network (OJ L 64, 2.3.2004, p. 1).

(8) Council Directive 1999/37/EC of 29 April 1999 on the registration documents for vehicles (OJ L 138, 1.6.1999, p. 57).

(9) Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).

(*1) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).’;

(*2) Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1).

(*3) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).’.

(10) Regulation (EU) 2022/1190 of the European Parliament and of the Council of 6 July 2022 amending Regulation (EU) 2018/1862 as regards the entry of information alerts into the Schengen Information System (SIS) on third-country nationals in the interest of the Union (OJ L 185, 12.7.2022, p. 1).