Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
This version of this Regulation was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then. Find out more about legislation originating from the EU as published on legislation.gov.uk.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
1. Without prejudice to the right of information in Article 13 of Regulation (EU) 2016/679, third-country nationals whose data are to be recorded in the EES shall be informed by the Member State responsible of the following:
(a) the fact that the EES may be accessed by the Member States and Europol for law enforcement purposes;
(b) the obligation on visa-exempt third-country nationals and on holders of an FTD to have their fingerprints taken;
(c) the obligation on all third-country nationals subject to registration in the EES to have their facial image recorded;
(d) that the collection of the data is mandatory for the examination of entry conditions;
(e) the fact that entry will be refused if a third-country national refuses to provide the requested biometric data for registration, verification or identification in the EES;
(f) the right to receive information about the maximum remaining duration of their authorised stay in accordance with Article 11(3);
(g) the fact that personal data stored in the EES may be transferred to a third country or an international organisation listed in Annex I for the purposes of return, to a third country in accordance with Article 41(6) and to Member States in accordance with Article 42;
(h) the existence of the right to request from the controller access to data relating to them, the right to request that inaccurate data relating to them be rectified, that incomplete personal data relating to them be completed, that unlawfully processed personal data concerning them be erased or that the processing thereof be restricted, as well as the right to receive information on the procedures for exercising those rights, including the contact details of the controller and the supervisory authorities, or of the European Data Protection Supervisor if applicable, which shall hear complaints concerning the protection of personal data;
(i) the fact that EES data will be accessed for border management and facilitation purposes and that overstays will automatically lead to the addition of their data to the list of identified persons referred to in Article 12(3), as well as the possible consequences of overstaying;
(j) the data retention period set for entry and exit records, refusal of entry records, and for individual files pursuant to Article 34;
(k) the right for overstayers to have their personal data erased from the list of identified persons referred to in Article 12(3) and rectified in the EES, where they provide evidence that they exceeded the authorised duration of stay due to unforeseeable and serious events;
(l) the right to lodge a complaint to the supervisory authorities.
2. The information provided in paragraph 1 of this Article shall be provided in writing, by any appropriate means, in a concise, transparent, intelligible and easily accessible form, and it shall be made available, using clear and plain language, in a linguistic version the person concerned understands or is reasonably expected to understand, in order to ensure that third-country nationals are informed of their rights, at the time when the individual file of the person concerned is being created in accordance with Article 16, 17 or 18.
3. The Commission shall also set up a website containing the information referred to in paragraph 1.
4. The Commission shall adopt implementing acts drawing up the information referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).
5. The Commission shall provide the information referred to in paragraph 1 of this Article in a template. The template shall be drawn up in such a manner as to enable Member States to complete it with additional Member State specific information. That Member State specific information shall include at least the rights of the data subject, the possibility of assistance by the supervisory authorities, as well as contact details of the office of the controller and of the data protection officer and the supervisory authorities. The Commission shall adopt implementing acts concerning the specifications and conditions for the website referred to in paragraph 3 of this Article. Those implementing acts shall be adopted prior to the start of operations of the EES in accordance with the examination procedure referred to in Article 68(2).
The Commission shall, in cooperation with the supervisory authorities and the European Data Protection Supervisor, accompany the start of operations of the EES with an information campaign informing the public and, in particular, third-country nationals, about the objectives of the EES, the data stored in the EES, the authorities having access and the rights of persons concerned. Such information campaigns shall be conducted regularly.
1. The requests of third-country nationals in relation to the rights set out in Articles 15 to 18 of Regulation (EU) 2016/679 may be addressed to the competent authority of any Member State.
The Member State responsible or the Member State to which the request has been made shall reply to such requests within 45 days of receipt of the request.
2. If a request for rectification, completion or erasure of personal data or restriction of the processing thereof is made to a Member State other than the Member State responsible, the authorities of the Member State to which the request has been made shall check the accuracy of the data and the lawfulness of the data processing in the EES within 30 days of the receipt of the request where that check can be done without consulting the Member State responsible. Otherwise, the Member State to which the request has been made shall contact the authorities of the Member State responsible within seven days and the Member State responsible shall check the accuracy of the data and the lawfulness of the data processing within 30 days of such contact.
3. In the event that data recorded in the EES are factually inaccurate, incomplete or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall rectify, complete or erase the personal data or restrict the processing of personal data in accordance with Article 35. The Member State responsible or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without delay that it has taken action to rectify, complete or erase the personal data of that person or to restrict the processing of such personal data.
In the event that visa-related data recorded in the EES are factually incorrect, incomplete or have been recorded unlawfully, the Member State responsible or, where applicable, the Member State to which the request has been made shall first check the accuracy of these data against the VIS and shall, if necessary, amend them in the EES. Should the data recorded in the VIS be the same as in the EES, the Member State responsible or, where applicable, the Member State to which the request has been made, shall contact the authorities of the Member State which is responsible for entering these data in the VIS within seven days. The Member State which is responsible for entering the data in the VIS shall check the accuracy of the visa-related data and the lawfulness of their processing in the EES within 30 days of such contact and inform the Member State responsible or the Member State to which the request has been made which shall, if necessary, rectify or complete the personal data of the person concerned or restrict the processing of such data in, or erase such data from, the EES without delay and, where applicable, from the list of identified persons referred to in Article 12(3).
4. If the Member State responsible or, where applicable, the Member State to which the request has been made does not agree that data recorded in the EES are factually inaccurate, incomplete or have been recorded unlawfully, that Member State shall adopt an administrative decision explaining in writing to the third-country national concerned without delay why it is not prepared to rectify, complete or erase the personal data relating to him or her or restrict the processing of such data.
5. The Member State which has adopted the administrative decision pursuant to paragraph 4 of this Article shall also provide the third-country national concerned with information explaining the steps which he or she can take if he or she does not accept the explanation. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance that is available in accordance with the laws, regulations and procedures of that Member State, including from the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679.
6. Any request made pursuant to paragraphs 1 and 2 shall contain the minimum information necessary to identify the third-country national concerned. Fingerprints may be requested for this purpose only in duly justified cases and where there are substantive doubts as to the identity of the applicant. That information shall be used exclusively to enable that third-country national to exercise the rights referred to in paragraph 1 and shall be erased immediately afterwards.
7. Whenever a person makes a request in accordance with paragraph 1 of this Article, the competent authority of the Member State responsible or of the Member State to whom the request has been made shall keep a record in the form of a written document that such a request was made. That document shall contain information on how that request was dealt with and by which authority. The competent authority shall make that document available to the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679, within seven days.
1. The competent authorities of the Member States shall cooperate actively to enforce the rights laid down in Article 52.
2. In each Member State, the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall, upon request, assist and advise the data subject in exercising his or her right to rectify, complete or erase personal data relating to him or her or to restrict the processing of such data in accordance with Regulation (EU) 2016/679.
In order to achieve the aims referred to in the first subparagraph, the supervisory authority of the Member State responsible which transmitted the data and the supervisory authority of the Member State to which the request has been made shall cooperate with each other.
1. Without prejudice to Articles 77 and 79 of Regulation (EU) 2016/679, in each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to, or right of rectification, completion or erasure of, data relating to him or her provided for in Article 52 and Article 53(2) of this Regulation. The right to bring such an action or complaint shall also apply in cases where requests for access, rectification, completion or erasure were not responded to within the deadlines provided for in Article 52 or were never dealt with by the data controller.
2. The assistance of the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall remain available throughout the proceedings.
1. Each Member State shall ensure that the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 independently monitors the lawfulness of the processing of personal data referred to in Chapters II, III, V and VI of this Regulation by the Member State concerned, including their transmission to and from the EES.
2. The supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall ensure that an audit of the data processing operations in the national border infrastructure is carried out in accordance with relevant international auditing standards at least every three years from the start of operations of the EES. The results of the audit may be taken into account in the evaluations conducted under the mechanism established by Council Regulation (EU) No 1053/2013(1). The supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall publish annually the number of requests for rectification, completion or erasure, or restriction of processing of data, the action subsequently taken and the number of rectifications, completions, erasures and restrictions of processing made in response to requests by the persons concerned.
3. Member States shall ensure that their supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 has sufficient resources to fulfil the tasks entrusted to it under this Regulation and has access to advice from persons with sufficient knowledge of biometric data.
4. Member States shall supply any information requested by the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 and shall, in particular, provide it with information on the activities carried out in accordance with Article 38, Article 39(1) and Article 43. Member States shall grant the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 access to their logs pursuant to Article 46 and allow it access at all times to all their EES related premises.
1. The European Data Protection Supervisor shall be responsible for monitoring the personal data processing activities of eu-LISA concerning the EES and for ensuring that such activities are carried out in accordance with Regulation (EC) No 45/2001 and with this Regulation.
2. The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to eu-LISA and to the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.
3. eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 46 and allow him or her access to all its premises at any time.
1. The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities and shall ensure coordinated supervision of the EES and the national border infrastructures.
2. The supervisory authorities and the European Data Protection Supervisor shall exchange relevant information, assist each other in carrying out audits and inspections, examine any difficulties concerning the interpretation or application of this Regulation, assess problems in the exercise of independent supervision or in the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.
3. For the purpose of paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year within the framework of the European Data Protection Board established by Regulation (EU) 2016/679 (the ‘European Data Protection Board’). The costs of those meetings shall be borne and their organisation shall be undertaken by that Board. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.
4. A joint report of activities shall be sent by the European Data Protection Board to the European Parliament, to the Council, to the Commission and to eu-LISA every two years. That report shall include a chapter on each Member State prepared by the supervisory authorities of that Member State.
Editorial Information
X1 Substituted by Corrigendum to Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (Official Journal of the European Union L 327 of 9 December 2017).
1. Each Member State shall ensure that the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 are also applicable to the access to the EES by its national authorities in line with Article 1(2) of this Regulation, including in relation to the rights of the persons whose data are so accessed.
2. The supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680 shall monitor the lawfulness of the access to personal data by the Member States in accordance with Chapter IV of this Regulation, including their transmission to and from the EES. Article 55(3) and (4) of this Regulation shall apply accordingly.
3. The processing of personal data by Europol pursuant to this Regulation shall be carried out in accordance with Regulation (EU) 2016/794 and shall be supervised by the European Data Protection Supervisor.
4. Personal data accessed in the EES in accordance with Chapter IV shall only be processed for the purposes of the prevention, detection or investigation of the specific case for which the data have been requested by a Member State or by Europol.
5. The EES Central System, the designated authorities, the central access points and Europol shall keep records of the searches for the purpose of enabling the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680 and the European Data Protection Supervisor to monitor the compliance of data processing with Union and national data protection rules. With the exception of that purpose, personal data, as well as the records of searches, shall be erased from all national and Europol files after 30 days, unless those data and records are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol.
1. Each Member State and Europol shall ensure that all data processing operations resulting from requests to access to EES data in accordance with Chapter IV are logged or documented for the purposes of checking the admissibility of the request, monitoring the lawfulness of the data processing and data integrity and security, and self-monitoring.
2. The log or documentation shall show, in all cases:
(a) the exact purpose of the request for access to EES data, including the terrorist offence or other serious criminal offence concerned and, for Europol, the exact purpose of the request for access;
(b) the reasonable grounds given for not making comparisons with other Member States under Decision 2008/615/JHA, in accordance with point (b) of Article 32(2) of this Regulation;
(c) the national file reference;
(d) the date and exact time of the request for access by the central access point to the EES Central System;
(e) the name of the authority which requested access for consultation;
(f) where applicable, the use of the urgency procedure referred to in Article 31(2) of this Regulation and the decision taken with regard to the ex-post verification;
(g) the data used for consultation;
(h) in accordance with national rules or with Regulation (EU) 2016/794, the unique user identity of the official who carried out the search and of the official who ordered the search.
3. Logs and documentation shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs which do not contain personal data may be used for the monitoring and evaluation referred to in Article 72 of this Regulation. The supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, which is responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security, shall have access to these logs at its request for the purpose of fulfilling its duties.
(1) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).