Regulation (EU) 2018/1240 of the European Parliament and of the CouncilShow full title

CHAPTER XIIU.K. DATA PROTECTION

Article 56U.K.Data protection

1.Regulation (EC) No 45/2001 shall apply to the processing of personal data by the European Border and Coast Guard Agency and eu-LISA.

2.Regulation (EU) 2016/679 shall apply to the processing of personal data by the ETIAS National Units assessing applications, by border authorities and by immigration authorities.

Where the processing of personal data by the ETIAS National Units is performed by competent authorities assessing the applications for the purposes of the prevention, detection or investigation of terrorist offences or other serious criminal offences, Directive (EU) 2016/680 shall apply.

Where the ETIAS National Unit decides on the issue, refusal, revocation or annulment of a travel authorisation, Regulation (EU) 2016/679 shall apply.

3.Directive (EU) 2016/680 shall apply to the processing of personal data by Member States’ designated authorities for the purposes of Article 1(2) of this Regulation.

4.Regulation (EU) 2016/794 shall apply to the processing of personal data by Europol pursuant to Articles 29 and 53 of this Regulation.

Article 57U.K.Data controller

1.The European Border and Coast Guard Agency is to be considered a data controller in accordance with point (d) of Article 2 of Regulation (EC) No 45/2001 in relation to the processing of personal data in the ETIAS Central System. In relation to information security management of the ETIAS Central System, eu-LISA is to be considered a controller.

2.In relation to the processing of personal data in the ETIAS Central System by a Member State, the ETIAS National Unit is to be considered as controller in accordance with point 7 of Article 4 of Regulation (EU) 2016/679. It shall have central responsibility for the processing of personal data in the ETIAS Central System by that Member State.

Article 58U.K.Data processor

1.eu-LISA is to be considered a processor in accordance with point (e) of Article 2 of Regulation (EC) No 45/2001 in relation to the processing of personal data in the ETIAS Information System.

2.eu-LISA shall ensure that the ETIAS Information System is operated in accordance with this Regulation.

Article 59U.K.Security of processing

1.eu-LISA, the ETIAS Central Unit and the ETIAS National Units shall ensure the security of processing of personal data pursuant to this Regulation. eu-LISA, the ETIAS Central Unit and the ETIAS National Units shall cooperate on data security related tasks.

2.Without prejudice to Article 22 of Regulation (EC) No 45/2001, eu-LISA shall take the necessary measures to ensure the security of the ETIAS Information System.

3.Without prejudice to Article 22 of Regulation (EC) No 45/2001 and Articles 32 and 34 of Regulation (EU) 2016/679, eu-LISA, the ETIAS Central Unit and the ETIAS National Units shall adopt the necessary measures, including a security plan and a business continuity and disaster recovery plan, in order to:

(a)physically protect data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to the secure web service, the email service, the secure account service, the carrier gateway, the verification tool for applicants and the consent tool for applicants;

(c)deny unauthorised persons access to data processing equipment and national installations in accordance with the purposes of ETIAS;

(d)prevent the unauthorised reading, copying, modification or removal of data media;

(e)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;

(f)prevent the use of automated data processing systems by unauthorised persons using data communication equipment;

(g)prevent the unauthorised processing of data in the ETIAS Central System and any unauthorised modification or deletion of data processed in the ETIAS Central System;

(h)ensure that persons authorised to access the ETIAS Information System have access only to the data covered by their access authorisation, by means of individual and unique user identities and confidential access modes only;

(i)ensure that all authorities with a right of access to the ETIAS Information System create profiles describing the functions and responsibilities of persons who are authorised to access the data and make their profiles available to the supervisory authorities;

(j)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

(k)ensure that it is possible to verify and establish what data has been processed in the ETIAS Information System, when, by whom and for what purpose;

(l)prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the ETIAS Central System or during the transport of data media, in particular by means of appropriate encryption techniques;

(m)ensure that, in the event of an interruption, installed systems can be restored to normal operation;

(n)ensure reliability by making sure that any faults in the functioning of ETIAS are properly reported and that necessary technical measures are put in place to ensure that personal data can be restored in the event of corruption due to a malfunctioning of ETIAS;

(o)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation.

4.The Commission shall, by means of implementing acts, adopt a model security plan and a model business continuity and disaster recovery plan. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 90(2). eu-LISA’s Management Board, the European Border and Coast Guard Agency’s Management Board and the Member States shall adopt the security, business continuity and disaster recovery plans for eu-LISA, for the ETIAS Central Unit and for the ETIAS National Units respectively. They shall use the model plans adopted by the Commission as a basis, adjusted as necessary.

5.eu-LISA shall inform the European Parliament, the Council and the Commission and the European Data Protection Supervisor of the measures it takes pursuant to this Article.

Article 60U.K.Security incidents

1.Any event that has or may have an impact on the security of ETIAS and may cause damage or loss to the data stored in ETIAS shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.Security incidents shall be managed so as to ensure a quick, effective and proper response.

3.Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of security incidents. In the event of a security incident in relation to the ETIAS Information System, eu-LISA shall notify the Commission and the European Data Protection Supervisor. Europol shall notify the Commission and the European Data Protection Supervisor in the case of an ETIAS-related security incident.

4.Information regarding a security incident that has or may have an impact on the operation of ETIAS or on the availability, integrity and confidentiality of the data stored in ETIAS shall be provided to the Commission and, if affected, to the ETIAS Central Unit, to the ETIAS National Units and to Europol. Such incidents shall also be reported in compliance with the incident management plan to be provided by eu-LISA.

5.Member States, the European Border and Coast Guard Agency, eu-LISA and Europol shall cooperate in the event of a security incident.

Article 61U.K.Self-monitoring

The European Border and Coast Guard Agency, Europol and Member States shall ensure that each authority entitled to access the ETIAS Information System takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.

Article 62U.K.Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.

Article 63U.K.Liability

1.Without prejudice to the right to compensation from, and liability of the controller or processor under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EC) No 45/2001:

(a)any person or Member State that has suffered material or non-material damage as a result of an unlawful personal data processing operation or any other act incompatible with this Regulation by a Member State shall be entitled to receive compensation from that Member State;

(b)any person or Member State that has suffered material or non-material damage as a result of any act by eu-LISA incompatible with this Regulation shall be entitled to receive compensation from that agency. eu-LISA shall be liable for unlawful personal data processing operations in accordance with its role as processor or, where applicable, controller.

A Member State or eu-LISA shall be exempted from their liability under the first subparagraph, in whole or in part, if they prove that they are not responsible for the event which gave rise to the damage.

2.If any failure of a Member State to comply with its obligations under this Regulation causes damage to the ETIAS Central System, that Member State shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in the ETIAS Central System failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the national law of that Member State. Claims for compensation against the controller or eu-LISA for the damage referred to in paragraphs 1 and 2 shall be subject to the conditions provided for in the Treaties.

Article 64U.K.Right of access to, of rectification, of completion, of erasure of personal data and of restriction of processing

1.Without prejudice to the right of information in Articles 11 and 12 of Regulation (EC) No 45/2001, applicants whose data are stored in the ETIAS Central System shall be informed, at the time their data are collected, of the procedures for exercising the rights under Articles 13 to 16 of Regulation (EC) No 45/2001 and Articles 15 to 18 of Regulation (EU) 2016/679. They shall also be provided with the contact details of the data protection officer of the European Border and Coast Guard Agency and of the European Data Protection Supervisor at the same time.

2.In order to exercise their rights under Articles 13 to 16 of Regulation (EC) No 45/2001 and Articles 15 to 18 of Regulation (EU) 2016/679, any applicant shall have the right to address him or herself to the ETIAS Central Unit or to the ETIAS National Unit responsible for his or her application. The unit that receives the request shall examine and reply to it as soon as possible, and at the latest within 30 days.

Where in response to a request, it is found that the data stored in the ETIAS Central System are factually inaccurate or have been recorded unlawfully, the ETIAS Central Unit or the ETIAS National Unit of the Member State responsible shall rectify or erase those data in the ETIAS Central System without delay.

Where in response to a request pursuant to this paragraph, a travel authorisation is amended by the ETIAS Central Unit or an ETIAS National Unit during its validity period, the ETIAS Central System shall carry out the automated processing laid down in Article 20 to determine whether the amended application file triggers a hit pursuant to Article 20(2) to (5). Where the automated processing does not report any hit, the ETIAS Central System shall issue an amended travel authorisation with the same validity period of the original and notify the applicant. Where the automated processing reports one or several hits, the ETIAS National Unit of the Member State responsible shall assess the security, illegal immigration or high epidemic risk in accordance with Article 26. It shall then decide whether to issue an amended travel authorisation or, where it concludes that the conditions for granting the travel authorisation are no longer met, revoke the travel authorisation.

3.Where the ETIAS Central Unit or the ETIAS National Unit of the Member State responsible for the application does not agree with the claim that data stored in the ETIAS Central System are factually inaccurate or have been recorded unlawfully, the ETIAS Central Unit or the ETIAS National Unit of the Member State responsible shall adopt without delay an administrative decision explaining in writing to the person concerned why it is not prepared to correct or delete data relating to him or her.

4.That decision shall also provide the person concerned with information explaining the possibility to challenge the decision taken in respect of the request referred to in paragraph 2 and, where relevant, information on how to bring an action or a complaint before the competent authorities or courts and any assistance available to the person, including from the competent national supervisory authorities.

5.Any request made pursuant to paragraph 2 shall contain the necessary information to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 2 and shall be erased immediately afterwards.

6.The ETIAS Central Unit or the ETIAS National Unit of the Member State responsible shall keep a record in the form of a written document that a request referred to in paragraph 2 was made and how it was addressed. It shall make that document available to the competent national data protection supervisory authorities without delay, and not later than seven days following the decision to rectify or erase data referred to in the second subparagraph of paragraph 2 or following the decision referred to in paragraph 3 respectively.

Article 65U.K.Communication of personal data to third countries, international organisations and private parties

1.Personal data stored in the ETIAS Central System shall not be transferred or made available to a third country, to an international organisation or to any private party with the exception of transfers to Interpol for the purpose of carrying out the automated processing referred to in points (b) and (l) of Article 20(2) of this Regulation. Transfers of personal data to Interpol are subject to the provisions of Article 9 of Regulation (EC) No 45/2001.

2.Personal data accessed from the ETIAS Central System by a Member State or by Europol for the purposes referred to in Article 1(2) shall not be transferred or made available to any third country, international organisation or private party. The prohibition shall also apply if those data are further processed at national level or between Member States.

3.By way of derogation from Article 49 of this Regulation, if necessary for the purpose of return, the immigration authorities may access the ETIAS Central System to retrieve data to be transferred to a third country in individual cases only where all of the following conditions are met:

(a)a prior search has been conducted in the EES in accordance with Article 26 of Regulation (EU) 2017/2226; and

(b)this search indicates that the EES does not contain data concerning the third-country national to be returned.

Where necessary, fulfilment of these conditions shall be verified by accessing the logs provided for in Article 46 of Regulation (EU) 2017/2226 corresponding to the search referred to in point (a) of the first subparagraph of this paragraph and to the answer corresponding to point (b) of that subparagraph.

If those conditions are met, the immigration authorities shall have access to query the ETIAS Central System with some or all of the data referred to in points (a) to (e) of Article 17(2) of this Regulation. If an ETIAS application file corresponds to those data, the immigration authorities will have access to the data referred to in points (a) to (g) of Article 17(2) of this Regulation and, in case of minors, point (k) of paragraph 2 of that Article.

By way of derogation from paragraph 1 of this Article, the data accessed from the ETIAS Central System by the immigration authorities may be transferred to a third country in individual cases if necessary in order to prove the identity of third-country nationals for the sole purpose of return, and only where one of the following conditions is satisfied:

(a)the Commission has adopted a decision on the adequate level of protection of personal data in that third country in accordance with Article 45(3) of Regulation (EU) 2016/679;

(b)appropriate safeguards have been provided as referred to in Article 46 of Regulation (EU) 2016/679, such as through a readmission agreement which is in force between the Union or a Member State and the third country in question;

(c)point (d) of Article 49(1) of Regulation (EU) 2016/679 applies.

The data referred to in [F1points (a), (aa), (b), (d), (e) and (f) of Article 17(2)] of this Regulation may be transferred only where all of the following conditions are satisfied:

(a)the transfer of the data is carried out in accordance with the relevant provisions of Union law, in particular provisions on data protection, including Chapter V of Regulation (EU) 2016/679, readmission agreements, and the national law of the Member State transferring the data;

(b)the third country has agreed to process the data only for the purposes for which they were provided; and

(c)a return decision adopted pursuant to Directive 2008/115/EC of the European Parliament and of the Council(1) has been issued in relation to the third-country national concerned, provided that the enforcement of such a return decision is not suspended and provided that no appeal has been lodged which may lead to the suspension of its enforcement.

4.Transfers of personal data to third countries pursuant to paragraph 3 shall not prejudice the rights of applicants for and beneficiaries of international protection, in particular as regards non-refoulement.

5.By way of derogation from paragraph 2 of this Article, the data from the ETIAS Central System referred to in Article 52(4) accessed by the designated authorities for the purposes referred to in Article 1(2) may be transferred or made available by the designated authority to a third country in individual cases, but only where all of the following conditions are met:

(a)there is an exceptional case of urgency where there is:

(b)the transfer of data is necessary for the prevention, detection or investigation in the territory of the Member States or in the third country concerned of such a terrorist offence or serious criminal offence;

(c)the designated authority has access to such data in accordance with the procedure and the conditions set out in Articles 51 and 52;

(d)the transfer is carried out in accordance with the applicable conditions set out in Directive (EU) 2016/680, in particular Chapter V thereof;

(e)a duly motivated written or electronic request from the third country has been submitted;

(f)the reciprocal provision of any information in systems for travel authorisation held by the requesting third country to the Member States operating the ETIAS is ensured.

Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.

Article 66U.K.Supervision by the supervisory authority

1.Each Member State shall ensure that the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 independently monitors the lawfulness of the processing of personal data pursuant to this Regulation by the Member State concerned, including their transmission to and from ETIAS.

2.Each Member State shall ensure that the national laws, regulations and administrative provisions adopted pursuant to Directive (EU) 2016/680 are also applicable to the access to ETIAS by its national authorities in line with Chapter X of this Regulation, including in relation to the rights of the persons whose data are so accessed.

3.The supervisory authority established in accordance with Article 41(1) of Directive (EU) 2016/680 shall monitor the lawfulness of the access to personal data by Member States in accordance with Chapter X of this Regulation, including the transmission of data to and from ETIAS. Article 66(5) and (6) of this Regulation shall apply accordingly.

4.The supervisory authority or authorities established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall ensure that an audit of the data processing operations by the ETIAS National Units is carried out in accordance with relevant international auditing standards at least every three years from the start of operations of ETIAS. The results of the audit may be taken into account in the evaluations conducted under the mechanism established by Council Regulation (EU) No 1053/2013(2). The supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 shall publish annually the number of requests for rectification, completion or erasure, or restriction of processing of data, the action subsequently taken and the number of rectifications, completions, erasures and restrictions of processing made in response to requests by the persons concerned.

5.Member States shall ensure that their supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 has sufficient resources and expertise to fulfil the tasks entrusted to it under this Regulation.

6.Member States shall supply any information requested by the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679. They shall, in particular, provide it with information on the activities carried out in accordance with their responsibilities as laid down in this Regulation. Member States shall grant the supervisory authority established in accordance with Article 51(1) of Regulation (EU) 2016/679 access to their logs and allow it access at all times to all their premises used for the purposes of ETIAS.

Article 67U.K.Supervision by the European Data Protection Supervisor

1.The European Data Protection Supervisor shall be responsible for monitoring the personal data processing activities of eu-LISA, Europol and the European Border and Coast Guard Agency related to ETIAS and for ensuring that such activities are carried out in accordance with Regulation (EC) No 45/2001 and with this Regulation.

2.The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s and the ETIAS Central Unit’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to eu-LISA and to the supervisory authorities. eu-LISA and the European Border and Coast Guard Agency shall be given an opportunity to make comments before the report is adopted.

3.eu-LISA and the ETIAS Central Unit shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to their logs, and allow him or her access to all their premises at any time.

Article 68U.K.Cooperation between supervisory authorities and the European Data Protection Supervisor

1.The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities. They shall ensure coordinated supervision of ETIAS and of the national border infrastructures.

2.The supervisory authorities and the European Data Protection Supervisor shall exchange relevant information, assist each other in carrying out audits and inspections, examine any difficulties concerning the interpretation or application of this Regulation, assess problems in the exercise of independent supervision or in the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

3.For the purpose of paragraph 2, the supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year within the framework of the European Data Protection Board established by Regulation (EU) 2016/679. The costs of those meetings shall be borne and their organisation shall be undertaken by that Board. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.

4.A joint report of activities shall be sent by the European Data Protection Board to the European Parliament, to the Council, to the Commission, to the European Border and Coast Guard Agency and to eu-LISA every two years. That report shall include a chapter on each Member State prepared by the supervisory authority of that Member State.

Article 69U.K.Keeping of logs

1.eu-LISA shall keep logs of all data processing operations within the ETIAS Information System. Those logs shall include the following:

(a)the purpose of the access;

(b)the date and time of each operation;

(c)the data used for the automated processing of the applications;

[F2(ca) where relevant, a reference to the use of the ESP to query the ETIAS Central System as referred to in Article 7(2) of Regulation (EU) 2019/817;]

(d)the hits triggered while carrying out the automated processing laid down in Article 20;

(e)the data used for the verification of identity stored in the ETIAS Central System or other information systems and databases;

(f)the results of the verification process referred to in Article 22; and

(g)the staff member having performed it.

2.The ETIAS Central Unit shall keep records of the staff members duly authorised to perform the identity verifications.

The ETIAS National Unit of the Member State responsible shall keep records of the staff member duly authorised to enter or retrieve the data.

3.eu-LISA shall keep logs of all data processing operations within the ETIAS Information System involving the access by border authorities referred to in Article 47 and the access by immigration authorities referred to in Article 49. Those logs shall show the date and time of each operation, the data used for launching the search, the data transmitted by the ETIAS Central System and the name of the border authorities and immigration authorities entering and retrieving the data.

In addition, the competent authorities shall keep records of the staff members duly authorised to enter and retrieve the data.

4.Such logs may be used only for monitoring the admissibility of data processing and to ensure data security and integrity. The logs shall be protected by appropriate measures against unauthorised access. They shall be deleted one year after the retention period referred to in Article 54 has expired, if they are not required for monitoring procedures which have already begun.

eu-LISA and the ETIAS National Units shall make the logs available to the European Data Protection Supervisor and to the competent supervisory authorities on request.

Article 70U.K.Keeping of logs for requests for data consultation in order to prevent, detect and investigate terrorist offences or other serious criminal offences

1.eu-LISA shall keep logs of all data processing operations within the ETIAS Central System involving access by the central access points referred to in Article 50(2) for the purposes of Article 1(2). Those logs shall show the date and time of each operation, the data used for launching the search, the data transmitted by the ETIAS Central System and the name of the authorised staff of the central access points entering and retrieving the data.

2.In addition, each Member State and Europol shall keep logs of all data processing operations within the ETIAS Central System resulting from requests for consultation of data or from access to data stored in the ETIAS Central System for the purposes laid down in Article 1(2).

3.The logs referred to in paragraph 2 shall show:

(a)the exact purpose of the request for consultation of or access to data stored in the ETIAS Central System, including the terrorist offence or other serious criminal offence concerned and, for Europol, the exact purpose of the request for consultation;

(b)the decision taken with regard to the admissibility of the request;

(c)the national file reference;

(d)the date and exact time of the request for access made by the central access point to the ETIAS Central System;

(e)where applicable, the use of the urgency procedure referred to in Article 51(4) and the outcome of the ex post verification;

(f)which of the data or set of data referred to in Article 52(2) and (3) have been used for consultation; and

(g)in accordance with national rules or with Regulation (EU) 2016/794, the identifying mark of the official who carried out the search and of the official who ordered the search or transmission of data.

4.The logs referred to in paragraphs 1 and 2 of this Article shall be used only to check the admissibility of the request, monitor the lawfulness of data processing and to ensure data integrity and security. The logs shall be protected by appropriate measures against unauthorised access. They shall be deleted one year after the retention period referred to in Article 54 has expired, if they are not required for monitoring procedures which have already begun. The European Data Protection Supervisor and the competent supervisory authorities responsible for monitoring the lawfulness of the data processing and data integrity and security shall have access to the logs at their request for the purpose of fulfilling their duties. The authority responsible for checking the admissibility of the request shall also have access to the logs for that purpose. Other than for such purposes, personal data shall be erased in all national and Europol files after a period of one month, unless those data are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 92.