Regulation (EU) 2017/2226 of the European Parliament and of the CouncilShow full title

CHAPTER VIU.K. DEVELOPMENT, OPERATION AND RESPONSIBILITIES

Article 36U.K.Adoption of implementing acts by the Commission prior to development

The Commission shall adopt the implementing acts necessary for the development and technical implementation [F1of the EES Central System and the CIR], the NUIs, the Communication Infrastructure, the web service referred to in Article 13 and the data repository referred to in Article 63(2), in particular measures for:

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).

For the adoption of the implementing acts set out in point (i) of the first paragraph of this Article, the Committee set up by Article 68 of this Regulation shall consult the VIS Committee set up by Article 49 of Regulation (EC) No 767/2008.

Article 37U.K.Development and operational management

[F11. eu-LISA shall be responsible for the development of the EES Central System and the CIR, the NUIs, the Communication Infrastructure and the Secure Communication Channel between the EES Central System and the VIS Central System. eu-LISA shall also be responsible for the development of the web service referred to in Article 13 in accordance with the detailed rules referred to in Article 13(7) and the specifications and conditions adopted pursuant to point (h) of the first paragraph of Article 36 and for the development of the data repository referred to in Article 63(2).]

eu-LISA shall define the design of the physical architecture of the EES including its Communication Infrastructure, as well as the technical specifications and their evolution regarding the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 of this Regulation and the data repository referred to in Article 63(2) of this Regulation. Those technical specifications shall be adopted by eu-LISA’s Management Board, subject to a favourable opinion of the Commission. eu-LISA shall also implement any necessary adaptations to the VIS deriving from the establishment of interoperability with the EES as well as from the implementation of the amendments to Regulation (EC) No 767/2008 set out in Article 61 of this Regulation.

eu-LISA shall develop and implement the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 and the data repository referred to Article 63(2) as soon as possible after the adoption by the Commission of the measures provided for in Article 36.

The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

When developing, and when implementing, the EES Central System, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 and the data repository referred to in Article 63(2), the tasks of eu–LISA shall also be to:

(a)perform a security risk assessment;

(b)follow the principles of privacy by design and by default during the entire lifecycle of the development of the EES;

(c)conduct a security risk assessment regarding the interoperability with the VIS referred to in Article 8 and assess the required security measures needed for the implementation of the interoperability with the VIS.

2.During the designing and development phase, a Programme Management Board composed of a maximum of ten members shall be established. It shall be composed of seven members appointed by eu-LISA’s Management Board from among its members or alternate members, the Chair of the EES Advisory Group referred to in Article 69, a member representing eu-LISA appointed by its Executive Director and one member appointed by the Commission. The members appointed by eu-LISA’s Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA and which comply with the conditions set out in Article 66(2).

The Programme Management Board shall meet regularly and at least three times per quarter. It shall ensure the adequate management of the design and development phase of the EES and ensure the consistency between central and national EES projects.

The Programme Management Board shall submit written reports every month to eu-LISA’s Management Board on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of eu-LISA’s Management Board.

eu-LISA’s Management Board shall establish the rules of procedure of the Programme Management Board which shall include in particular rules on:

(a)its chairmanship;

(b)meeting venues;

(c)the preparation of meetings;

(d)the admission of experts to meetings;

(e)communication plans ensuring full information to non-participating members of eu-LISA’s Management Board.

The chairmanship of the Programme Management Board shall be held by a Member State which is fully bound under Union law by the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA.

All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA and Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. eu-LISA shall provide the Programme Management Board with a secretariat.

During the designing and development phase, the EES Advisory Group referred to in Article 69 shall be composed of national EES project managers and chaired by eu-LISA. It shall meet regularly and at least three times per quarter until the start of operations of the EES. It shall report after each meeting to the Programme Management Board. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow-up on the state of preparation of the Member States.

[F13. eu-LISA shall be responsible for the operational management of the EES Central System and the CIR, the NUIs and the Secure Communication Channel between the EES Central System and the VIS Central System. It shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for the EES Central System and the CIR, the NUIs, the Communication Infrastructure, the Secure Communication Channel between the EES Central System and the VIS Central System, the web service referred to in Article 13 and the data repository referred to in Article 63(2). eu-LISA shall also be responsible for the operational management of the Communication Infrastructure between the EES Central System and the NUIs, for the web service referred to in Article 13 and the data repository referred to in Article 63(2).]

Operational management of the EES shall consist of all the tasks necessary to keep the EES functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the EES functions at a satisfactory level of operational quality, in particular as regards the response time for interrogation of the EES Central System by border authorities, in accordance with the technical specifications.

4.Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68(1), eu-LISA shall ensure that those members of its staff who are required to work with EES data or with data stored in the EES apply appropriate rules of professional secrecy or other equivalent duties of confidentiality. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 38U.K.Responsibilities of Member States and Europol

1.Each Member State shall be responsible for:

(a)the integration of the existing national border infrastructure and its connection to the NUI;

(b)the organisation, management, operation and maintenance of its existing national border infrastructure and of its connection to the EES for the purpose of Article 6 with the exception of Article 6(2);

(c)the organisation of central access points and their connection to the NUI for the purpose of law enforcement;

(d)the management of, and arrangements for, access by the duly authorised staff, and by the duly empowered staff, of the competent national authorities to the EES in accordance with this Regulation and the creation and regular update of a list of those staff and their profiles.

2.Each Member State shall designate a national authority, which shall provide the competent authorities referred to in Article 9(2) with access to the EES. Each Member State shall connect that national authority to the NUI. Each Member State shall connect their respective central access points referred to in Article 29 to the NUI.

3.Each Member State shall use automated procedures for processing EES data.

4.Member States shall ensure that the technical performance of the border control infrastructure, its availability, the duration of the border checks and the data quality are closely monitored in order to ensure that they meet the overall requirements for the proper functioning of the EES and an efficient border check procedure.

5.Before being authorised to process data stored in the EES, the staff of the authorities having a right to access the EES shall be given appropriate training on, in particular, data security and data protection rules, as well as on relevant fundamental rights.

6.Member States shall not process the data in or from the EES for purposes other than those laid down in this Regulation.

7.Europol shall assume the responsibilities provided for in point (d) of paragraph 1 and in paragraphs 3, 5 and 6. It shall connect, and be responsible for the connection of, the Europol central access point to the EES.

Article 39U.K.Responsibility for data processing

1.In relation to the processing of personal data in the EES, each Member State shall designate the authority which is to be considered as controller in accordance with point (7) of Article 4 of Regulation (EU) 2016/679 and which shall have central responsibility for the processing of data by that Member State. Each Member State shall communicate the details of that authority to the Commission.

Each Member State shall ensure that the data collected and recorded in the EES is processed lawfully and, in particular, that only duly authorised staff have access to the data for the performance of their tasks. The Member State responsible shall ensure, in particular, that the data are:

(a)collected lawfully and in full respect of the human dignity of the third-country national concerned;

(b)registered lawfully in the EES;

(c)accurate and up-to-date when they are transmitted to the EES.

2.eu-LISA shall ensure that the EES is operated in accordance with this Regulation and the implementing acts referred to in Article 36. In particular, eu-LISA shall:

(a)take the necessary measures to ensure the security of the EES Central System and the Communication Infrastructure between the EES Central System and the NUI, without prejudice to the responsibilities of the Member States;

(b)ensure that only duly authorised staff have access to data processed in the EES.

3.eu-LISA shall inform the European Parliament, the Council and the Commission, as well as the European Data Protection Supervisor, of the measures it takes pursuant to paragraph 2 in view of the start of operations of the EES.

Article 40U.K.Keeping of data in national files and national entry/exit systems

1.A Member State may keep the alphanumeric data which that Member State entered in the EES, in accordance with the purposes of the EES, in its national entry/exit system or equivalent national files, in full respect of Union law.

2.The data shall not be kept in the national entry/exit systems or equivalent national files for longer than they are kept in the EES.

3.Any use of data which does not comply with paragraph 1 shall be considered a misuse under the national law of each Member State as well as under Union law.

4.This Article shall not be construed as requiring any technical adaptation of the EES. Member States may keep data in accordance with this Article at their own cost and risk and using their own technical means.

Article 41U.K.Communication of data to third countries, international organisations and private entities

1.Data stored in the EES shall not be transferred or made available to any third country, to any international organisation or to any private entity.

2.By way of derogation from paragraph 1 of this Article, the data referred to in Article 16(1) and points (a), (b) and (c) of Article 17(1) of this Regulation may be transferred by border authorities or immigration authorities to a third country or to an international organisation listed in the Annex I to this Regulation in individual cases, if necessary in order to prove the identity of third-country nationals for the sole purpose of return, only where one of the following conditions is satisfied:

(a)the Commission has adopted a decision on the adequate protection of personal data in that third country in accordance with Article 45(3) of Regulation (EU) 2016/679;

(b)appropriate safeguards as referred to in Article 46 of Regulation (EU) 2016/679 have been provided, such as through a readmission agreement which is in force between the Union or a Member State and the third country in question; or

(c)point (d) of Article 49(1) of Regulation (EU) 2016/679, applies.

3.The data referred to in Article 16(1) and points (a), (b) and (c) of Article 17(1) of this Regulation may be transferred in accordance with paragraph 2 of this Article only where all of the following conditions are satisfied:

(a)the transfer of the data is carried out in accordance with the relevant provisions of Union law, in particular provisions on data protection, including Chapter V of Regulation (EU) 2016/679, and readmission agreements, and the national law of the Member State transferring the data;

(b)the third country or international organisation has agreed to process the data only for the purposes for which they were provided; and

(c)a return decision adopted pursuant to Directive 2008/115/EC has been issued in relation to the third-country national concerned, provided that the enforcement of such a return decision is not suspended and provided that no appeal has been lodged which may lead to the suspension of its enforcement.

4.Transfers of personal data to third countries or to international organisations pursuant to paragraph 2 shall not prejudice the rights of applicants for and beneficiaries of international protection, in particular as regards non-refoulement.

5.Personal data obtained from the EES Central System by a Member State or by Europol for law enforcement purposes shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. The prohibition shall also apply where those data are further processed at national level or between Member States pursuant to Directive (EU) 2016/680.

6.By way of derogation from paragraph 5 of this Article, the data referred to in points (a), (b) and (c) of Article 16(1), points (a) and (b) of Article 16(2), points (a) and (b) of Article 16(3) and point (a) of Article 17(1) may be transferred by the designated authority to a third country in individual cases, only where all of the following conditions are met:

(a)there is an exceptional case of urgency where there is:

(b)the transfer of data is necessary for the prevention, detection or investigation in the territory of the Member States or in the third country concerned of such a terrorist offence or serious criminal offence;

(c)the designated authority has access to such data in accordance with the procedure and the conditions set out in Articles 31 and 32;

(d)the transfer is carried out in accordance with the applicable conditions set out in Directive (EU) 2016/680, in particular Chapter V thereof;

(e)a duly motivated written or electronic request from the third country has been submitted; and

(f)the reciprocal provision of any information on entry/exit records held by the requesting third country to the Member States operating the EES is ensured.

Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.

Article 42U.K.Conditions for communication of data to a Member State which does not yet operate the EES and to a Member State to which this Regulation does not apply

1.The data referred to in points (a), (b) and (c) of Article 16(1), points (a) and (b) of Article 16(2), points (a) and (b) of Article 16(3) and point (a) of Article 17(1) may be transferred by a designated authority to a Member State which does not yet operate the EES and to a Member State to which this Regulation does not apply, in individual cases, only where all of the following conditions are met:

(a)there is an exceptional case of urgency where there is:

(b)the transfer of data is necessary for the prevention, detection or investigation of such a terrorist offence or serious criminal offence;

(c)the designated authority has access to such data in accordance with the procedure and the conditions set out in Articles 31 and 32;

(d)Directive (EU) 2016/680 applies;

(e)a duly motivated written or electronic request has been submitted; and

(f)the reciprocal provision of any information on entry/exit records held by the requesting Member State to the Member States operating the EES is ensured.

Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.

2.Where data is provided pursuant to this Article, the same conditions as provided for in Article 43(1), Article 45(1) and (3), Article 48 and Article 58(4) shall apply mutatis mutandis.

Article 43U.K.Data security

1.The Member State responsible shall ensure the security of the data before and during the transmission to the NUI. Each Member State shall ensure the security of the data it receives from the EES.

2.Each Member State shall, in relation to its national border infrastructure, adopt the necessary measures, including a security plan and a business continuity and disaster recovery plan, in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to data-processing equipment and national installations in which the Member State carries out operations in accordance with the purposes of the EES;

(c)prevent the unauthorised reading, copying, modification or removal of data media;

(d)prevent the unauthorised entering of data and the unauthorised inspection, modification or erasure of stored personal data;

(e)prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;

(f)prevent the unauthorised processing of data in the EES and any unauthorised modification or erasure of data processed in the EES;

(g)ensure that persons authorised to access the EES have access only to the data covered by their access authorisation, by means of individual and unique user identities and confidential access modes only;

(h)ensure that all authorities with a right of access to the EES create profiles describing the functions and responsibilities of persons who are authorised to enter, amend, erase, consult and search the data and make their profiles available to the supervisory authorities;

(i)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

(j)ensure that it is possible to verify and establish which data have been processed in the EES, as well as when, by whom and for what purpose they have been processed;

(k)prevent the unauthorised reading, copying, modification or erasure of personal data during the transmission of personal data to or from the EES or during the transport of data media, in particular by means of appropriate encryption techniques;

(l)ensure that, in the event of an interruption, installed systems can be restored to normal operation;

(m)ensure reliability by making sure that any faults in the functioning of the EES are properly reported;

(n)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation.

3.As regards the operation of the EES, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 2, including the adoption of a security plan and a business continuity and disaster recovery plan. eu-LISA shall also ensure reliability by making sure that necessary technical measures are put in place to ensure that personal data can be restored in the event of corruption due to a malfunctioning of the EES.

4.eu-LISA and the Member States shall cooperate in order to ensure a harmonised data security approach based on a security risk management process encompassing the entire EES.

Article 44U.K.Security incidents

1.Any event that has or may have an impact on the security of the EES and may cause damage or loss to data stored in the EES shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.Security incidents shall be managed so as to ensure a quick, effective and proper response.

3.Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the EES Central System, eu-LISA shall notify the Commission and the European Data Protection Supervisor.

4.Information regarding a security incident that has or may have an impact on the operation of the EES or on the availability, integrity and confidentiality of the data shall be provided to the Member States and reported in compliance with the incident management plan to be provided by eu-LISA.

5.The Member States concerned and eu-LISA shall cooperate in the event of a security incident.

Article 45U.K.Liability

1.Any person or Member State that has suffered material or immaterial damage as a result of an unlawful processing operation or any act not compliant with this Regulation shall be entitled to receive compensation from the Member State which is responsible for the damage suffered. That Member State shall be exempted from liability, in whole or in part, if it proves that it is not in any way responsible for the event which gave rise to the damage.

2.If any failure of a Member State to comply with its obligations under this Regulation causes damage to the EES, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in the EES failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.

Article 46U.K.Keeping of logs by eu-LISA and Member States

1.eu-LISA shall keep logs of all data processing operations within the EES. Those logs shall include the following:

(a)the purpose of access referred to in Article 9(2);

(b)the date and time;

(c)the data transmitted as referred to in Articles 16 to 19;

(d)the data used for interrogation as referred to in Articles 23 to 27;[F2 and]

(e)the name of the authority entering or retrieving the data[F1; and]

[F3(f) a reference to the use of the ESP to query the EES as referred to in Article 7(2) of Regulation (EU) 2019/817.]

2.For the consultations listed in Article 8, a log of each data processing operation carried out within the EES and the VIS shall be kept in accordance with this Article and Article 34 of Regulation (EC) No 767/2008. eu-LISA shall ensure, in particular, that the relevant log of the concerned data processing operations is kept when the competent authorities launch a data processing operation directly from one system to the other.

3.In addition to paragraphs 1 and 2, each Member State shall keep logs of the staff duly authorised to process the EES data.

4.Such logs may be used only for data protection monitoring, including checking the admissibility of a request and the lawfulness of data processing, and for ensuring data security pursuant to Article 43. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after the retention period referred to in Article 34 has expired, unless they are required for monitoring procedures which have already begun.

Article 47U.K.Self-monitoring

Member States shall ensure that each authority entitled to access EES data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authorities.

Article 48U.K.Penalties

Member States shall take the necessary measures to ensure that any use of data entered in the EES in a manner contrary to this Regulation is punishable by effective, [X1proportionate and dissuasive penalties in accordance with] national law, Article 84 of Regulation (EU) 2016/679 and Article 57 of Directive (EU) 2016/680.

Article 49U.K.Data Protection

1.Regulation (EC) No 45/2001 shall apply to the processing of personal data by eu-LISA on the basis of this Regulation.

2.Regulation (EU) 2016/679 shall apply to the processing of personal data by national authorities on the basis of this Regulation, with the exception of processing for the purposes referred to in Article 1(2) of this Regulation.

3.Directive (EU) 2016/680 shall apply to the processing of personal data by Member States’ designated authorities on the basis of this Regulation for the purposes referred to in Article 1(2) of this Regulation.

4.Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol on the basis of this Regulation.