Commission Implementing Regulation (EU) 2021/331 of 24 February 2021 on the reporting of abuses committed by commercial intermediaries providing application services for travel authorisation under Regulation (EU) 2018/1240 of the European Parliament and of the Council

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular Articles 15(5) and 16(10) thereof,

Whereas:

(1) Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (‘ETIAS’) for third-country nationals exempt from the requirement to be in the possession of a visa for the purposes of entering and staying in the territory of the Member States.

(2) To obtain the travel authorisation, the application is to be submitted by the applicant directly, or by a third person or a commercial intermediary authorised by the applicant to submit the application on his or her behalf.

(3) In the context of comparable travel authorisation systems, commercial intermediaries have been known to engage in abusive practices. Abuses may take many different forms including: attempting to mislead applicants into believing that their website is the dedicated official public website or application for mobile devices for submitting an application, thereby giving the false impression that the excess charged by the commercial intermediary is a mandatory part of the application process rather than consideration for the voluntary use of a commercial service; making fraudulent use of the personal or financial data provided by the applicant; charging an unreasonably high price for its service, or failing to request the application in the required time, format and quality on behalf of the applicant.

(4) In order to detect abusive practices and to prevent their recurrence, an online form for the reporting of abuse by commercial intermediaries should be made accessible via the dedicated public website and the application for mobile devices. In order to promote awareness of the possibility to report abuse and to facilitate such reporting, information regarding the process to be followed should be displayed visibly on the public website and the application for mobile devices. The form should contain standardised fields and request users to enter details of the abusive conduct.

(5) In order to ensure that applicants are adequately informed of the nature and purpose of the reporting facility, the form should clarify that the reporting system is for monitoring purposes, it shall not collect any personal data and does not constitute a channel for appealing decisions on applications, or as a substitute for the pursuit of remedies under administrative, civil or criminal law.

(6) The ETIAS Central Unit should receive and assess such reports, taking into account the similarities and recurrences of the abuses reported. The ETIAS Central Unit should regularly report to the Commission, as necessary, on the abuses reported and the assessments made. Account should be taken of these assessments in the development by the Commission of information campaigns referred to in Article 72 of Regulation (EU) 2018/1240. On the basis of the assessments, the ETIAS Central Unit should modify, as appropriate, the information to the general public referred to in Article 71 of Regulation (EU) 2018/1240, and in particular to the applicants.

(7) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (‘TEU’) and to the Treaty on the Functioning of the European Union (‘TFEU’), Denmark did not take part in the adoption of Regulation (EU) 2018/1240 and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen acquis, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law.

(8) This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (2); Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(9) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (3), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (4).

(10) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (5), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (6).

(11) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (7) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (8).

(12) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.

(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9) and delivered an opinion on 4 September 2020.

(14) The measures provided for in this Regulation are in accordance with the opinion of the Smart Borders Committee (ETIAS),

HAS ADOPTED THIS REGULATION:

Article 1

Form for reporting abuse

Article 2

Additional documentation

The limitations on the number and size of additional files that may be uploaded shall be set out in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 3

Notification to applicants

(a) acknowledgement of receipt of the report and confirmation of the date and time at which the form was submitted

(b) a reminder of all relevant information in relation to submitting an application for a travel authorisation as referred to in Article 71 of Regulation (EU) 2018/1240;

(c) information that the report of abuse shall be used to assist the monitoring and improving of the European Travel Information and Authorisation System. By contrast, the reporting facility is not intended to provide remedies in individual cases and is not a substitute for the pursuit of any claims in administrative, civil or criminal law that may be provided for under the applicable national law.

Article 4

Roles of the ETIAS Central Unit

(a) monitor, process and analyse all reports of abuses;

(b) publish on the dedicated public website and in the application for mobile devices relevant information in order to prevent abuses.

(a) an anonymised description of the cases of abuse reported, including similarities between the cases, recurrences, trends and characteristics;

(b) an overview of the actions taken to adapt the information to the general public and applicants.

Article 5

Specific security measures

The form to report abuses shall be designed and implemented to ensure the confidentiality, integrity, availability, protection of personal data and non-repudiation of transactions as referred to in the Commission Decision (EU, Euratom) 2017/46 (10). Its technical and organisational implementation shall meet the requirements of the European Travel Information and Authorisation System’s security plan, referred in Article 59(3) of Regulation (EU) 2018/1240, and shall comply with the rules on data protection and security applicable to the public website and the application for mobile devices referred to in Article 16(10) of Regulation (EU) 2018/1240.

Article 6

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels, 24 February 2021.

For the Commission The President Ursula VON DER LEYEN

(1) OJ L 236, 19.9.2018, p. 1.

(2) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).

(3) OJ L 176, 10.7.1999, p. 36.

(4) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).

(5) OJ L 53, 27.2.2008, p. 52.

(6) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).

(7) OJ L 160, 18.6.2011, p. 21.

(8) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).

(9) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(10) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission; OJ L 6, 11.1.2017, p. 40.