Regulation (EU) 2018/1861 of the European Parliament and of the CouncilShow full title

Article 6 is replaced by the following:

‘Article 6National Systems

1.Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS II and connecting it to NI-SIS.

2.Each Member State shall be responsible for ensuring the uninterrupted availability of SIS II data to end-users.’;

Article 11 is replaced by the following:

‘Article 11Confidentiality – Member States

1.Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS II data and supplementary information, in accordance with its national legislation. This obligation shall also apply after those people leave office or employment or after the termination of the activities of those bodies.

2.Where a Member State cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

3.The operational management of N.SIS II or of any technical copies shall not be entrusted to private companies or private organisations.’;

Article 15 is amended as follows:

in Article 17, the following paragraphs are added:

‘3.Where the Management Authority cooperates with external contractors in any SIS II-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.

4.The operational management of CS-SIS shall not be entrusted to private companies or private organisations.’;

in Article 20(2), the following point is inserted:

‘(ka)the type of offence;’;

in Article 21, the following paragraph is added:

‘Where the decision to refuse entry and stay referred to in Article 24(2) is related to a terrorist offence, the case shall be considered adequate, relevant and important enough to warrant an alert in SIS II. For public or national security reasons, Member States may exceptionally refrain from entering an alert when it is likely to obstruct official or legal inquiries, investigations or procedures.’;

Article 22 is replaced by the following:

‘Article 22Specific rules for entering, verification or search with photographs and fingerprints

1.Photographs and fingerprints shall only be entered following a special quality check to ascertain whether they fulfil minimum data quality standards. The specification of the special quality check shall be established in accordance with the procedure referred to in Article 51(2).

2.Where photographs and fingerprint data are available in an alert in SIS II, such photographs and fingerprint data shall be used to confirm the identity of a person who has been located as a result of an alphanumeric search made in SIS II.

3.Fingerprint data may be searched in all cases to identify a person. However, fingerprint data shall be searched to identify a person where the identity of the person cannot be ascertained by other means. For that purpose, the Central SIS II shall contain an Automated Fingerprint Identification System (AFIS).

4.Fingerprint data in SIS II in relation to alerts entered in accordance with Articles 24 and 26 may also be searched using complete or incomplete sets of fingerprints discovered at the scenes of serious crimes or terrorist offences under investigation, where it can be established to a high degree of probability that those sets of prints belong to a perpetrator of the offence and provided that the search is carried out simultaneously in the Member State's relevant national fingerprints databases.’;

Article 26 is replaced by the following:

‘Article 26Conditions for entering alerts on third-country nationals subject to restrictive measures

1.Alerts on third-country nationals who are the subject of a restrictive measure intended to prevent entry into or transit through the territory of Member States taken in accordance with legal acts adopted by the Council, including measures implementing a travel ban issued by the Security Council of the United Nations, shall, insofar as data-quality requirements are satisfied, be entered into SIS II for the purpose of refusing entry and stay.

2.The alerts shall be entered, kept up-to-date and deleted by the competent authority of the Member State which holds the Presidency of the Council of the European Union at the time of the adoption of the measure. If that Member State does not have access to SIS II or to alerts entered in accordance with this Regulation, the responsibility shall be taken up by the Member State which holds the subsequent Presidency and which has access to SIS II, including to alerts entered in accordance with this Regulation.

Member States shall put in place the necessary procedures for entering, updating and deleting such alerts.’;

the following Articles are inserted:

‘Article 27aAccess to data in SIS II by Europol

1.The European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the Council(1), shall, where necessary to fulfil its mandate, have the right to access and search data in SIS II. Europol may also exchange and further request supplementary information in accordance with the provisions of the SIRENE Manual.

2.Where a search by Europol reveals the existence of an alert in SIS II, Europol shall inform the issuing Member State through the exchange of supplementary information by means of the Communication Infrastructure and in accordance with the provisions set out in the SIRENE Manual. Until Europol is able to use the functionalities intended for the exchange of supplementary information, it shall inform issuing Member States through the channels defined by Regulation (EU) 2016/794.

3.Europol may process the supplementary information that has been provided to it by Member States for the purposes of comparing it with its databases and operational analysis projects, aimed at identifying connections or other relevant links and for the strategic, thematic or operational analyses referred to in points (a), (b) and (c) of Article 18(2) of Regulation (EU) 2016/794. Any processing by Europol of supplementary information for the purpose of this Article shall be carried out in accordance with that Regulation.

4.Europol's use of information obtained from a search in SIS II or from the processing of supplementary information shall be subject to the consent of the issuing Member State. If the Member State allows the use of such information, its handling by Europol shall be governed by Regulation (EU) 2016/794. Europol shall only communicate such information to third countries and third bodies with the consent of the issuing Member State and in full compliance with Union law on data protection.

5.Europol shall:

(a)without prejudice to paragraphs 4 and 6, not connect parts of SIS II nor transfer the data contained in it to which it has access to any system for data collection and processing operated by or at Europol, nor download or otherwise copy any part of SIS II;

(b)notwithstanding Article 31(1) of Regulation (EU) 2016/794, delete supplementary information containing personal data at the latest one year after the related alert has been deleted. By way of derogation, where Europol has information in its databases or operational analysis projects on a case to which the supplementary information is related, in order for Europol to perform its tasks, Europol may exceptionally continue to store the supplementary information when necessary. Europol shall inform the issuing and the executing Member State of the continued storage of such supplementary information and present a justification for it;

(c)limit access to data in SIS II, including supplementary information, to specifically authorised staff of Europol who require access to such data for the performance of their tasks;

(d)adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13;

(e)ensure that its staff who are authorised to process SIS II data receive appropriate training and information in accordance with Article 14; and

(f)without prejudice to Regulation (EU) 2016/794, allow the European Data Protection Supervisor to monitor and review the activities of Europol in the exercise of its right to access and search data in SIS II and in the exchange and processing of supplementary information.

6.Europol shall only copy data from SIS II for technical purposes where such copying is necessary in order for duly authorised Europol staff to carry out a direct search. This Regulation shall apply to such copies. The technical copy shall only be used for the purpose of storing SIS II data whilst those data are searched. Once the data have been searched they shall be deleted. Such uses shall not be considered to be unlawful downloading or copying of SIS II data. Europol shall not copy alert data or additional data issued by Member States or from CS-SIS II into other Europol systems.

7.For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, Europol shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12. Such logs and documentation shall not be considered to be unlawful downloading or copying of part of SIS II.

8.Member States shall inform Europol through the exchange of supplementary information of any hit on alerts related to terrorist offences. Member States may exceptionally not inform Europol if doing so would jeopardise current investigations, the safety of an individual or be contrary to essential interests of the security of the issuing Member State.

9.Paragraph 8 shall apply from the date that Europol is able to receive supplementary information in accordance with paragraph 1.

Article 27bAccess to data in SIS II by the European Border and Coast Guard teams, teams of staff involved in return-related tasks, and members of the migration management support teams

1.In accordance with Article 40(8) of Regulation (EU) 2016/1624 of the European Parliament and of the Council(2), the members of the teams referred to in points (8) and (9) of Article 2 of that Regulation shall, within their mandate and provided that they are authorised to carry out checks in accordance with Article 27(1) of this Regulation and have received the required training in accordance with Article 14 of this Regulation, have the right to access and search data in SIS II insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS II shall not be extended to any other team members.

2.Members of the teams referred to in paragraph 1 shall exercise the right to access and search data in SIS II in accordance with paragraph 1 through a technical interface. The technical interface shall be set up and maintained by the European Border and Coast Guard Agency and shall allow direct connection to Central SIS II.

3.Where a search by a member of the teams referred to in paragraph 1 of this Article reveals the existence of an alert in SIS II, the issuing Member State shall be informed thereof. In accordance with Article 40 of Regulation (EU) 2016/1624, members of the teams shall only act in response to an alert in SIS II under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating. The host Member State may authorise members of the teams to act on its behalf.

4.For the purpose of verifying the lawfulness of data processing, self-monitoring and ensuring proper data security and integrity, the European Border and Coast Guard Agency shall keep logs of every access to and search in SIS II in accordance with the provisions of Article 12.

5.The European Border and Coast Guard Agency shall adopt and apply measures to ensure security, confidentiality and self-monitoring in accordance with Articles 10, 11 and 13 and shall ensure that the teams referred to in paragraph 1 of this Article apply those measures.

6.Nothing in this Article shall be interpreted as affecting the provisions of Regulation (EU) 2016/1624 concerning data protection or the European Border and Coast Guard Agency's liability for any unauthorised or incorrect processing of data by it.

7.Without prejudice to paragraph 2, no parts of SIS II shall be connected to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS II to which those teams have access be transferred to such a system. No part of SIS II shall be downloaded or copied. The logging of access and searches shall not be considered to be unlawful downloading or copying of SIS II data.

8.The European Border and Coast Guard Agency shall allow the European Data Protection Supervisor to monitor and review the activities of the teams referred to in this Article in the exercise of their right to access and search data in SIS II. This shall be without prejudice to the further provisions of Regulation (EU) 2018/1725 of the European Parliament and of the Council(3).’.