Legal provisions of COM(2013)97 - Registered Traveller Programme - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2013)97 - Registered Traveller Programme. |
---|---|
document | COM(2013)97 |
date | February 28, 2013 |
Contents
- CHAPTER I - General provisions
- Article 1 - Subject matter
- Article 2 - Set-up of the RTP
- Article 3 - Definitions
- Chapter II - Procedures and conditions for lodging an application for access to the RTP
- Article 4 - Authorities and Member States competent for examining and deciding on an application for access to the RTP
- Article 5 - Lodging an application
- Article 6 - Application form
- Article 7 - Travel document
- Article 8 - Biometric data
- Article 9 - Supporting documents
- Article 10 - Fee
- CHAPTER III - Examination of and decision on applications
- Article 11 - Admissibility
- Article 12 - Examination of an application
- Article 13 - Decision on the application
- CHAPTER IV - Granting, extending, refusing and revoking access to the RTP
- Article 14 - Grant and extension of access to the RTP
- Article 15 - Refusal of access to the RTP
- Article 16 - Revocation
- CHAPTER V - Administrative management and organisation
- Article 17 - Administration
- Article 18 - Resources for examining applications, issuing tokens, monitoring and statistics
- Article 19 - Conduct of staff
- Article 20 - Information to the general public
- CHAPTER VI - Technical architecture of the token-Central Repository, categories of data and entry of data by the competent authorities
- Article 21 - Technical architecture of the token-Central Repository
- Article 22 - Categories of data in the token-Central Repository
- Article 23 - Entering, amending, deleting, consulting and searching data
- Article 24 - Procedures for entering data from the application
- Article 25 - Data to be entered upon lodging of an application for access to the RTP
- Article 26 - Data to be added in the Central Repository when granting or withdrawing access to the RTP
- Article 27 - Data to be entered in the token when granting access to the RTP
- Article 28 - Data to be added in the Central Repository when refusing access to the RTP
- Article 29 - Data to be added in the Central Repository when revoking access to the RTP
- Article 30 - Data to be added in the Central Repository when extending access to the RTP
- CHAPTER VII - Use of data
- Article 31 - Use of data for examining applications, lost or stolen token or problems occur with facilitating registered travellers' border crossings
- Article 32 - Use of data at external border crossing points for border checks
- Article 33 - Use of data for reporting and statistics
- CHAPTER VIII - Retention period, amendment of data and lost or stolen token
- Article 34 - Retention period for data storage
- Article 35 - Amendment of data and advance data deletion
- Article 36 - Lost or stolen token
- CHAPTER IX - Development, operation and responsibilities
- Article 37 - Adoption of implementation measures by the Commission
- Article 38 - Development and operational management
- Article 39 - National responsibilities
- Article 40 - Responsibility for the use of data
- Article 41 - Keeping of data in national files
- Article 42 - Communication of data to third countries or international organisations
- Article 43 - Data security
- Article 44 - Liability
- Article 45 - Keeping of records
- Article 46 - Self-monitoring
- Article 47 - Penalties
- CHAPTER X - Rights of the data subject and supervision
- Article 48 - Right of information
- Article 49 - Right of access, correction and deletion
- Article 50 - Cooperation to ensure the rights on data protection
- Article 51 - Remedies
- Article 52 - Supervision by the National Supervisory Authority
- Article 53 - Supervision by the European Data Protection Supervisor
- Article 54 - Cooperation between supervisory authorities and the European Data Protection Supervisor
- CHAPTER XI - Final Provisions
- Article 55 - Start of transmission
- Article 56 - Start of operations
- Article 57 - Committee procedure
- Article 58 - Amendments to the annexes
- Article 59 - Exercise of delegation
- Article 60 - Notification
- Article 61 - Advisory group
- Article 62 - Training
- Article 63 - Monitoring and evaluation
- Article 64 - Entry into force and applicability
CHAPTER I - General provisions
Article 1 - Subject matter
Article 2 - Set-up of the RTP
2. The technical architecture of the token-Central Repository is further determined in Article 21.
3. The Agency for the operational management of large-scale information systems in the area of freedom, security and justice (hereinafter the Agency) is hereby entrusted with the tasks of development and operational management of the Central Repository, the Uniform Interface in each Member State, the Network Entry Points and the Communication Infrastructure between the Central Repository and the Network Entry Points. The Agency shall also be responsible for the definition of technical specifications for a token.
Article 3 - Definitions
(1) Registered Traveller Programme (RTP) means a programme which allows third-country nationals who have been pre-vetted and granted access to the RTP to benefit from facilitation of border checks at the Union external border;
(2) Registered traveller means a third-country national who has been granted access to the RTP in accordance with this Regulation;
(3) Agency means the European Аgency for the operational management of large-scale IT systems in the area of freedom, security and justice established by Regulation (EU) No 1077/2011;
(4) Central Repository means the centrally located physical storage of the RTP data;
(5) token means a device used to store a unique identifier given to a registered traveller. The unique identifier links the traveller and his/her data entered in the Central Repository;
(6) operational management means all the tasks necessary to keep large-scale IT systems functioning, including responsibility for the communication infrastructure used by them;
(7) development means all the tasks necessary to create a large-scale IT system, including the communication infrastructure used by it;
(8) competent authorities means visa and border authorities within the meaning of Article 4(3) of Regulation (EC) No 767/2008 of the European Parliament and of the Council and authorities assigned, in accordance with national law to carry out checks on persons at the external border crossing points in accordance with Regulation (EC) No 562/2006 of the European Parliament and of the Council;
(9) 'third‑country national' or third-country traveller means any person who is not a citizen of the Union within the meaning of Article 20 of the Treaty or a citizen of a third country who under agreements between the Union and its Member States, on the one hand, and those third countries, on the other hand, enjoy rights of free movement equivalent to those of Union citizens;
(10) application form means a uniform application form for access to the RTP as set out in Annex 1;
(11) biometric data means fingerprints;
(12) travel document means a passport or other equivalent document entitling the holder to cross the external borders and to which a visa may be affixed;
(13) verification means the process of comparison of sets of data to establish the validity of a claimed identity (one-to-one check);
(14) alphanumeric data means data represented by letters, digits, special characters, space and punctuation marks;
(15) National System means the hardware, software and national communication infrastructure to connect the end user devices of the competent authorities as defined in Article 23(2) with the Network Entry Points in each Member State.
(16) token-Central Repository means a system for the storage of data on registered travellers consisting of a Central Repository and a token;
(17) Member State responsible means the Member State which has entered the data in the Central Repository;
(18) common application centre means a centre as referred to in Article 41(2) of Regulation (EC) No 810/2009 of the European Parliament and of the Council;
(19) 'supervisory authority" means the supervisory authority established in accordance with Article 28 of Directive 95/46/EC.
Chapter II - Procedures and conditions for lodging an application for access to the RTP
Article 4 - Authorities and Member States competent for examining and deciding on an application for access to the RTP
Article 5 - Lodging an application
2. Applicants may be required to obtain an appointment for the lodging of an application. The appointment shall, as a general rule, take place within a period of two weeks from the date when the appointment was requested.
3. Where an applicant is applying for access to the RTP for the first time, he/she shall be required to appear in person, in order to provide his/her fingerprints, for interview and for the travel document to be checked.
4. Where an applicant submits an on-line application or falls within the scope of paragraph 5, the biometric data shall be collected, the travel document checked and an interview carried out, if applicable, when the decision on the application is made and the token is issued.
5. Without prejudice to Article 8, the competent authorities may waive the requirement referred to in paragraph 3 if the applicant is the holder of a residence permit or a residence card or if the applicant is known to them for his/her integrity and reliability.
6. When lodging the application, the applicant shall:
(a) be at least 12 years old;
(b) present an application form in accordance with Article 6;
(c) present a travel document in accordance with Article 7;
(d) allow collection of his/her fingerprints in accordance with Article 8;
(e) provide supporting documents in accordance with Article 9 and Annex II, if applicable;
(f) pay the fee in accordance with Article 10.
7. The applicant may withdraw his/her application at any time before a decision has been taken on the application.
Article 6 - Application form
2. Member States shall make the application form widely available and easily accessible to applicants free of charge.
3. The application form shall be available in at least the following languages: official language(s) of the Member State in question, the official language(s) of the third country or countries where the application may be lodged and the official language(s) of neighbouring third countries, where applicable.
4. Member States shall inform applicants of the language(s) which may be used when filling in the application form.
Article 7 - Travel document
Article 8 - Biometric data
2. If it is not possible to collect four fingerprints the maximum number of fingerprints shall be collected. Member States shall ensure that appropriate procedures guaranteeing the dignity of the applicant are in place should difficulties be encountered with collecting fingerprints.
3. Where fingerprints collected from the applicant as part of an earlier application were entered in the Central Repository for the first time less than 59 months before the date of the new application, they may be copied to the subsequent application.
However, where there is reasonable doubt regarding the identity of the applicant or it cannot be immediately confirmed that the fingerprints were collected within the period specified in the first subparagraph, the competent authorities shall collect fingerprints from the applicant.
4. The specifications for the resolution and use of fingerprints for biometric verification in the RTP shall be decided by the Commission in accordance with Article 37.
5. The fingerprints shall be collected by qualified and duly authorised staff of the competent authorities.
6. The fingerprints shall not be linked with the alphanumeric data and they shall be entered in separate sections in the Central Repository.
Article 9 - Supporting documents
(a) documents indicating the purposes of the journeys;
(b) proof of sufficient means of subsistence in relation to the travel and accommodation for the next two trips;
(c) documents establishing his/her occupational or family status, such as business person, civil servant engaged in regular official contacts with Member States and the Union institutions, representative of civil society organisations, person travelling for the purpose of educational training, seminars and conferences, person participating in economic activities, family member of a citizen of the Union, family member of a third-country nationals legally residing in a Member State.
2. Where the applicant is a family member of a citizen of the Union enjoying the right to free movement, the applicant shall only be required to present a residence card issued by a Member State, where applicable, and evidence of his/her identity, nationality and family ties with a Union citizen to whom Directive 2004/38/EC applies.
3. Where a third-country national lodges an application for a multiple-entry visa and an application for access to the RTP at the same time and in the same place, only one set of supporting documents shall be required.
4. If a multiple-entry visa holder lodges an application for a RTP at the same place where a multiple-entry visa was issued but does not do so at the same time, the supporting documents provided for the multiple-entry visa application may be used in the assessment of the RTP application. If there is any doubt whether the supporting documents provided earlier are up to date, a Member State may request new supporting documents within a period of ten working days.
A non-exhaustive list of supporting documents which competent authorities may request from the applicant is set out in Annex II.
5. Member States may require applicants to present proof of sponsorship and/or private accommodation by completing a form drawn up by the Member State concerned. Such proof may be requested for the next two trips as a maximum. That form shall indicate in particular:
(a) the validity period of sponsorship and/or of accommodation;
(b) whether its purpose is proof of sponsorship and/or of accommodation;
(c) whether the host is an individual person, a company or an organisation;
(d) the host's identity and contact details;
(e) the invited applicant(s);
(f) the address of the accommodation;
(g) possible family ties with the host.
In addition to the Member State's official language(s) the form shall be drawn up in at least one other official language of the institutions of the European Union. The form shall provide the person signing such a form with the information specified in Article 48(1). A specimen of the form shall be notified to the Commission.
6. The competent authorities may waive one or more of the requirements laid down in paragraph 1 if the applicant holds a residence permit or if the applicant is known to them for his/her integrity and reliability.
Article 10 - Fee
2. The fee shall be revised regularly in order to reflect the administrative costs. The Commission shall be empowered to adopt delegated acts concerning the adjustment of the fee in accordance with Article 59.
3. The fee shall be charged in euro, in the national currency of the third country or in the currency usually used in the third country where the application is lodged and shall not be refundable regardless of the outcome of the application or if an application is withdrawn.
4. When charged in a currency other than euro, the amount of the fee charged in that currency shall be determined and regularly reviewed in application of the euro foreign exchange reference rate established by the European Central Bank. The amount charged may be rounded up.
5. The applicant shall be given a printed or electronic receipt for the fee paid.
CHAPTER III - Examination of and decision on applications
Article 11 - Admissibility
– the applicant is at least 12 years old;
– the application contains the items referred to in Article 5(6)(b), (c) and (e);
– the biometric data of the applicant have been collected;
– the fee has been collected.
2. Where the competent authorities find that the conditions referred to in paragraph 1 have been fulfilled, the application shall be admissible and the competent authorities shall:
– follow the procedures described in Article 24;
– further examine the application.
3. Where the competent authorities find that the conditions referred to in paragraph 1 have not been fulfilled, the application shall be inadmissible and the competent authorities shall not examine the application and without delay:
– return the application form and any documents submitted by the applicant;
– destroy the collected biometric data.
Article 12 - Examination of an application
2. In the examination of an application, the competent authority shall verify:
(a) that the applicant fulfils the entry conditions set out in Article 5(1) of Regulation (EU) No 562/2006;
(b) that the applicant's travel document, visa, residence permit or residence card presented, as applicable, are valid and not false, counterfeited or forged;
(c) that the applicant proves the need for or justifies the intention to travel frequently and/or regularly;
(d) that the applicant has not previously exceeded the maximum duration of authorised stay in the territory of the Member States and that he/she proves his/her integrity and reliability, in particular a genuine intention to leave the territory in due time;
(e) the applicant's justification of the purpose and conditions of the intended stays;
(f) that the applicant proves his/her financial situation in the country of origin or residence and possesses sufficient means of subsistence both for the duration of the intended stay(s) and for the return to his/her country of origin or residence, or that he/he is in a position to acquire such means lawfully;
(g) that the applicant is not a person for whom an alert has been issued in the Schengen Information System (SIS);
(h) that the applicant is not considered to be a threat to public policy, internal security, public health or the international relations of any of the Member States, in particular where no alert has been issued in Member States’ national databases for the purpose of refusing entry on the same grounds;
(i) whether the applicant's access to the RTP has previously been granted, extended, refused or revoked.
When verifying that the applicant fulfils the entry conditions set out in Article 5(1) of Regulation No 562/2006, particular consideration shall be given to assessing whether the applicant presents a risk of illegal immigration or a risk to the security of the Member States and whether the applicant intends to leave the territory of the Member States within the authorised stay.
3. The means of subsistence for the intended stays shall be assessed according to the duration(s) and the purpose(s) of the stay(s) and by reference to average prices in the Member State(s) concerned for board and lodging in budget accommodation, on the basis of the reference amounts set by the Member States in accordance with Article 34 of the Schengen Borders Code. A proof of sponsorship and/or private accommodation may also constitute evidence of sufficient means of subsistence.
4. The examination of an application shall be based in particular on the authenticity and reliability of the documents submitted and on the veracity and reliability of the statements made by the applicant. If a Member State responsible for examining an application has any doubts on the applicant, his/her statements or supporting documents that have been provided, it may consult other Member States before any decision on the application is taken.
5. During the examination of an application, the competent authorities may, in justified cases, request additional documents as laid down in Article 9.
6. A previous refusal of access to the RTP shall not lead to an automatic refusal of a new application. A new application shall be assessed on the basis of all available information.
7. The criteria used for the examination of applications lodged by family members of citizens of the Union shall be the same as those used for the examination of their visa applications.
Article 13 - Decision on the application
2. Unless the application has been found inadmissible or has been withdrawn by the applicant, a decision shall be taken to:
(a) grant access to the RTP, in accordance with Article 14, or
(b) refuse access to the RTP, in accordance with Article 15.
CHAPTER IV - Granting, extending, refusing and revoking access to the RTP
Article 14 - Grant and extension of access to the RTP
2. Access to the RTP shall be granted without further procedural requirements, subject to fulfilment of the substantive requirements set out in this Regulation, to persons holding or being issued a multiple-entry visa or D-visa valid for at least one year, persons holding a residence permit and family members of citizens of the Union.
3. The data set out in Article 26 shall be entered into the Central Repository when a decision granting access to the RTP has been taken.
4. The data set out in Article 27 shall be entered into the token when a decision granting access to the RTP has been taken.
5. The data set out in Article 30 shall be entered into the Central Repository when a decision extending access to the RTP has been taken.
Article 15 - Refusal of access to the RTP
(a) presents a travel document which is not valid or it is false, counterfeited or forged;
(b) does not have a valid residence permit, residence card or a visa, if required pursuant to Council Regulation (EC) No 539/2001 and does not fulfil the requirements to be issued therewith;
(c) does not prove the need or justify the intention to travel frequently and/or regularly;
(d) has previously exceeded the maximum duration of authorised stay in the territory of the Member States and he/she does not prove his/her integrity and reliability, in particular his/her genuine intention to leave the territory in due time;
(e) does not provide justification of the purpose and conditions of the intended stays;
(f) does not prove his/her financial situation in the country of origin or residence and does not possess sufficient means of subsistence both for the duration of the intended stay(s) and for the return to his/her country of origin or residence, or he/she is not in a position to acquire such means lawfully;
(g) is a person for whom an alert has been issued in the SIS;
(h) is considered to be a threat to public policy, internal security, public health or the international relations of any of the Member States, in particular where an alert has been issued in Member States’ national databases for the purpose of refusing entry on the same grounds;
or
(i) if there are reasonable doubts as to the authenticity of the supporting documents submitted by the applicant or the veracity of their contents or the reliability of the statements made by the applicant.
2. A decision on refusal and the reasons on which it is based shall be notified to the applicant by means of the standard form set out in Annex IV.
3. Without prejudice to the right to judicial review, in accordance with the procedural law of the Member State that has taken the final decision on the application, the applicant whose access has been refused to the RTP shall have the right to review of the refusal for challenging or correcting potential errors in accordance with the Right to effective remedy. Appeals shall be conducted against the Member State that has taken the decision on the application and in accordance with the national law of that Member State. Member States shall provide applicants with information regarding the procedure to be followed in case of review, as specified in Annex IV.
4. Where an application for access to the RTP is refused, data shall be added to the Central Repository in accordance with Article 28.
Article 16 - Revocation
(a) when it becomes evident that the conditions for granting access to the RTP were not met;
(b) when it becomes evident that the conditions for granting access to the RTP are no longer met;
(c) at the request of the registered traveller.
2. Access may be revoked by the competent authorities of any Member State at any time pursuant to paragraph 1.
3. If authorities other than competent authorities have evidence to suggest that access to the RTP should be revoked pursuant to paragraph 1, they shall inform the competent authorities without delay.
4. A decision on revocation of access to the RTP and the reasons on which it is based shall be notified to the registered traveller by means of the standard form set out in Annex IV.
5. Without prejudice to the right to judicial review, in accordance with the procedural law of the Member State that has revoked access to the RTP, a registered traveller whose access to the RTP has been revoked shall have the right to review of the revocation for challenging or correcting potential errors in accordance with the Right to effective remedy unless the access has been revoked at the request of the registered traveller in accordance with paragraph 1(c). Appeals shall be conducted against the Member State that has taken the decision on the revocation and in accordance with the national law of that Member State. Member States shall provide applicants with information regarding the procedure to be followed in case of review, as specified in Annex IV.
6. Where the access to the RTP is revoked, data shall be added to the Central Repository in accordance with Article 29.
7. Where the revocation of access was requested by the registered traveller, the registered traveller shall have the right to ask for immediate deletion of his/her data. Member States shall inform the registered traveller about this right.
CHAPTER V - Administrative management and organisation
Article 17 - Administration
2. Individual application files shall be kept as long as access is granted to the RTP.
3. Where access to the RTP is refused or revoked, the application files shall be kept for a maximum of two years. That period shall start on the date of the decision of the competent authority to refuse or revoke access. Applications withdrawn by the applicants shall be deleted without delay. Member States may store the application files including supporting documents in an electronic form.
Article 18 - Resources for examining applications, issuing tokens, monitoring and statistics
2. Member States shall deploy appropriate staff in sufficient numbers to carry out the tasks relating to the examination of applications, in such a way as to ensure reasonable and harmonised quality of service to the public.
3. The competent authorities shall provide adequate training to their staff and shall be responsible for providing them with complete, precise and updated information on the relevant Union and national law.
4. The competent authorities shall ensure frequent and adequate monitoring of the conduct of examination of applications, issuing tokens and take corrective measures when deviations from provisions and procedures of this Regulation are detected.
5. Member States shall compile annual statistics on the RTP, in accordance with the table set out in Annex V. These statistics shall be submitted to the Agency by 1 March of each year. The Agency shall publish them.
Article 19 - Conduct of staff
2. The competent authorities shall, in the performance of their duties, respect human dignity. Any measures taken shall be proportionate to the objectives pursued by such measures.
3. While performing their tasks, the competent authorites shall not discriminate against applicants or registered travellers on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.
Article 20 - Information to the general public
(a) the criteria, conditions and procedures for applying;
(b) the time limits for examining applications;
(c) the fee;
(d) where applications may be submitted.
CHAPTER VI - Technical architecture of the token-Central Repository, categories of data and entry of data by the competent authorities
Article 21 - Technical architecture of the token-Central Repository
(a) a Central Repository comprising a Principal repository and a Back-up repository, capable of ensuring all the functionalities of the Principal repository in the event of failure of the latter;
(b) a Uniform Interface in each Member State based on common technical specifications and identical for all Member States;
(c) the Network Entry Points which are part of the Uniform Interface and are the national points of access connecting the National System as defined in Article 3(15) of each Member State to the Central Repository;
(d) a Communication Infrastructure between the Central Repository and the Network Entry Points; and
(e) a token based on common technical standards.
Article 22 - Categories of data in the token-Central Repository
(a) alphanumeric data on the applicant and on access granted, refused, revoked or extended referred to in Article 25(1) to (4), Article 26 and Articles 28, 29 and 30;
(b) biometric data referred to in Article 25(5).
The alphanumeric data and the biometric data shall be recorded in separate sections in the Central Repository.
2. Only the unique identifier number shall be recorded in the token referred to in Article 27.
Article 23 - Entering, amending, deleting, consulting and searching data
2. Each Member State shall designate the competent authorities, the duly authorised staff of which shall have access to enter, amend, delete, consult or search the data recorded in the Central Repository or in the token. Each Member State shall without delay communicate to the Agency a list of those authorities, including those referred to in Article 52(4), and any amendments thereto.
3. Within 4 months after this Regulation enters into force, the Agency shall publish a consolidated list of authorities referred to in paragraph 2 in the Official Journal of the European Union. Where there are amendments thereto, the Agency shall publish an updated consolidated list once a year.
Article 24 - Procedures for entering data from the application
2. Where specific data are not required to be provided for legal reasons, the specific data field(s) shall be marked as ‘not applicable’.
Article 25 - Data to be entered upon lodging of an application for access to the RTP
(1) the unique application number;
(2) status information, indicating that access to the RTP has been requested;
(3) the authority with which the application has been lodged, including its location;
(4) the following data to be taken from the application form:
(a) surname (family name); first name(s) (given names);
(b) surname at birth (earlier family name(s)), country of birth, nationality(ies); and sex;
(c) date of birth, place of birth;
(d) type and number of the travel document(s), the authority which issued it and the date of issue and of expiry;
(e) place and date of the application;
(f) if applicable, pursuant to Article 9(5), details of the person liable to pay the applicant's subsistence costs during the stay, being:
(i) in the case of a natural person, the surname and first name, address of the person and telephone number;
(ii) in the case of a company or other organisation, the name and address of the company/other organisation, surname and first name of the contact person in that company/organisation and telephone number;
(g) main purposes of the journeys;
(h) the applicant's home address and telephone number;
(i) if applicable, the visa sticker number;
(j) if applicable, the residence permit or residence card number;
(k) current occupation and employer; for students: name of educational establishment;
(l) in the case of minors, surname and first name(s) of the applicant's parental authority or legal guardian.
(5) fingerprints, in accordance with Article 8.
Article 26 - Data to be added in the Central Repository when granting or withdrawing access to the RTP
(a) status information indicating that access to the RTP has been granted;
(b) the authority that granted access, including its location;
(c) the place and date of the decision taken to grant access to the RTP;
(d) the commencement and expiry dates of the validity of the access.
2. Where an application is withdrawn by the applicant before a decision has been taken whether to grant access to the RTP, the competent authority shall indicate that the application has been closed for this reason, the date when the application was closed and delete the data from the application file.
Article 27 - Data to be entered in the token when granting access to the RTP
2. The token shall be given to the applicant.
Article 28 - Data to be added in the Central Repository when refusing access to the RTP
(a) status information indicating that access to the RTP has been refused;
(b) the authority that refused access to the RTP, including its location;
(c) place and date of the decision to refuse access to the RTP.
2. The application file shall also indicate the ground(s) on which access to the RTP was refused, which shall be one or more of the reasons listed in Article 15(1).
Article 29 - Data to be added in the Central Repository when revoking access to the RTP
(a) status information indicating that access to the RTP has been revoked;
(b) authority that revoked access, including its location;
(c) place and date of the decision to revoke access to the RTP.
2. The application file shall indicate the ground(s) for revocation of access to the RTP, which shall be one or more of the reasons listed in Article 16(1).
Article 30 - Data to be added in the Central Repository when extending access to the RTP
(a) status information indicating that access to the RTP has been extended;
(b) authority that extended access, including its location;
(c) place and date of the decision;
(d) the commencement and expiry dates of the extended period.
CHAPTER VII - Use of data
Article 31 - Use of data for examining applications, lost or stolen token or problems occur with facilitating registered travellers' border crossings
2. For the purposes referred to in paragraph 1, the competent authority shall search with one or several of the following data:
(a) the unique application number;
(b) the data referred to in Article 25(4)(a), (b) and (c);
(c) the data on the travel document, referred to in Article 25(4)(d);
(d) the visa sticker, residence permit or residence card number, if applicable.
3. If the search with one or several of the data listed in paragraph 2 indicates that data on the applicant is recorded in the Central Repository, the competent authority shall be given access to the application file but not to the separate section containing biometric data.
4. The competent authority shall search the separate section of the Central Repository with biometric data for extending access to the RTP and if any problems occur with facilitating registered travellers' border crossing only if the token and fingerprints are presented by the registered traveller at the same time. If this search indicates that data on the registered traveller is recorded in the Central Repository, the competent authority shall be given access to the application file including biometric data.
5. The competent authority shall search the separate section of the Central Repository with biometric data alone, without the token, only for the examination of applications, deciding whether to revoke access to the RTP and in case the token is lost or stolen. If this search indicates that data on the applicant is recorded in the Central Repository, the competent authority shall be given access to the application file including biometric data.
Article 32 - Use of data at external border crossing points for border checks
2. If the search with the data listed in paragraph 1 indicates that data on the registered traveller is recorded in the Central Repository, the competent authority shall be given a hit/no hit information.
3. Where a manual border check is carried out, without prejudice to paragraph 1, verification of the identity of a registered traveller may be done manually by checking the travel document visually.
Article 33 - Use of data for reporting and statistics
(1) status information;
(2) current nationality of the applicant;
(3) date and place of the application;
(4) the types(s) and ground(s) of the decision concerning access to the RTP;
(5) the type and issuing country of the travel document(s);
(6) the competent authority, including its location, where a decision has been taken granting, refusing, revoking or extending access to the RTP and the date of the decision;
(7) purposes of journeys;
(8) lost or stolen tokens.
CHAPTER VIII - Retention period, amendment of data and lost or stolen token
Article 34 - Retention period for data storage
That period shall start:
(a) on the date of expiry date of granted or extended access to the RTP;
(b) on the date of the creation of the application file in the Central Repository, if the application has been withdrawn;
(c) on the date of the decision of the competent authority if access to the RTP has been refused or revoked.
2. Upon expiry of the period referred to in paragraph 1, the Central Repository shall automatically delete the individual application file.
3. The registered traveller may keep the token.
Article 35 - Amendment of data and advance data deletion
2. If the Member State responsible has evidence that data processed in the Central Repository are inaccurate or that data were processed in the Central Repository contrary to this Regulation, it shall check the data concerned and, if necessary, correct or delete them without delay. This may also be done at the request of the registered traveller.
3. If a Member State other than the Member State responsible has evidence that data processed in the Central Repository are inaccurate or that data were processed in the Central Repository contrary to this Regulation, it shall inform the Member State responsible without delay. The Member State responsible shall check the data concerned and, if necessary, correct or delete them without delay.
4. Where, prior to expiry of the period referred to in Article 34(1) an applicant has acquired the nationality of a Member State, the application files shall be deleted without delay from the Central Repository by the competent authority of the Member State of which the nationality has been acquired.
5. If the refusal of access to the RTP has been annulled by a court or an appeal board, the Member State which refused access to the RTP shall delete the data referred to in Article 28 without delay after the decision to cancel the refusal of access to the RTP has become final. The individual application subject to the court or appeal board decision mentioned above shall be re-examined by the competent authority taking into account the opinion of the court or the appeal board.
Article 36 - Lost or stolen token
2. Where the loss or theft of a token is reported by a third party to the competent authorities, the competent authorities shall block the access granted to the RTP and inform the Member State which granted access. The Member State responsible shall inform the registered traveller on the lost or stolen token by phone, fax, mail or e-mail.
3. Where the loss or theft of a token is reported by the registered traveller, the Member State responsible shall verify whether access has been granted to the RTP. The Member State responsible shall, at the request of the registered traveller, issue a new token. Otherwise, the access granted shall be blocked.
4. The registered traveller shall be liable to pay the cost of a new token.
CHAPTER IX - Development, operation and responsibilities
Article 37 - Adoption of implementation measures by the Commission
(a) for the specifications for the resolution and use of fingerprints for biometric verification in the RTP in accordance with Article 8;
(b) for the design of the physical architecture of the system including its communication infrastructure;
(c) for entering the data in accordance with Article 24;
(d) for accessing the data in accordance with Article 31, 32 and 33;
(e) for keeping, amending, deleting and advance deleting of data in accordance with Articles 34 and 35;
(f) for blocking the access granted in case of lost or stolen tokens in accordance with Article 36;
(g) for keeping and accessing the records in accordance with Article 45;
(h) the performance requirements;
(i) the definition of the business requirements including lay out for a token.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 57.
Article 38 - Development and operational management
The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.
The Agency shall carry out a comprehensive test of the Central Repository together with the Member States. The Commission shall inform the European Parliament of the results of the test.
2. The Agency shall be responsible for the operational management of the Principal repository, the Back-up repository and the Uniform Interfaces. It shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used. The Agency shall also be responsible for the operational management of the Communication Infrastructure between the Central Repository and the Network Entry Points.
Operational management of the Central Repository shall consist of all the tasks necessary to keep the Central Repository functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality, in particular as regards the time required for interrogation of the Central Repository by consular posts and border crossing points, which should be as short as possible.
3. Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, the Agency shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with RTP data. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.
Article 39 - National responsibilities
(a) the development of its National System, the connection to the Central Repository and issuance of tokens;
(b) the organisation, management, operation and maintenance of its National System;
(c) the management and arrangements for access of the competent authorities to the Central Repository in accordance with this Regulation and the establishment and regular updating of a list of such staff and their profiles.
2. Each Member State shall designate a national authority, which shall provide the access of the competent authorities to the Central Repository, and connect that national authority to the Network Entry Point.
3. Each Member State shall observe automated procedures for processing the data.
4. Before being authorised to process data stored in the Central Repository, the staff of the authorities having a right to access or use the Central Repository shall receive appropriate training about data security and data protection rules.
5. Costs incurred by the National Systems as well as by hosting the National Interface shall be borne by the Union budget.
Article 40 - Responsibility for the use of data
(a) the data is collected lawfully;
(b) the data is transmitted lawfully to the Central Repository;
(c) the data is accurate and up-to-date when it is transmitted to the Central Repository.
2. The Agency shall ensure that the Central Repository is operated in accordance with this Regulation and its implementing measures referred to in Article 37. In particular, the Agency shall:
(a) take the necessary measures to ensure the security of the Central Repository and the communication infrastructure between the Central Repository and the Network Entry Points, without prejudice to the responsibilities of each Member State;
(b) ensure that only duly authorised staff have access to data processed in the Central Repository for the performance of the tasks of the Agency in accordance with this Regulation.
3. The Agency shall inform the European Parliament, the Council and the Commission of the measures it takes pursuant to paragraph 2 for the start of operations of the RTP.
Article 41 - Keeping of data in national files
2. The data shall not be kept in the national files longer than it is kept in the Central repository.
3. Any use of data which does not comply with paragraph 1 shall be considered a misuse under the national law of each Member State.
4. This Article may not be construed as requiring any technical adaptation of the Central Repository. Member States may keep data in accordance with this Article only at their own cost, risk and with their own technical means.
Article 42 - Communication of data to third countries or international organisations
Article 43 - Data security
2. Each Member State shall, in relation to its National System, adopt the necessary measures, including a security plan, in order to:
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
(b) deny unauthorised persons access to national installations in which the Member State carries out operations in accordance with the purposes of the RTP (checks at entrance to the installation);
(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
(e) prevent the unauthorised processing of data in the Central Repository and any unauthorised modification or deletion of data processed in the Central Repository (control of data entry);
(f) ensure that persons authorised to access the Central Repository have access only to the data covered by their access authorisation, by means of individual and unique user identities and confidential access modes only (data access control);
(g) ensure that all authorities with a right of access to the Central Repository create profiles describing the functions and responsibilities of persons who are authorised to enter, amend, delete, consult and search the data and make their profiles available to the supervisory authorities referred to in Article 52 without delay at their request (personnel profiles);
(h) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);
(i) ensure that it is possible to verify and establish what kind of data has been processed in the Central Repository, when, by whom and for what purpose (control of data recording);
(j) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the Central Repository or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);
(k) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing).
3. The Agency shall take the necessary measures in order to achieve the objectives mentioned in paragraph 2 as regards the operation of the Central Repository, including the adoption of a security plan.
Article 44 - Liability
2. If any failure of a Member State to comply with its obligations under this Regulation causes damage to the RTP, that Member State shall be held liable for such damage, unless and insofar as the Agency or another Member State participating in the RTP failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.
3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.
Article 45 - Keeping of records
2. Such records may be used only for the data-protection monitoring of the admissibility of data processing as well as to ensure data security. The records shall be protected by appropriate measures against unauthorised access and deleted after a period of one year after the retention period of five years referred to in Article 33(1) has been expired, if they are not required for monitoring procedures which have already begun.
Article 46 - Self-monitoring
Article 47 - Penalties
CHAPTER X - Rights of the data subject and supervision
Article 48 - Right of information
(a) the identity of the controller referred to in Article 52(4), including his/her contact details;
(b) the purposes for which the data will be processed within the RTP;
(c) the categories of recipients of the data;
(d) the data retention period;
(e) that the collection of the data is mandatory for the examination of the application;
(f) the existence of the right of access to data relating to them, and the right to request that inaccurate data relating to them be corrected or that unlawfully processed data relating to them be deleted, including the right to receive information on the procedures for exercising those rights and contact details of the supervisory authorities referred to in Article 52(1), which shall hear claims concerning the protection of personal data.
2. The information referred to in paragraph 1 shall be provided in writing to the applicant when the data from the application form and the fingerprint data as referred to in Article 25(4) and (5) are collected.
3. The information referred to in paragraph 1 shall be provided to the persons referred to in Article 25(4)(f) in the forms to be signed by those persons providing proof of invitation, sponsorship and accommodation.
In the absence of such a form signed by those persons, this information shall be provided in accordance with Article 11 of Directive 95/46/EC.
Article 49 - Right of access, correction and deletion
2. Any person may request that data relating to him/her which are inaccurate be corrected and that data recorded unlawfully be deleted. The correction and deletion shall be carried out without delay by the Member State which transmitted the data, in accordance with its laws, regulations and procedures.
3. If the request as provided for in paragraph 2 is made to a Member State, other than the Member State responsible, the authorities of the Member State to which the request has been lodged shall contact the authorities of the Member State responsible within a time limit of 14 days. The Member State responsible shall check the accuracy of the data and the lawfulness of its processing in the Central Repository within a time limit of one month.
4. If it emerges that data recorded in the Central Repository are inaccurate or have been recorded unlawfully, the Member State which transmitted the data shall correct or delete the data in accordance with Article 35(2) and (3). The Member State responsible shall confirm in writing to the person concerned without delay that it has taken action to correct or delete data relating to him.
5. If the Member State responsible does not agree that data recorded in the Central Repository is inaccurate or has been recorded unlawfully, it shall explain in writing to the person concerned without delay why it is not prepared to correct or delete data relating to him.
6. The Member State responsible shall also provide the person concerned with information explaining the steps which he/she can take if he/she does not accept the explanation provided. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the supervisory authorities referred to in Article 52 that is available in accordance with the laws, regulations and procedures of that Member State.
Article 50 - Cooperation to ensure the rights on data protection
2. In each Member State, the supervisory authority shall, upon request, assist and advise the person concerned in exercising his/her right to correct or delete data relating to him/her in accordance with Article 28(4) of Directive 95/46/EC.
3. The supervisory authority of the Member State responsible which transmitted the data and the supervisory authorities of the Member States to which the request has been lodged shall cooperate to this end.
Article 51 - Remedies
2. The assistance of the supervisory authorities shall remain available throughout the proceedings.
Article 52 - Supervision by the National Supervisory Authority
2. The supervisory authority shall ensure that an audit of the data processing operations in the National System is carried out in accordance with relevant international auditing standards at least every four years.
3. Member States shall ensure that their supervisory authority has sufficient resources to fulfil the tasks entrusted to it under this Regulation.
4. In relation to the processing of personal data in the RTP, each Member State shall designate the authority which is to be considered as controller in accordance with Article 2(d) of Directive 95/46/EC and which shall have central responsibility for the processing of data by this Member State. Each Member State shall communicate this authority to the Commission.
5. Each Member State shall supply any information requested by the supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 39 and 40(1), grant them access to the lists referred to in Article 39(1)(c) and to their records as referred to in Article 45 and allow them access at all times to all their premises.
Article 53 - Supervision by the European Data Protection Supervisor
2. The European Data Protection Supervisor shall ensure that an audit of the Agency's personal data processing activities is carried out in accordance with relevant international auditing standards at least every four years. A report of such audit shall be sent to the European Parliament, the Council, the Agency, the Commission and the supervisory authorities. The Agency shall be given an opportunity to make comments before the report is adopted.
3. The Agency shall supply information requested by the European Data Protection Supervisor, give him/her access to all documents and to its records referred to in Article 45(1) and allow him/her access to all its premises, at any time.
Article 54 - Cooperation between supervisory authorities and the European Data Protection Supervisor
2. They shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties over the interpretation or application of this Regulation, study problems with the exercise of independent supervision or with the exercise of the rights of the data subject, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.
3. The supervisory authorities and the European Data Protection Supervisor shall meet for that purpose at least twice a year. The costs of these meetings shall be borne by the European Data Protection Supervisor. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary.
4. A joint report of activities shall be sent to the European Parliament, the Council, the Commission and the Agency every two years. This report shall include a chapter of each Member State prepared by the supervisory authority of that Member State.
CHAPTER XI - Final Provisions
Article 55 - Start of transmission
2. The Agency shall notify the Commission that it has made the necessary technical arrangements referred to in Article 38(1).
Article 56 - Start of operations
(a) the measures referred to in Article 37(1) and (2) have been adopted;
(b) after validation of technical arrangements, the Member States have notified the Commission that they have made the necessary technical and legal arrangements to collect and transmit the data referred to in Article 22(1) to the Central Repository;
(c) the Agency has declared the successful completion of a comprehensive test of the Central Repository provided for in Article 38(1), and;
(d) the Agency has notified the Commission that the Central Repository is ready to start operations.
Article 57 - Committee procedure
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Article 58 - Amendments to the annexes
Article 59 - Exercise of delegation
2. The delegation of power referred to in Articles 10(2) and 58 shall be conferred for an indeterminate period of time from X.X.201X. (Date of entry into force of this Regulation).
3. The delegation of powers referred to in Articles 10(2) and 58 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
5. A delegated act adopted pursuant to Articles 10(2) and 58 shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.
Article 60 - Notification
(a) the national form for proof of sponsorship and/or private accommodation referred to in Article 9(5), if applicable;
(b) the authority which is to be considered as controller referred to in Article 52(4);
(c) necessary technical and legal arrangements referred to in Article 56.
2. Member States shall notify the Agency of:
(a) competent authorities which have access to enter, amend, delete, consult or search data, referred to in Article 23;
(b) statistics compiled in accordance with Article 18(5) and Annex V.
3. The Agency shall notify the Commission that that it has made the necessary technical arrangements and the Central Repository is ready to start operations.
4. The Commission shall make the information notified pursuant to paragraph 1(a) available to the Member States and the public via a constantly updated electronic publication.
5. Bulgaria, Cyprus and Romania shall notify the Commission within 10 working days whether to recognise unilaterally the RTP membership of the registered traveller to benefit from facilitation of border checks at their external borders. The Commission shall publish the information communicated by those Member States in the Official Journal of the European Union.
Article 61 - Advisory group
Article 62 - Training
Article 63 - Monitoring and evaluation
2. For the purposes of technical maintenance, the Agency shall have access to the necessary information relating to the processing operations performed in the Central Repository.
3. Two years after the RTP is brought into operation and every two years thereafter, the Agency shall submit to the European Parliament, the Council and the Commission, a report on the technical functioning of the RTP including the security thereof.
4. Three years after the RTP is brought into operation and every four years thereafter, the Commission shall produce an overall evaluation of the RTP. This overall evaluation shall include an examination of results achieved against objectives and an assessment of the continuing validity of the underlying rationale, the application of this Regulation in respect of the RTP, the security of the RTP, the implementation of the collection and use of biometric data, compliance with data protection rules and the organisation of the procedures related to applications and issuance of tokens. The Commission shall transmit the evaluation to the European Parliament and the Council. The report shall be accompanied, where necessary, by appropriate proposals to amend this Regulation.
5. Member States shall provide the Agency and the Commission with the information necessary to draft the reports referred to in paragraphs 3 and 4 according to the quantitative parameters predefined by the Agency and the Commission respectively.
6. The Agency shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 4.
Article 64 - Entry into force and applicability
2. It shall apply from the date referred to in Article 56.
3. Articles 37, 38, 39, 43, 55, 56, 57, 58, 59 and 60 shall apply as from the date referred to in paragraph 1.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.