CHAPTER III RESPONSIBILITIES OF eu-LISA
Article 15 Operational management
1. eu-LISA shall be responsible for the operational management of Central SIS. eu-LISA shall, in cooperation with the Member States, ensure that at all times the best available technology is used for Central SIS, subject to a cost-benefit analysis.
2. eu-LISA shall also be responsible for the following tasks relating to the Communication Infrastructure:
(a) supervision;
(b) security;
(c) the coordination of relations between the Member States and the provider;
(d) tasks relating to implementation of the budget;
(e) acquisition and renewal; and
(f) contractual matters.
3. eu-LISA shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:
(a) the coordination, management and support of testing activities;
(b) the maintenance and updating of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the Communication Infrastructure; and
(c) managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.
4. eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data in CS-SIS. It shall provide regular reports to the Member States in this regard.
eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.
The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.
5. eu-LISA shall also perform tasks related to providing training on the technical use of SIS and on measures for improving the quality of SIS data.
6. The operational management of Central SIS shall consist of all the tasks necessary to keep Central SIS functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary for the smooth running of the system. Those tasks shall also include the coordination, management and support of testing activities for Central SIS and the N.SIS that ensure that Central SIS and the N.SIS operate in accordance with the requirements for technical and functional compliance set out in Article 9.
7. The Commission shall adopt implementing acts to set out the technical requirements for the Communication Infrastructure. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2).
Article 16 Security – eu-LISA
1. eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
(b) deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);
(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
(e) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);
(f) prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);
(g) ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identifiers and confidential access modes only (data access control);
(h) create profiles describing the functions and responsibilities of persons who are authorised to access the data or the data processing facilities and make those profiles available to the European Data Protection Supervisor without delay upon its request (personnel profiles);
(i) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);
(j) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom (input control);
(k) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);
(l) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);
(m) ensure that, in the event of interrupted operations, installed systems can be restored to normal operation (recovery);
(n) ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity); and
(o) ensure the security of its technical sites.
2. eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards security in respect of the processing and exchange of supplementary information through the Communication Infrastructure.
Article 17 Confidentiality – eu-LISA
1. Without prejudice to Article 17 of the Staff Regulations, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of a comparable standard to those laid down in Article 11 of this Regulation to all its staff required to work with SIS data. That obligation shall also apply after those persons leave office or employment or after the termination of their activities.
2. eu-LISA shall take measures equivalent to those referred to in paragraph 1 as regards confidentiality in respect of the exchange of supplementary information through the Communication Infrastructure.
3. Where eu-LISA cooperates with external contractors in any SIS-related tasks, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular on security, confidentiality and data protection.
4. The operational management of CS-SIS shall not be entrusted to private companies or private organisations.
Article 18 Keeping of logs at central level
1. eu-LISA shall ensure that every access to and all exchanges of personal data within CS-SIS are logged for the purposes stated in Article 12(1).
2. The logs shall show, in particular, the history of the alert, the date and time of the data processing activity, the data used to perform a search, a reference to the data processed and the individual and unique user identifiers of the competent authority processing the data.
3. By way of derogation from paragraph 2 of this Article, if the search is carried out with dactyloscopic data or facial images in accordance with Article 33, the logs shall show the type of data used to perform the search instead of the actual data.
4. The logs shall only be used for the purposes referred to in paragraph 1 and shall be deleted three years after their creation. The logs which include the history of alerts shall be deleted three years after deletion of the alerts.
5. Logs may be kept longer than the periods referred to in paragraph 4 if they are required for monitoring procedures that are already underway.
6. For the purposes of self-monitoring and ensuring the proper functioning of CS-SIS, data integrity and security, eu-LISA shall have access to the logs within the limits of its competence.
The European Data Protection Supervisor shall have access to those logs on request, within the limits of its competence and for the purpose of fulfilling its tasks.
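The following is an added illustration, not part of the Regulation or of any eu-LISA system: it models a central log record with the fields Article 18(2) requires, applies the Article 18(3) derogation for dactyloscopic and facial-image searches (record the data type, never the biometric sample), and evaluates the Article 18(4) retention periods together with the Article 18(5) extension for monitoring procedures already underway. Field names, the three-year period modelled as 3 × 365 days, and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Search categories covered by the Article 18(3) derogation (assumed labels):
# for these the log carries only the type of data, never the actual sample.
BIOMETRIC_TYPES = {"dactyloscopic", "facial_image"}
# "Three years" per Article 18(4); modelled here as 3 * 365 days (assumption).
RETENTION = timedelta(days=3 * 365)


@dataclass
class LogEntry:
    created_at: datetime                 # date and time of the processing activity
    user_id: str                         # individual and unique user identifier
    authority: str                       # competent authority processing the data
    search_data: str                     # data used to perform the search, or its type
    data_reference: str                  # reference to the data processed (e.g. an alert id)
    alert_history: bool = False          # entry forms part of an alert's history
    alert_deleted_at: Optional[datetime] = None  # set when the underlying alert is deleted


def make_log_entry(now, user_id, authority, search_type, search_value,
                   data_reference, alert_history=False):
    """Build an Article 18(2) record, applying the 18(3) biometric derogation."""
    if search_type in BIOMETRIC_TYPES:
        recorded = f"<{search_type}>"    # type only; the sample itself is not logged
    else:
        recorded = search_value          # e.g. an alphanumeric search term
    return LogEntry(now, user_id, authority, recorded, data_reference, alert_history)


def retention_expired(entry, now, monitoring_underway=False):
    """Article 18(4)/(5): True when the entry is due for deletion at `now`."""
    if monitoring_underway:
        return False                     # 18(5): kept while monitoring is underway
    if entry.alert_history:
        if entry.alert_deleted_at is None:
            return False                 # clock starts only once the alert is deleted
        return now >= entry.alert_deleted_at + RETENTION
    return now >= entry.created_at + RETENTION


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    e = make_log_entry(t0, "user-0001", "ExampleAuthority", "facial_image",
                       "<constructed-image-bytes>", "alert-123")
    print(e.search_data)                              # <facial_image>
    print(retention_expired(e, t0 + timedelta(days=3 * 365)))  # True
```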