Legal provisions of COM(2016)272 - Establishment of 'Eurodac' for the comparison of fingerprints (recast)

Please note

This page contains a limited version of this dossier in the EU Monitor.



CHAPTERI

GENERAL PROVISIONS

Article 1

Purpose of 'Eurodac'

1. A system known as 'Eurodac' is hereby established, the purpose of which shall be to:

(a) assist in determining which Member State is to be responsible pursuant to Regulation (EU) No […/…] 604/2013 for examining an application for international protection lodged in a Member State by a third-country national or a stateless person, and otherwise to facilitate the application of Regulation (EU) No […/…] 604/2013 under the conditions set out in this Regulation.;

•0- new

(b) assist with the control of illegal immigration to and secondary movements within the Union and with the identification of illegally staying third-country nationals for determining the appropriate measures to be taken by Member States, including removal and repatriation of persons residing without authorisation.

^ 603/2013 (adapted)

■=> new

2. (c) This Regulation also lays down the conditions under which Member States' designated authorities and the European Police Office (Europol) may request the comparison of fingerprint ■=> and facial image ^ data with those stored in the Central System for law enforcement purposes ■=> for the prevention, detection or investigation of terrorist offences or of other serious criminal offences ^ .

32. Without prejudice to the processing of data intended for Eurodac by the Member State of origin in databases set up under the latter's national law, fingerprint data and other personal data may be processed in Eurodac only for the purposes set out in this Regulation and [Article 34(1) of Regulation (EU) No 604/2013].

•0- new
1. Member States are obliged to take the fingerprints and facial image of persons referred to in Article 10(1), 13(1) and 14(1) for the purposes of Article 1(1)(a) and (b) of this

Regulation and shall impose on the data-subject the requirement to provide his or her fingerprints and a facial image and inform them as such in accordance with Article 30 of this Regulation.

2. Taking fingerprints and facial images of minors from the age of six shall be carried out in a child-friendly and child-sensitive manner by officials trained specifically to enrol minor's fingerprints and facial images. The minor shall be informed in an age-appropriate manner using leaflets and/or infographics and/or demonstrations specifically designed to explain the fingerprinting and facial image procedure to minors and they shall be accompanied by a responsible adult, guardian or representative at the time their fingerprints and facial image are taken. At all times Member States must respect the dignity and physical integrity of the minor during the fingerprinting procedure and when capturing a facial image.

3. Member States may introduce administrative sanctions, in accordance with their national law, for non-compliance with the fingerprinting process and capturing a facial image in accordance with paragraph 1 of this Article. These sanctions shall be effective, proportionate and dissuasive. In this context, detention should only be used as a means of last resort in order to determine or verify a third-country national's identity.

4. Without prejudice to paragraph 3 of this Article, where enrolment of the fingerprints or facial image is not possible from third-country nationals who are deemed to be vulnerable persons and from a minor due to the conditions of the fingertips or face, the authorities of that Member State shall not use sanctions to coerce the taking of fingerprints or a facial image. A Member State may attempt to re-take the fingerprints or facial image of a minor or vulnerable person who refuses to comply, where the reason for non-compliance is not related to the conditions of the fingertips or facial image or the health of the individual and where it is duly justified to do so. Where a minor, in particular an unaccompanied or separated minor refuses to give their fingerprints or a facial image and there are reasonable grounds to suspect that there are child safeguarding or protection risks, the minor shall be referred to the national child protection authorities and /or national referral mechanisms.

^ 603/2013

■=> new

5. The procedure for taking fingerprints ■=> and a facial image ^ shall be determined and applied in accordance with the national practice of the Member State concerned and in accordance with the safeguards laid down in the Charter of Fundamental Rights of the European Union, in the Convention for the Protection of Human Rights and Fundamental Freedoms and in the United Nations Convention on the Rights of the Child.

Article 2 3

Definitions

1. For the purposes of this Regulation:

(a)'applicant for international protection' means a third-country national or a stateless person who has made an application for international protection as defined in Article 2(h) of Directive 2011/95/EU in respect of which a final decision has not yet been taken;

(b)'Member State of origin' means:

(i) in relation to a person covered by Article 9 10 (1), the Member State which transmits the personal data to the Central System and receives the results of the comparison;

(ii) in relation to a person covered by Article 14 13(1), the Member State which transmits the personal data to the Central System ■=> and receives the results of the comparison ^ ;

(iii) in relation to a person covered by Article 17 14(1), the Member State which transmits the personal data to the Central System and receives the results of the comparison;

■0- new

(c) ‘third-country national’ means any person who is not a citizen of the Union within the meaning of Article 20(1) of the Treaty and who is not a national of a State which participates in this Regulation by virtue of an agreement with the European Union;

•0- new

(d) illegal stay means the presence on the territory of a Member State, of a third-country national who does not fulfill, or no longer fulfils the conditions of entry as set out in Article 5 of the Schengen Borders Code or other conditions for entry, stay or residence in that Member State;

^ 603/2013 (adapted)

■=> new

(ce)'beneficiary of international protection' means a third-country national or a stateless person who has been granted international protection as defined in Article 2(a) of Directive 2011/95/EU;

(df)'hit' means the existence of a match or matches established by the Central System by comparison between fingerprint data recorded in the computerised central database and those transmitted by a Member State with regard to a person, without prejudice to the requirement that Member States shall immediately check the results of the comparison pursuant to Article 25 26(4);

(eg)'National Access Point' means the designated national system which communicates with the Central System;

(fh)'Agency' ⌦ eu-LISA ⌫ means the ⌦ European ⌫ Agency ⌦ for the operational management of large-scale information systems in the area of freedom, security and justice ⌫ established by Regulation (EU) No 1077/2011;

(gi)'Europol' means the European Police Office established by Decision 2009/371/JHA;

(hj)'Eurodac data' means all data stored in the Central System in accordance with Article 11 12, and Article 14 13(2) ■=> and Article 14(2) ^ ;

(ik)'law enforcement' means the prevention, detection or investigation of terrorist offences or of other serious criminal offences;

(jl)'terrorist offences' means the offences under national law which correspond or are equivalent to those referred to in Articles 1 to 4 of Framework Decision 2002/475/JHA;

(km)'serious criminal offences' means the forms of crime which correspond or are equivalent to those referred to in Article 2(2) of Framework Decision 2002/584/JHA, if they are punishable under national law by a custodial sentence or a detention order for a maximum period of at least three years;

(ln)'fingerprint data' means the data relating to ■=> plain and rolled impressions of the ^ fingerprints of all ■=> ten fingers, where present ^ or at least the index fingers, and if those are missing, the prints of all other fingers of a person, or a latent fingerprint.;

•0- new

(o) facial image means digital images of the face with sufficient image resolution and quality to be used in automatic biometric matching.

^ 603/2013 (adapted)

■=> new

2. The terms defined in Article [..]2 of Directive [2016/…/EU[ 95/46/EC shall have the same meaning in this Regulation in so far as personal data are processed by the authorities of the Member States for the purposes laid down in Article 1(1)(a) of this Regulation.

3. Unless stated otherwise, the terms defined in Article [..]2 of Regulation (EU) No […/…] 604/2013 shall have the same meaning in this Regulation.

4. The terms defined in Article […] 2 of Directive [2016/…/EU]Framework Decision 2008/977/JHA shall have the same meaning in this Regulation in so far as personal data are processed by the \E> competent <S1 authorities of the Member States for the purposes laid down in Article 1(2)(1)(c) of this Regulation.

Article 3 4

System architecture and basic principles

1. Eurodac shall consist of:

(a) a computerised central fingerprint database ("Central System") composed of:

(i) a Central Unit,

(ii) a Business Continuity Plan and System;

(b)  a communication infrastructure between the Central System and Member States that provides an encrypted virtual network dedicated to ■=> a secure and encrypted communication channel for ^ Eurodac data ("Communication Infrastructure").

•0- new

2. The EURODAC Communication Infrastructure will be using the existing Secure Trans European Services for Telematics between Administrations (TESTA) network. A separate virtual private network dedicated to the EURODAC shall be established on the existing TESTA private virtual network to ensure the logical separation of EURODAC data from other data.

^ 603/2013

23. Each Member State shall have a single National Access Point.

34. Data on persons covered by Articles 9 10(1), 14 13(1) and 17 14(1) which are processed in the Central System shall be processed on behalf of the Member State of origin under the conditions set out in this Regulation and separated by appropriate technical means.

45. The rules governing Eurodac shall also apply to operations carried out by the Member States as from the transmission of data to the Central System until use is made of the results of the comparison.

^ 603/2013 (adapted)

Article 4 5

Operational management

1. The Agency ⌦ eu-LISA ⌫ shall be responsible for the operational management of Eurodac.

The operational management of Eurodac shall consist of all the tasks necessary to keep Eurodac functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality, in particular as regards the time required for interrogation of the Central System. A Business Continuity Plan and System shall be developed taking into account maintenance needs and unforeseen downtime of the system, including the impact of business continuity measures on data protection and security.

The Agency ⌦ 2. eu-LISA ⌫ shall ensure, in cooperation with the Member States, that at all times the best available and most secure technology and techniques, subject to a cost-benefit analysis, are used for the Central System.

11 new_____________________|

2. Eu-LISA shall be permitted to use real personal data of the Eurodac production system for testing purposes in the following circumstances:

(a) for diagnostics and repair when faults are discovered with the Central System; and

(b) for testing new technologies and techniques relevant to enhance the performance of the Central System or transmission of data to it.

In such cases, the security measures, access control and logging activities at the testing environment shall be equal to the ones for the Eurodac production system. Real personal data adopted for testing shall be rendered anonymous in such a way that the data-subject is no longer identifiable.

^ 603/2013 (adapted)

23. The Agency ⌦ eu-LISA ⌫ shall be responsible for the following tasks relating to the Communication Infrastructure:

(a) supervision;

(b) security;

(c) the coordination of relations between the Member States and the provider.

34. The Commission shall be responsible for all tasks relating to the Communication Infrastructure other than those referred to in paragraph 2 3, in particular:

(a) the implementation of the budget;

(b) acquisition and renewal;

(c) contractual matters.

•0- new

5. A separate secure electronic transmission channel between the authorities of Member States known as the ‘DubliNet’ communication network set-up under [Article 18 of Regulation (EC) No. 1560/2003] for the purposes set out in Articles 32, 33 and 46 of Regulation (EU) No. […/…] shall also be operated and managed by eu-LISA.

^ 603/2013 (adapted)

■=> new

46. Without prejudice to Article 17 of the Staff Regulations, the Agency ⌦ eu-LISA ⌫ shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to all its staff required to work with Eurodac data. This obligation shall also apply after such staff leave office or employment or after the termination of their duties.

Article 5 6

Member States' designated authorities for law enforcement purposes

1. For the purposes laid down in Article 1(2)(1)(c), Member States shall designate the authorities that are authorised to request comparisons with Eurodac data pursuant to this Regulation. Designated authorities shall be authorities of the Member States which are responsible for the prevention, detection or investigation of terrorist offences or of other

serious criminal offences. Designated authorities shall not include agencies or units exclusively responsible for intelligence relating to national security.

2. Each Member State shall keep a list of the designated authorities.

3. Each Member State shall keep a list of the operating units within the designated authorities that are authorised to request comparisons with Eurodac data through the National Access Point.

Article 6 7

Member States' verifying authorities for law enforcement purposes

1. For the purposes laid down in Article 1(2)(1)(c), each Member State shall designate a single national authority or a unit of such an authority to act as its verifying authority. The verifying authority shall be an authority of the Member State which is responsible for the prevention, detection or investigation of terrorist offences or of other serious criminal offences.

The designated authority and the verifying authority may be part of the same organisation, if permitted under national law, but the verifying authority shall act independently when performing its tasks under this Regulation. The verifying authority shall be separate from the operating units referred to in Article 5 6(3) and shall not receive instructions from them as regards the outcome of the verification.

Member States may designate more than one verifying authority to reflect their organisational and administrative structures, in accordance with their constitutional or legal requirements.

2. The verifying authority shall ensure that the conditions for requesting comparisons of fingerprints with Eurodac data are fulfilled.

Only duly empowered staff of the verifying authority shall be authorised to receive and transmit a request for access to Eurodac in accordance with Article 19 20.

Only the verifying authority shall be authorised to forward requests for comparison of fingerprints ■=> and facial images ^ to the National Access Point.

Article 7 8

Europol

1. For the purposes laid down in Article 1(2)(1)(c), Europol shall designate a specialised unit with duly empowered Europol officials to act as its verifying authority, which shall act independently of the designated authority referred to in paragraph 2 of this Article when performing its tasks under this Regulation and shall not receive instructions from the designated authority as regards the outcome of the verification. The unit shall ensure that the conditions for requesting comparisons of fingerprints ■=> and facial images ^ with Eurodac data are fulfilled. Europol shall designate in agreement with any Member State the National Access Point of that Member State which shall communicate its requests for comparison of fingerprint ■=> and facial image ^ data to the Central System.

2. For the purposes laid down in Article 1(2) (1)(c), Europol shall designate an operating unit that is authorised to request comparisons with Eurodac data through its designated National Access Point. The designated authority shall be an operating unit of Europol which is competent to collect, store, process, analyse and exchange information to support and strengthen action by Member States in preventing, detecting or investigating terrorist offences or other serious criminal offences falling within Europol's mandate.

Article 8 9

Statistics

1. The Agency \E> eu-LISA O shall draw up statistics on the work of the Central System every ■=> month ^ quarter, indicating in particular:

(a)  the number of data sets transmitted on persons referred to in Articles 9 10(1), 14 13(1) and 17 14(1);

(b)  the number of hits for applicants for international protection \E> persons referred to in Article 10(1) <S1 who have \E> subsequently <S1 lodged an application for international protection in another Member State ■=> , who were apprehended in connection with the irregular crossing of an external border and who were found illegally staying in a Member State ^ ;

(c)   the number of hits for persons referred to in Article 14 13(1) who have subsequently lodged an application for international protection I who were apprehended in connection with the irregular crossing of an external border and who were found illegally staying in a Member State ^ ;

(d)  the number of hits for persons referred to in Article 17 14(1) who had previously lodged an application for international protection in another Member State ■=> , who were apprehended in connection with the irregular crossing of an external border and who were found illegally staying in a Member State ^ ;

(e) the number of fingerprint data which the Central System had to request more than once from the Member States of origin because the fingerprint data originally transmitted did not lend themselves to comparison using the computerised fingerprint recognition system;

(f)  the number of data sets marked, unmarked, blocked and unblocked in accordance with Article 18 19(1) and (3) ■=> 17(2), (3) and (4) ^ ;

(g)  the number of hits for persons referred to in Article 18 19(1) ■=> and (4) ^ for whom hits have been recorded under points (b) ■=> , (c) <=■ and (d) of this Article;

(h) the number of requests and hits referred to in Article 20 21(1);

(i) the number of requests and hits referred to in Article 21 22(1).;

•0- new

(j) the number of requests made for persons referred to in Article 31;

(h) the number of hits received from the Central System as referred to in Article 26(6).

^ 603/2013 (adapted)

■=> new

2. ■=> The monthly statistical data for persons referred to in paragraph1(a) to (h) shall be published and made public by each month. ^ At the end of each year, \E> the yearly O statistical data ■=> for persons referred to in paragraph 1(a) to (h) ^ shall be ■=> published and made public by eu-LISA ^ established in the form of a compilation of the quarterly statistics for that year, including an indication of the number of persons for whom hits have been

recorded under paragraph 1(b), (c) and (d). The statistics shall contain a breakdown of data for each Member State. The results shall be made public.

•0- new

3. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects for research and analysis purposes without allowing for individual identification as well as the possibility to produce regular statistics pursuant to paragraph 1. These statistics shall be shared with other Justice and Home Affairs Agencies if they are relevant for the implementation of their tasks.

^ 603/2013 (adapted)

■=> new

CHAPTER II APPLICANTS FOR INTERNATIONAL PROTECTION

Article 9 10

Collection, \E> and <S1 transmission and comparison of fingerprints \E> and facial image

dataO

1. Each Member State shall promptly take the fingerprints of all fingers ■=> and capture a facial image ^ of every applicant for international protection of at least 14 | six ^ years of age and shall, as soon as possible and no later than 72 hours after the lodging of his or her application for international protection, as defined by Article [21(2)]of Regulation (EU) No 604/2013, transmit them together with the data referred to in Article 11 12(b) to (g) ■=> (c) to (n) ^ of this Regulation to the Central System.

Non-compliance with the 72-hour time-limit shall not relieve Member States of the obligation to take and transmit the fingerprints to the Central System. Where the condition of the fingertips does not allow the taking of the fingerprints of a quality ensuring appropriate comparison under Article 25 26, the Member State of origin shall retake the fingerprints of the applicant and resend them as soon as possible and no later than 48 hours after they have been successfully retaken.

2. By way of derogation from paragraph 1, where it is not possible to take the fingerprints ■=> and facial image ^ of an applicant for international protection on account of measures taken to ensure his or her health or the protection of public health, Member States shall take and send such fingerprints ■=> and facial image ^ as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time-limit in paragraph 1 by a maximum of a further 48 hours in order to carry out their national continuity plans.

3. Fingerprint data within the meaning of Article 11(a) transmitted by any Member State, with the exception of those transmitted in accordance with Article 10(b), shall be compared

automatically with the fingerprint data transmitted by other Member States and already stored in the Central System.

4. The Central System shall ensure, at the request of a Member State that the comparison referred to in paragraph 3 covers the fingerprint data previously transmitted by that Member State, in addition to the data from other Member States.

5. The Central System shall automatically transmit the hit or the negative result of the comparison to the Member State of origin. Where there is a hit, it shall transmit for all data sets corresponding to the hit the data referred to in Article 11(a) to (k) along with, where appropriate, the mark referred to in Article 18(1).

•0- new

3. Fingerprint data may also be taken and transmitted by members of the European Border [and Coast] Guard Teams or by Member State asylum experts when performing tasks and exercising powers in accordance with [Regulation on the European Border [and Coast] Guard and repealing Regulation (EC) No 2007/2004, Regulation (EC) No 863/2007 and Council Decision 2005/267/EC] and [Regulation (EU) No. 439/2010].

^ 603/2013 (adapted)

■=> new

Article 10 11

Information on the status of the data subject

The following information shall be sent to the Central System in order to be stored in accordance with Article 12 17 (1) for the purpose of transmission under Articles 9(5) ■=> 15 and 16 ^ :

(a)  when an applicant for international protection or another person as referred to in ■=> Article 21(1) <=■ ■=> (b), (c), ^ (d) ■=> or (e) ^ of Regulation (EU) No […/…] 604/2013 arrives in the Member State responsible following a transfer pursuant to a decision acceding to a take back request ■=> notification ^ as referred to in Article ■=> 26 <^| thereof, the Member State responsible shall update its data set recorded in conformity with Article 11 12 of this Regulation relating to the person concerned by adding his or her date of arrival;

(b)   when an applicant for international protection arrives in the Member State responsible following a transfer pursuant to a decision acceding to a take charge request according to Article ■=> 24 <=■ of Regulation (EU) No […/…] 604/2013, the Member State responsible shall send a data set recorded in conformity with Article 11 12 of this Regulation relating to the person concerned and shall include his or her date of arrival;

•0- new

(c) when an applicant for international protection arrives in the Member State of allocation pursuant to Article 34 of Regulation (EU) No. […/…], that Member State shall send a data set recorded in conformity with Article 12 of this Regulation relating to the person concerned and shall include his or her date of arrival and record that it is the Member State of allocation.

^ 603/2013 (adapted)

■=> new

(c) as soon as the Member State of origin establishes that the person concerned whose data was recorded in Eurodac in accordance with Article 11 of this Regulation has left the territory of the Member States, it shall update its data set recorded in conformity with Article 11 of this Regulation relating to the person concerned by adding the date when that person left the territory, in order to facilitate the application of Articles 19(2) and 20(5) of Regulation (EU) No 604/2013;

(d) as soon as the Member State of origin ensures that the person concerned whose data was recorded in Eurodac in accordance with Article 11 12 of this Regulation has left the territory of the Member States in compliance with a return decision or removal order issued following the withdrawal or rejection of the application for international protection as provided for in Article 19(3) of Regulation (EU) No 604/2013, it shall update its data set recorded in conformity with Article 11 12 of this Regulation relating to the person concerned by adding the date of his or her removal or when he or she left the territory;

(e) the Member State which becomes responsible in accordance with ■=> Article 19(1) ^ of Regulation (EU) No […/…] 604/2013 shall update its data set recorded in conformity with Article 11 12 of this Regulation relating to the applicant for international protection by adding the date when the decision to examine the application was taken.

Article 11 12

Recording of data

Only the following data shall be recorded in the Central System: (a) fingerprint data;

•0- new

(b) a facial image;

(c) surname(s) and forename(s), name(s) at birth and previously used names and any aliases, which may be entered separately;

(d) nationality(ies);

(e) place and date of birth;

^ 603/2013

(bf) Member State of origin, place and date of the application for international protection; in the cases referred to in Article 10 11(b), the date of application shall be the one entered by the Member State who transferred the applicant;

(cg) sex;

•0- new

(h) type and number of identity or travel document; three letter code of the issuing country and validity;

^ 603/2013

(di) reference number used by the Member State of origin;

•0- new

(j) unique application number of the application for international protection pursuant to Article 22(2) of Regulation (EU) No. […/…];

(k) the Member State of allocation in accordance with Article 11(c);

^ 603/2013 (adapted)

■=> new

(el) date on which the fingerprints ■=> and/or facial image ^ were taken;

(fm) date on which the data were transmitted to the Central System;

(gn) operator user ID;

(ho) where applicable in accordance with Article 10 11(a) or (b), the date of the arrival of the person concerned after a successful transfer;

\E> (p) where applicable in accordance with Article 10 11(b), the date of the arrival of the person concerned after a successful transfer; O

•0- new

(q) where applicable in accordance with Article 11(c), the date of the arrival of the person concerned after a successful transfer;

^ 603/2013 (adapted)

■=> new

(i) where applicable in accordance with Article 10(c), the date when the person concerned left the territory of the Member States;

(jr) where applicable in accordance with Article 10 11(d), the date when the person concerned left or was removed from the territory of the Member States;

(ks) where applicable in accordance with Article 10 11(e), the date when the decision to examine the application was taken.

CHAPTER III

THIRD-COUNTRY NATIONALS OR STATELESS PERSONS APPREHENDED IN CONNECTION WITH THE IRREGULAR CROSSING

OF AN EXTERNAL BORDER

Article 14 13 Collection and transmission of fingerprint data \E> and facial image data <E\

1. Each Member State shall promptly take the fingerprints of all fingers ■=> and capture a facial image ^ of every third-country national or stateless person of at least 14 | six ^ years of age who is apprehended by the competent control authorities in connection with the irregular crossing by land, sea or air of the border of that Member State having come from a third country and who is not turned back or who remains physically on the territory of the Member States and who is not kept in custody, confinement or detention during the entirety of the period between apprehension and removal on the basis of the decision to turn him or her back.

2. The Member State concerned shall, as soon as possible and no later than 72 hours after the date of apprehension, transmit to the Central System the following data in relation to any third-country national or stateless person, as referred to in paragraph 1, who is not turned back:

(a) fingerprint data;

•0- new

(b)      a facial image;

(c)        surname(s) and forename(s), name(s) at birth and previously used names and any aliases, which may be entered separately;

(d)       nationality(ies);

(e)        place and date of birth

^ 603/2013

(bf) Member State of origin, place and date of the apprehension;

(cg) sex;

•0- new

(h) type and number of identity or travel document; three letter code of the issuing country and validity;

^ 603/2013

■=> new

(di) reference number used by the Member State of origin; (ej) date on which the fingerprints ■=> and/or facial image ^ were taken; (fk) date on which the data were transmitted to the Central System; (gl) operator user ID.;

•0- new

(m) where applicable in accordance with paragraph 6, the date when the person concerned left or was removed from the territory of the Member States.

^ 603/2013

■=> new

3. By way of derogation from paragraph 2, the data specified in paragraph 2 relating to persons apprehended as described in paragraph 1 who remain physically on the territory of the Member States but are kept in custody, confinement or detention upon their apprehension for a period exceeding 72 hours shall be transmitted before their release from custody, confinement or detention.

4. Non-compliance with the 72-hour time-limit referred to in paragraph 2 of this Article shall not relieve Member States of the obligation to take and transmit the fingerprints to the Central System. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 25 26, the Member State of origin shall retake the fingerprints of persons apprehended as described in paragraph 1 of this Article, and resend them as soon as possible and no later than 48 hours after they have been successfully retaken.

5. By way of derogation from paragraph 1, where it is not possible to take the fingerprints ■=> and facial image ^ of the apprehended person on account of measures taken to ensure his or her health or the protection of public health, the Member State concerned shall take and send such fingerprints ■=> and facial image ^ as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time-limit in paragraph 2 by a maximum of a further 48 hours in order to carry out their national continuity plans.

•0- new

6. As soon as the Member State of origin ensures that the person concerned whose data was recorded in Eurodac in accordance with paragraph (1) has left the territory of the Member States in compliance with a return decision or removal order, it shall update its data set recorded in conformity with paragraph (2) relating to the person concerned by adding the date of his or her removal or when he or she left the territory.

7. Fingerprint data may also be taken and transmitted by members of the European Border [and Coast] Guard Teams when performing tasks and exercising powers in accordance with [Regulation on the European Border [and Coast] Guard and repealing Regulation (EC) No 2007/2004, Regulation (EC) No 863/2007 and Council Decision 2005/267/EC].

^ 603/2013 (adapted)

Article 15

Recording of data

1. The data referred to in Article 14(2) shall be recorded in the Central System.

Without prejudice to Article 8, data transmitted to the Central System pursuant to Article 14(2) shall be recorded solely for the purposes of comparison with data on applicants for international protection subsequently transmitted to the Central System and for the purposes id down in Article

The Central System shall not compare data transmitted to it pursuant to Article 14(2) with any data previously recorded in the Central System, or with data subsequently transmitted to the Central System pursuant to Article 14(2).

2. As regards the comparison of data on applicants for international protection subsequently transmitted to the Central System with the data referred to in paragraph 1, the procedures provided for in Article 9(3) and (5) and in Article 25(4) shall apply.

Article 16

Storage of data

1. Each set of data relating to a third-country national or stateless person as referred to in Article 14(1) shall be stored in the Central System for 18 months from the date on which his or her fingerprints were taken. Upon expiry of that period, the Central System shall automatically erase such data.

2. The data relating to a third-country national or stateless person as referred to in Article 14(1) shall be erased from the Central System in accordance with Article 28(3) as soon as the Member State of origin becomes aware of one of the following circumstances before the 18 month period referred to in paragraph 1 of this Article has expired:

(a)  the third-country national or stateless person has been issued with a residence document;

(b) the third-country national or stateless person has left the territory of the Member States;

(c) the third-country national or stateless person has acquired the citizenship of any Member State.

3. The Central System shall, as soon as possible and no later than after 72 hours, inform all Member States of origin of the erasure of data for the reason specified in paragraph 2(a) or (b) of this Article by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 14(1).

4. The Central System shall, as soon as possible and no later than after 72 hours, inform all Member States of origin of the erasure of data for the reason specified in paragraph 2(c) of this Article by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 9(1) or 14(1).

CHAPTERIV

THIRD-COUNTRY NATIONALSORSTATELESSPERSONSFOUND ILLEGALLYSTAYING INAMEMBERSTATE

Article 17 14

ComparisonCollection and transmissionof fingerprintand facial image

data

1. With a view to checking whether a third-country national or a stateless person found illegally staying within its territory has previously lodged an application for international protection in another Member State, a Member State may transmit to the Central System any fingerprint data relating to fingerprints which it may have taken of any such third-country national or stateless person of at least 14 years of age together with the reference number used by that Member State.

As a general rule there are grounds for checking whether the third-country national or stateless person has previously lodged an application for international protection in another Member State where:

(a) the third-country national or stateless person declares that he or she has lodged an application for international protection but without indicating the Member State in which he or she lodged the application;

(b)  the third-country national or stateless person does not request international protection but objects to being returned to his or her country of origin by claiming that he or she would be in danger, or

(c) the third-country national or stateless person otherwise seeks to prevent his or her removal by refusing to cooperate in establishing his or her identity, in particular by showing no, or false, identity papers.

2. Where Member States take part in the procedure referred to in paragraph 1, they shall transmit to the Central System the fingerprint data relating to all or at least the index fingers and, if those are missing, the prints of all the other fingers, of third-country nationals or stateless persons referred to in paragraph 1.

•0- new

1. Each Member State shall promptly take the fingerprints of all fingers and capture a facial image of every third-country national or stateless person of at least six years of age who is found illegally staying within its territory.

2. The Member State concerned shall, as soon as possible and no later than 72-hours after the date of apprehension, transmit to the Central System the following data in relation to any third-country national or stateless person, as referred to in paragraph 1:

(a)        fingerprint data;

(b)       a facial image;

(c)        surname(s) and forename(s), name(s) at birth and previously used names and any aliases, which may be entered separately;

(d)       nationality(ies);

(e)        place and date of birth

(f)        Member State of origin, place and date of the apprehension;

(g)       sex;

(h) type and number of identity or travel document; three letter code of the issuing country and validity;

(i)       reference number used by the Member State of origin;

(j)       date on which the fingerprints and/or facial image were taken;

(k)       date on which the data were transmitted to the Central System;

(l)       operator user ID;

(m) where applicable in accordance with paragraph 6, the date when the person concerned left or was removed from the territory of the Member States

^ 603/2013 (adapted)

■=> new

3. The fingerprint data of a third-country national or a stateless person as referred to in paragraph 1 shall be transmitted to the Central System solely for the purpose of comparison ■=> and compared ^ with the fingerprint data of applicants for international protection \E> persons fingerprinted for the purposes of Article 9 10(1), 14 13(1) and 17 14(1) O transmitted by other Member States and already recorded in the Central System.

The fingerprint data of such a third country national or a stateless person shall not be recorded in the Central System, nor shall they be compared with the data transmitted to the Central System pursuant to Article 14(2).

•0- new

4. Non-compliance with the 72-hour time-limit referred to in paragraph 3 of this Article shall not relieve Member States of the obligation to take and transmit the fingerprints to the Central

System. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 26, the Member State of origin shall retake the fingerprints of persons apprehended as described in paragraph 1 of this Article, and resend them as soon as possible and no later than 48 hours after they have been successfully retaken.

5. By way of derogation from paragraph 1, where it is not possible to take the fingerprints and facial image of the apprehended person on account of measures taken to ensure his or her health or the protection of public health, the Member State concerned shall take and send such fingerprints and facial image as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time-limit in paragraph 2 by a maximum of a further 48 hours in order to carry out their national continuity plans.

6. As soon as the Member State of origin ensures that the person concerned whose data was recorded in Eurodac in accordance with Article 13(1) of this Regulation has left the territory of the Member States in compliance with a return decision or removal order, it shall update its data set recorded in conformity with paragraph 2 of this Article relating to the person concerned by adding the date of his or her removal or when he or she left the territory.

^ 603/2013 (adapted)

■=> new

4. Once the results of the comparison of fingerprint data have been transmitted to the Member State of origin, the record of the search shall be kept by the Central System only for the purposes of Article 28. Other than for those purposes, no other record of the search may be stored either by Member States or by the Central System.

5. As regards the comparison of fingerprint data transmitted under this Article with the fingerprint data of applicants for international protection transmitted by other Member States which have already been stored in the Central System, the procedures provided for in Article 9(3) and (5) and in Article 25(4) shall apply.

CHAPTER V

\E> PROCEDURE FOR COMPARISON OF DATA FOR APPLICANTS

FOR INTERNATIONAL PROTECTION AND THIRD-COUNTRY

NATIONALS APPREHENDED CROSSING THE BORDER

IRREGULARLY OR ILLEGALLY STAYING IN THE TERRITORY OF

A MEMBER STATE O

Article 15

\E> Comparison of fingerprint and facial image data <E\

31. Fingerprint ■=> and facial image ^ data within the meaning of Article 11(a) transmitted by any Member State, with the exception of those transmitted in accordance with Article 10 11(b) ■=> and (c) ^ , shall be compared automatically with the fingerprint data transmitted by other Member States and already stored in the Central System \E> in accordance with Article 9 10(1), 14 13(1) and 17 14 (1) <S1 .

42. The Central System shall ensure, at the request of a Member State, that the comparison referred to in paragraph 3 1 \E> of this Article <S1 covers the fingerprint ■=> and facial image <^ data previously transmitted by that Member State, in addition to the \E> fingerprint <S1 ■=> and facial image ^ data from other Member States.

53. The Central System shall automatically transmit the hit or the negative result of the comparison to the Member State of origin ■=> following the procedures set out in Article 26(4) ^ . Where there is a hit, it shall transmit for all data sets corresponding to the hit the data referred to in Article 11(a) to (k) ■=> 12, 13(2) and 14(2) ^ along with, where appropriate, the mark referred to in Article 18 19(1) ■=> and (4) <=■ . ■=> Where a negative hit result is received, the data referred to in Article 12, 13(2) and 14(2) shall not be transmitted. <^

•0- new

4. Where evidence of a hit is received by a Member State from Eurodac that can assist that Member State to carry out its obligations under Article 1(1)(a), that evidence shall take precedence over any other hit received.

•0- new

Article 16 - Comparison of facial image data

Where the condition of the fingertips does not allow for the taking of fingerprints of a quality ensuring appropriate comparison under Article 26 or where a person referred to in Article 10(1), 13(1) and 14(1) refuses to comply with the fingerprinting process, a Member State may carry out a comparison of facial image data as a last resort.

(2) Facial image data and data relating to the sex of the data-subject may be compared automatically with the facial image data and personal data relating to the sex of the data-subject transmitted by other Member States and already stored in the Central System in accordance with Article 10(1), 13(1) and 14(1) with the exception of those transmitted in accordance with Article 11(b) and (c).

(3) The Central System shall ensure, at the request of a Member State that the comparison referred to in paragraph 1 of this Article covers the facial image data previously transmitted by that Member State, in addition to the facial image data from other Member States.

(4) The Central System shall automatically transmit the hit or the negative result of the comparison to the Member State of origin following the procedures set out in Article 26(4). Where there is a hit, it shall transmit for all data sets corresponding to the hit the data referred to in Article 12, 13(2) and 14(2) along with, where appropriate, the mark referred to in Article 17(1) and (4). Where a negative hit result is received, the data referred to in Article 12, 13(2) and 14(2) shall not be transmitted.

1

(5) Where evidence of a hit is received by a Member State from Eurodac that can assist that Member State to carry out its obligations under Article 1(1)(a), that evidence shall take precedence over any other hit received.

^ 603/2013 (adapted)

CHAPTERVVI

BENEFICIARIES OFINTERNATIONALPROTECTION DATA STORAGE,ADVANCEDDATAERASUREANDMARKINGOF

DATA

Article 12 17

Data storage

1. ⌦ For the purposes laid down in Article 10(1), ⌫ Eeach set of data ⌦ relating to an applicant for international protection ⌫ , as referred to in Article 11 12, shall be stored in the Central System for ten years from the date on which the fingerprints were taken.

*

new

2. For the purposes laid down in Article 13(1), each set of data relating to a third-country national or stateless person as referred to in Article 13(2) shall be stored in the Central System for five years from the date on which his or her fingerprints were taken.

3. For the purposes laid down in Article 14(1), each set of data relating to a third-country national or stateless person as referred to in Article 14(2) shall be stored in the Central System for five years from the date on which his or her fingerprints were taken.

^ 603/2013 (adapted)

■=> new

24. Upon expiry of the period \E> data storage periods <S1 referred to in paragraphs 1 ■=> to 3 <^ \E> of this Article <S1 , the Central System shall automatically erase the data \E> of the data-subjects <S1 from the Central System.

Article 13 18 Advance \E> Advanced <S1 data erasure

1. Data relating to a person who has acquired citizenship of any Member State before expiry of the period referred to in Article 1217(1) ■=> , (2) or (3) ^ shall be erased from the Central System in accordance with Article 27 28(4) as soon as the Member State of origin becomes aware that the person concerned has acquired such citizenship.

2. The Central System shall, as soon as possible and no later than after 72 hours, inform all Member States of origin of the erasure of data in accordance with paragraph 1 by another

Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 9 10(1), or 14 13 (1) ■=> or 14(1) <=■ .

Article 18 19

Marking of data

1. For the purposes laid down in Article 1(1)(a), the Member State of origin which granted international protection to an applicant for international protection whose data were previously recorded in the Central System pursuant to Article 11 12 shall mark the relevant data in conformity with the requirements for electronic communication with the Central System established by \E> eu-LISA <E\ the Agency. That mark shall be stored in the Central System in accordance with Article 12 17(1) for the purpose of transmission under Article 9(5) ■=> 15 <=■ . The Central System shall ■=> , as soon as possible and no later than 72 hours, <^ inform all Member States of origin of the marking of data by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 9 10 (1), or 14 13 (1) ■=> or 14(1) <=■ . Those Member States of origin shall also mark the corresponding data sets.

2. The data of beneficiaries of international protection stored in the Central System and marked pursuant to paragraph 1 of this Article shall be made available for comparison for the purposes laid down in Article 1(2)(1)(c) for a period of three years after the date on which the data subject was granted international protection.

Where there is a hit, the Central System shall transmit the data referred to in Article 11 12(a) to (k) ■=> (b) to (s) ^ for all the data sets corresponding to the hit. The Central System shall not transmit the mark referred to in paragraph 1 of this Article. Upon the expiry of the period of three years, the Central System shall automatically block such data from being transmitted in the event of a request for comparison for the purposes laid down in Article 1(2) (1)(c), whilst leaving those data available for comparison for the purposes laid down in Article 1(1)(a) until the point of their erasure. Blocked data shall not be transmitted, and the Central System shall return a negative result to the requesting Member State in the event of a hit.

3. The Member State of origin shall unmark or unblock data concerning a third-country national or stateless person whose data were previously marked or blocked in accordance with paragraphs 1 or 2 of this Article if his or her status is revoked or ended or the renewal of his or her status is refused under [Articles 14 or 19 of Directive 2011/95/EU].

•0- new

4. For the purposes laid down in Article 1(1)(b), the Member State of origin which granted a residence document to an illegally staying third-country national or stateless person whose data were previously recorded in the Central System pursuant to Article 13(2) and 14(2) shall mark the relevant data in conformity with the requirements for electronic communication with the Central System established by eu-LISA. That mark shall be stored in the Central System in accordance with Article 17(2) and (3) for the purpose of transmission under Article 15 and 16. The Central System shall, as soon as possible and no later than 72-hours, inform all Member States of origin of the marking of data by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Articles 13(1) or 14(1). Those Member States of origin shall also mark the corresponding data sets.

5. The data of illegally staying third-country nationals or stateless persons stored in the Central System and marked pursuant to paragraph 4 of this Article shall be made available for comparison for the purposes laid down in Article 1(1)(c) until such data is automatically erased from the Central System in accordance with Article 17(4).

^ 603/2013 (adapted)

■=> new

CHAPTER VI VII

PROCEDURE FOR COMPARISON AND DATA TRANSMISSION FOR LAW ENFORCEMENT PURPOSES

Article 19 20

Procedure for comparison of fingerprint data with Eurodac data

1. For the purposes laid down in Article 1(2)(1)(c), the designated authorities referred to in Articles 5 6(1) and 7 8(2) may submit a reasoned electronic request as provided for in Article

20 21(1) together with the reference number used by them, to the verifying authority for the transmission for comparison of fingerprint ■=> and facial image ^ data to the Central System via the National Access Point. Upon receipt of such a request, the verifying authority shall verify whether all the conditions for requesting a comparison referred to in Articles 20 21 or

21 22, as appropriate, are fulfilled.

2. Where all the conditions for requesting a comparison referred to in Articles 20 21 or 21 22 are fulfilled, the verifying authority shall transmit the request for comparison to the National Access Point which will process it to the Central System in accordance with Articles 9(3) and (5) ■=> 15 and 16 ^ for the purpose of comparison with the \E> fingerprint <S1 ■=> and facial image ^ data transmitted to the Central System pursuant to Articles 9 10 (1), and 14 13(2) ■=> (1) and 14(1) ^ .

•0- new

3. A comparison of a facial image with other facial image data in the Central System pursuant to Article 1(1)(c) may be carried out in accordance with Article 16(1), if such data is available at the time the reasoned electronic request is made pursuant to Article 21(1).

^ 603/2013 (adapted)

■=> new

34. In exceptional cases of urgency where there is a need to prevent an imminent danger associated with a terrorist offence or other serious criminal offence, the verifying authority may transmit the fingerprint data to the National Access Point for comparison immediately upon receipt of a request by a designated authority and only verify ex-post whether all the conditions for requesting a comparison referred to in Article 20 21 or Article 21 22 are fulfilled, including whether an exceptional case of urgency actually existed. The ex-post verification shall take place without undue delay after the processing of the request.

45. Where an ex-post verification determines that the access to Eurodac data was not justified, all the authorities that have accessed such data shall erase the information communicated from Eurodac and shall inform the verifying authority of such erasure.

Article 20 21

Conditions for access to Eurodac by designated authorities

1. For the purposes laid down in Article 1(2)(1)(c), designated authorities may submit a reasoned electronic request for the comparison of fingerprint data with the data stored in the Central System within the scope of their powers only if comparisons with the following databases did not lead to the establishment of the identity of the data subject:

national fingerprint databases;

the automated fingerprinting identification systems of all other Member States under Decision 2008/615/JHA where comparisons are technically available, unless there are reasonable grounds to believe that a comparison with such systems would not lead to the establishment of the identity of the data subject. Such reasonable grounds shall be included in the reasoned electronic request for comparison with Eurodac data sent by the designated authority to the verifying authority; and

the Visa Information System provided that the conditions for such a comparison laid down in Decision 2008/633/JHA are met;

and where the following cumulative conditions are met:

(a)  the comparison is necessary for the purpose of the prevention, detection or investigation of terrorist offences or of other serious criminal offences, which means that there is an overriding public security concern which makes the searching of the database proportionate;

(b)  the comparison is necessary in a specific case (i.e. systematic comparisons shall not be carried out); and

(c)  there are reasonable grounds to consider that the comparison will substantially contribute to the prevention, detection or investigation of any of the criminal offences in question. Such reasonable grounds exist in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls in a category covered by this Regulation.

2. Requests for comparison with Eurodac data shall be limited to searching with fingerprint ■=> or facial image ^ data.

Article 21 22

Conditions for access to Eurodac by Europol

1. For the purposes laid down in Article 1(2)(1)(c), Europol's designated authority may submit a reasoned electronic request for the comparison of fingerprint data with the data stored in the Central System within the limits of Europol's mandate and where necessary for the performance of Europol's tasks only if comparisons with fingerprint data stored in any information processing systems that are technically and legally accessible by Europol did not lead to the establishment of the identity of the data subject and where the following cumulative conditions are met:

(a) the comparison is necessary to support and strengthen action by Member States in preventing, detecting or investigating terrorist offences or other serious criminal offences falling under Europol's mandate, which means that there is an overriding public security concern which makes the searching of the database proportionate;

(b)  the comparison is necessary in a specific case (i.e. systematic comparisons shall not be carried out); and

(c)  there are reasonable grounds to consider that the comparison will substantially contribute to the prevention, detection or investigation of any of the criminal offences in question. Such reasonable grounds exist in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls in a category covered by this Regulation.

2. Requests for comparison with Eurodac data shall be limited to comparisons of fingerprint ■=> and facial image ^ data.

3. Processing of information obtained by Europol from comparison with Eurodac data shall be subject to the authorisation of the Member State of origin. Such authorisation shall be obtained via the Europol national unit of that Member State.

Article 22 23

Communication between the designated authorities, the verifying authorities and the

National Access Points

1. Without prejudice to Article 26 27, all communication between the designated authorities, the verifying authorities and the National Access Points shall be secure and take place electronically.

2. For the purposes laid down in Article 1(2)(1)(c), fingerprints shall be digitally processed by the Member States and transmitted in the data format referred to \S> as set out O in ■=> the agreed Interface Control Document ^ Annex I, in order to ensure that the comparison can be carried out by means of the computerised fingerprint recognition system.

CHAPTER VII VIII DATA PROCESSING, DATA PROTECTION AND LIABILITY

Article 23 24

Responsibility for data processing

1. The Member State of origin shall be responsible for ensuring that:

(a) fingerprints ■=> and facial images ^ are taken lawfully;

(b)  fingerprint data and the other data referred to in Article 11 12, Article 14 13(2) and Article 17 14 (2) are lawfully transmitted to the Central System;

(c)  data are accurate and up-to-date when they are transmitted to the Central System;

(d)  without prejudice to the responsibilities of \E> eu-LISA O the Agency, data in the Central System are lawfully recorded, stored, corrected and erased;

(e)  the results of fingerprint ■=> and facial image ^ data comparisons transmitted by the Central System are lawfully processed.

2. In accordance with Article 34 36 , the Member State of origin shall ensure the security of the data referred to in paragraph 1 before and during transmission to the Central System as well as the security of the data it receives from the Central System.

3. The Member State of origin shall be responsible for the final identification of the data pursuant to Article 25 26(4).

4. The Agency \E> eu-LISA O shall ensure that the Central System is operated in accordance with the provisions of this Regulation. In particular, the Agency \E> eu-LISA O shall:

(a)  adopt measures ensuring that persons working with the Central System process the data recorded therein only in accordance with the purposes of Eurodac as laid down in Article 1;

(b)  take the necessary measures to ensure the security of the Central System in accordance with Article 34 36 ;

(c)  ensure that only persons authorised to work with the Central System have access thereto, without prejudice to the competences of the European Data Protection Supervisor.

The Agency \E> eu-LISA O shall inform the European Parliament and the Council as well as the European Data Protection Supervisor of the measures it takes pursuant to the first subparagraph.

Article 24 25

Transmission

1. Fingerprints shall be digitally processed and transmitted in the data format referred to \S> as set out O in ■=> the agreed Interface Control Document ^ Annex I. As far as necessary for the efficient operation of the Central System, the Agency \E> eu-LISA O shall establish the technical requirements for transmission of the data format by Member States to the Central System and vice versa. The Agency \E> eu-LISA O shall ensure that the fingerprint data ■=> and facial images ^ transmitted by the Member States can be compared by the computerised fingerprint ■=> and facial ^ recognition system.

2. Member States shall transmit the data referred to in Article 11 12, Article 14 13 (2) and Article 17 14 (2) electronically. The data referred to in Article 11 12, and Article 14 13(2) ■=> and Article 14(2) ^ shall be automatically recorded in the Central System. As far as necessary for the efficient operation of the Central System, the Agency \E> eu-LISA O shall establish the technical requirements to ensure that data can be properly electronically transmitted from the Member States to the Central System and vice versa.

3. The reference number referred to in Articles 11(d) 12(i), 14(2)(d) 13(2)(i), 17 14(1) O (2)(i) ^ and 19 20(1) shall make it possible to relate data unambiguously to one particular person and to the Member State which is transmitting the data. In addition, it shall make it possible to tell whether such data relate to a person referred to in Article 9 10 (1), 14 13 (1) or 17 14(1).

4. The reference number shall begin with the identification letter or letters by which, in accordance with the norm referred to in Annex I, the Member State transmitting the data is identified. The identification letter or letters shall be followed by the identification of the category of person or request. '1' refers to data relating to persons referred to in Article 9 10(1), '2' to persons referred to in Article 14 13(1), '3' to persons referred to in Article 17

14(1), '4' to requests referred to in Article 20 21, '5' to requests referred to in Article 21 22 and '9' to requests referred to in Article 29 30 .

5. The Agency \E> eu-LISA O shall establish the technical procedures necessary for Member States to ensure receipt of unambiguous data by the Central System.

6 The Central System shall confirm receipt of the transmitted data as soon as possible. To that end, the Agency \E> eu-LISA O shall establish the necessary technical requirements to ensure that Member States receive the confirmation receipt if requested.

Article 25 26

Carrying out comparisons and transmitting results

1. Member States shall ensure the transmission of fingerprint data of an appropriate quality for the purpose of comparison by means of the computerised fingerprint ■=> and facial <=■ recognition system. As far as necessary to ensure that the results of the comparison by the Central System reach a very high level of accuracy, the Agency \E> eu-LISA <Zi shall define the appropriate quality of transmitted fingerprint data. The Central System shall, as soon as possible, check the quality of the fingerprint ■=> and facial image ^ data transmitted. If fingerprint ■=> or facial image ^ data do not lend themselves to comparison using the computerised fingerprint ■=> and facial ^ recognition system, the Central System shall inform the Member State concerned. That Member State shall then transmit fingerprint ■=> or facial image ^ data of the appropriate quality using the same reference number as the previous set of fingerprint ■=> or facial image ^ data.

2. The Central System shall carry out comparisons in the order of arrival of requests. Each request shall be dealt with within 24 hours. A Member State may for reasons connected with national law require particularly urgent comparisons to be carried out within one hour. Where such time-limits cannot be respected owing to circumstances which are outside the Agency's \E> eu-LISA's <S1 responsibility, the Central System shall process the request as a matter of priority as soon as those circumstances no longer prevail. In such cases, as far as is necessary for the efficient operation of the Central System, the Agency \E> eu-LISA O shall establish criteria to ensure the priority handling of requests.

3. As far as necessary for the efficient operation of the Central System, the Agency \E> eu-LISA O shall establish the operational procedures for the processing of the data received and for transmitting the result of the comparison.

4. The result of the comparison \E> of fingerprint data carried out pursuant to Article 15 <S1 shall be immediately checked in the receiving Member State by a fingerprint expert as defined in accordance with its national rules, specifically trained in the types of fingerprint comparisons provided for in this Regulation. For the purposes laid down in Article 1(1)(a) and (b) of this Regulation, final identification shall be made by the Member State of origin in cooperation with the other Member States concerned, pursuant to Article 34 of Regulation (EU) No 604/2013.

•0- new

5. The result of the comparison of facial image data carried out pursuant to Article 16 shall be immediately checked and verified in the receiving Member State. For the purposes laid down in Article 1(1)(a) and (b) of this Regulation, final identification shall be made by the Member State of origin in cooperation with the other Member States concerned.

^ 603/2013 (adapted)

■=> new

Information received from the Central System relating to other data found to be unreliable shall be erased as soon as the unreliability of the data is established.

56. Where final identification in accordance with paragraph 4 reveals that the result of the comparison received from the Central System does not correspond to the fingerprint ■=> or facial image ^ data sent for comparison, Member States shall immediately erase the result of the comparison and communicate this fact as soon as possible and no later than after three working days to the Commission and to \E> eu-LISA <S1 the Agency ■=> and inform them of the reference number of the Member State of origin and the reference number of the Member State that received the result ^ .

Article 26 27

Communication between Member States and the Central System

Data transmitted from the Member States to the Central System and vice versa shall use the Communication Infrastructure. As far as is necessary for the efficient operation of the Central System, the Agency \E> eu-LISA O shall establish the technical procedures necessary for the use of the Communication Infrastructure.

Article 27 28

Access to, and correction or erasure of, data recorded in Eurodac

1. The Member State of origin shall have access to data which it has transmitted and which are recorded in the Central System in accordance with this Regulation.

No Member State may conduct searches of the data transmitted by another Member State, nor may it receive such data apart from data resulting from the comparison referred to in Article 9(5) ■=> 15 and 16 ^ .

2. The authorities of Member States which, pursuant to paragraph 1 of this Article, have access to data recorded in the Central System shall be those designated by each Member State for the purposes laid down in Article 1(1)(a) and (b). That designation shall specify the exact unit responsible for carrying out tasks related to the application of this Regulation. Each Member State shall without delay communicate to the Commission and the Agency \E> eu-LISA O a list of those units and any amendments thereto. The Agency \E> eu-LISA O shall publish the consolidated list in the Official Journal of the European Union. Where there are amendments thereto, the Agency \E> eu-LISA O shall publish once a year an updated consolidated list online.

3. Only the Member State of origin shall have the right to amend the data which it has transmitted to the Central System by correcting or supplementing such data, or to erase them, without prejudice to erasure carried out in pursuance of Article ■=> 18 <=■ 12(2) or 16(1).

4. If a Member State or the Agency \E> eu-LISA O has evidence to suggest that data recorded in the Central System are factually inaccurate, it shall ■=> , without prejudice to the notification of a personal data breach pursuant to Article [33..] of Regulation (EU) No […/ 2016], ^ advise the Member State of origin as soon as possible.

If a Member State has evidence to suggest that data were recorded in the Central System in breach of this Regulation, it shall advise \E> eu-LISA O the Agency, the Commission and the Member State of origin as soon as possible. The Member State of origin shall check the data concerned and, if necessary, amend or erase them without delay.

5. The Agency \E> eu-LISA O shall not transfer or make available to the authorities of any third country data recorded in the Central System. This prohibition shall not apply to transfers of such data to third countries to which Regulation (EU) No […/…] 604/2013 applies.

Article 28 29

Keeping of records

1. The Agency \E> eu-LISA O shall keep records of all data processing operations within the Central System. These records shall show the purpose, date and time of access, the data transmitted, the data used for interrogation and the name of both the unit entering or retrieving the data and the persons responsible.

2. The records referred to in paragraph 1 of this Article may be used only for the data protection monitoring of the admissibility of data processing as well as to ensure data security pursuant to Article 34. The records must be protected by appropriate measures against unauthorised access and erased after a period of one year after the storage period referred to in Article ■=> 17 <=■ 12(1) and in Article 16(1) has expired, unless they are required for monitoring procedures which have already begun.

3. For the purposes laid down in Article 1(1)(a) and (b), each Member State shall take the necessary measures in order to achieve the objectives set out in paragraphs 1 and 2 of this Article in relation to its national system. In addition, each Member State shall keep records of the staff duly authorised to enter or retrieve the data.

Article 29 30

Rights \E> of information O of the data subject

1. A person covered by Article 9 10 (1), Article 14 13(1) or Article 17 14(1) shall be informed by the Member State of origin in writing, and where necessary, orally, in a language that he or she understands or is reasonably supposed to understand ■=> in a concise, transparent, intelligible and easily accessible form, using clear and plain language ^ , of the following:

(a)  the identity of the controller within the meaning of Article 2(d) of Directive [../../EU]95/46/EC and of his or her representative, if any ■=> and the contact details of the data protection officer ^ ;

(b)  the purpose for which his or her data will be processed in Eurodac, including a description of the aims of Regulation (EU) No […/…] 604/2013, in accordance with ■=> Article 6 ^ thereof and an explanation in intelligible form, using clear and plain language, of the fact that Eurodac may be accessed by the Member States and Europol for law enforcement purposes;

(c) the recipients ■=> or categories of recipients ^ of the data;

(d)  in relation to a person covered by Article 9 10 (1) or 14 13(1) ■=> or 14(1) <=■ , the obligation to have his or her fingerprints taken;

•0- new

(e) the period for which the data will be stored pursuant to Article 17;

^ 603/2013 (adapted)

■=> new

(ef) \E> the existence of <S1 the right ■=> to request from the controller <^ of access to data relating to him or her, and the right to request that inaccurate data relating to him or her be corrected \E> rectified <S1 ■=> and the completion of incomplete personal data ^ or that unlawfully processed \E> personal <S1 data relating to \E> concerning O him or her be erased or restricted, as well as the right to receive information on the procedures for exercising those rights including the contact details of the controller and the national supervisory authorities referred to in Article 30 32(1).;

•0- new

(g) the right to lodge a complaint to the supervisory authority.

^ 603/2013 (adapted)

■=> new

2. In relation to a person covered by Article 9 10(1) or 14 13 (1) ■=> and 14(1) ^ , the information referred to in paragraph 1 of this Article shall be provided at the time when his or her fingerprints are taken.

In relation to a person covered by Article 17(1), the information referred to in paragraph 1 of this Article shall be provided no later than at the time when the data relating to that person are transmitted to the Central System. That obligation shall not apply where the provision of such information proves impossible or would involve a disproportionate effort.

Where a person covered by Article 9 10 (1), Article 14 13(1) and Article 17 14(1) is a minor, Member States shall provide the information in an age-appropriate manner.

3. A common leaflet, containing at least the information referred to in paragraph 1 of this Article and the information referred to in ■=> Article 6(2) ^of Regulation (EU) No […/…] 604/2013 shall be drawn up in accordance with the procedure referred to in Article 44(2) of that Regulation.

The leaflet shall be clear and simple, drafted ■=> in a concise, transparent, intelligible and easily accessible form and ^ in a language that the person concerned understands or is reasonably supposed to understand.

The leaflet shall be established in such a manner as to enable Member States to complete it with additional Member State-specific information. This Member State-specific information shall include at least the rights of the data subject, the possibility of assistance ■=> information ^ by the national supervisory authorities, as well as the contact details of the

office of the controller ■=> and of the data protection officer, ^ and the national supervisory authorities.

Article 31

\E> Right of access to, rectification and erasure of personal data <E\

41. For the purposes laid down in Article 1(1)(a) and (b) of this Regulation, in each Member State any data subject may, in accordance with the laws, regulations and procedures of that State, exercise the rights provided for in Article 12 of Directive 95/46/EC ■=> the data subject's rights of access, rectification and erasure shall be exercised in accordance ,with Chapter III of Regulation (EU) No. […/ 2016] and applied as set out in this Article ^ .

Without prejudice to the obligation to provide other information in accordance with Article 12(a) of Directive 95/46/EC, \E> 2. The right of access of <S1 the data subject \E> in each Member State <S1 shall have [x> include <S1 the right to obtain communication of the data relating to him or her recorded in the Central System and of the Member State which transmitted them to the Central System. Such access to data may be granted only by a Member State.

5. For the purposes laid down in Article 1(1), in each Member State, any person may request that data which are factually inaccurate be corrected or that data recorded unlawfully be erased. The correction and erasure shall be carried out without excessive delay by the Member State which transmitted the data, in accordance with its laws, regulations and procedures.

62. For the purposes laid down in Article 1(1), iIf the rights of correction \S> rectification O and erasure are exercised in a Member State other than that, or those, which transmitted the data, the authorities of that Member State shall contact the authorities of the Member State or States which transmitted the data so that the latter may check the accuracy of the data and the lawfulness of their transmission and recording in the Central System.

73. For the purposes laid down in Article 1(1), iIf it emerges that data recorded in the Central System are factually inaccurate or have been recorded unlawfully, the Member State which transmitted them shall correct \E> rectify <S1 or erase the data in accordance with Article 27 28(3). That Member State shall confirm in writing to the data subject without excessive delay that it has taken action to correct \E> , rectify, <S1 ■=> complete, <^ or erase ■=> or restrict the processing of <^ \E> personal <S1 data relating to him or her.

84. For the purposes laid down in Article 1(1), iIf the Member State which transmitted the data does not agree that data recorded in the Central System are factually inaccurate or have been recorded unlawfully, it shall explain in writing to the data subject without excessive delay why it is not prepared to correct or erase the data.

That Member State shall also provide the data subject with information explaining the steps which he or she can take if he or she does not accept the explanation provided. This shall include information on how to bring an action or, if appropriate, a complaint before the competent authorities or courts of that Member State and any financial or other assistance that is available in accordance with the laws, regulations and procedures of that Member State.

95. Any request under paragraphs 4 1 and 5 2 E> of this Article for access, rectification or erasure <S1 shall contain all the necessary particulars to identify the data subject, including fingerprints. Such data shall be used exclusively to permit the exercise of the \E> data subject's <S1 rights referred to in paragraphs 4 1 and 5 2 and shall be erased immediately afterwards.

106. The competent authorities of the Member States shall cooperate actively to enforce promptly the \S> data subject's <S1 rights laid down in paragraphs 5, 6 and 7 \S> for rectification and erasure <S1 .

117. Whenever a person requests \E> access to <S1 data relating to him or her in accordance with paragraph 4, the competent authority shall keep a record in the form of a written document that such a request was made and how it was addressed, and shall make that document available to the national supervisory authorities without delay.

12. For the purposes laid down in Article 1(1) of this Regulation, in each Member State, the national supervisory authority shall, on the basis of his or her request, assist the data subject in accordance with Article 28(4) of Directive 95/46/EC in exercising his or her rights.

138. For the purposes laid down in Article 1(1) of this Regulation, tThe national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State in which the data subject is present shall assist and, where requested, advise him or her in exercising \S> provide information to the data subject concerning the exercise of <S1 his or her right to ■=> request from the data controller access, <^ correct \E> rectification, O ■=> completion, ^ or erase \E> erasure O ■=> or restriction of the processing of <^ \E> personal <S1 data \E> concerning him or her <S1 . Both national \S> The <S1 supervisory authorities shall cooperate to this end ■=> in accordance with Chapter VII of Regulation (EU) […/2016] ^ . Requests for such assistance may be made to the national supervisory authority of the Member State in which the data subject is present, which shall transmit the requests to the authority of the Member State which transmitted the data.

14. In each Member State any person may, in accordance with the laws, regulations and procedures of that State, bring an action or, if appropriate, a complaint before the competent authorities or courts of the State if he or she is refused the right of access provided for in paragraph 4.

15. Any person may, in accordance with the laws, regulations and procedures of the Member State which transmitted the data, bring an action or, if appropriate, a complaint before the competent authorities or courts of that State concerning the data relating to him or her recorded in the Central System, in order to exercise his or her rights under paragraph 5. The obligation of the national supervisory authorities to assist and, where requested, advise the data subject in accordance with paragraph 13 shall subsist throughout the proceedings.

Article 30 32

Supervision by the national supervisory authorities

1. For the purposes laid down in Article 1(1) of this Regulation, each Member State shall provide that tThe national supervisory authority or authorities \E> of each Member State <S1 designated pursuant to Article ■=> 41 <=■ 28(1) of Directive 95/46/EC ■=> referred to in Article [46(1)] of Regulation (EU) […/2016] ^ shall monitor independently, in accordance with its respective national law, the lawfulness of the processing, in accordance with this Regulation, of personal data by the Member State in question \E> for the purposes laid out in Article 1(1)(a) and (b) <S1 , including their transmission to the Central System.

2. Each Member State shall ensure that its national supervisory authority has access to advice from persons with sufficient knowledge of fingerprint data.

Article 31 33

Supervision by the European Data Protection Supervisor

1. The European Data Protection Supervisor shall ensure that all the personal data processing activities concerning Eurodac, in particular by ⌦ eu-LISA ⌫ the Agency, are carried out in accordance with Regulation (EC) No 45/2001 and with this Regulation.

2. The European Data Protection Supervisor shall ensure that an audit of the Agency's ⌦ eu-LISA's ⌫ personal data processing activities is carried out in accordance with international auditing standards at least every three years. A report of such audit shall be sent to the European Parliament, the Council, the Commission, ⌦ eu-LISA ⌫ the Agency, and the national supervisory authorities. The Agency ⌦ eu-LISA ⌫ shall be given an opportunity to make comments before the report is adopted.

Article 32 34

Cooperation between national supervisory authorities and the European Data

Protection Supervisor

1. The national supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively in the framework of their responsibilities and shall ensure coordinated supervision of Eurodac.

2. Member States shall ensure that every year an audit of the processing of personal data for the purposes laid down in Article 1(21)(c) is carried out by an independent body, in accordance with Article 33(2) 35(1), including an analysis of a sample of reasoned electronic requests.

The audit shall be attached to the annual report of the Member States referred to in Article 40(7) 42(8).

3. The national supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties of interpretation or application of this Regulation, study problems with the exercise of independent supervision or in the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

4. For the purpose laid down in paragraph 3, the national supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year. The costs and servicing of these meetings shall be for the account of the European Data Protection Supervisor. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary. A joint report of activities shall be sent to the European Parliament, the Council, the Commission and the Agency ⌦ eu-LISA ⌫ every two years.

Article 33 35

Protection of personal data for law enforcement purposes

1. Each Member State shall provide that the provisions adopted under national law implementing Framework Decision 2008/977/JHA are also applicable to the processing of personal data by its national authorities for the purposes laid down in Article 1(2) of this Regulation.

21. The ⌦ supervisory authority or authorities of each Member State referred to in Article [39(1)] of Directive [2016/… /EU] shall ⌫ monitoring of the lawfulness of the processing of personal data under this Regulation by the Member States for the purposes laid down in Article 1(21)(c) of this Regulation, including their transmission to and from Eurodac, shall be

carried out by the national supervisory authorities designated pursuant to Framework Decision 2008/977/JHA.

32. The processing of personal data by Europol pursuant to this Regulation shall be in accordance with Decision 2009/371/JHA and shall be supervised by an independent external data protection supervisor. Articles 30, 31 and 32 of that Decision shall be applicable to the processing of personal data by Europol pursuant to this Regulation. The independent external data protection supervisor shall ensure that the rights of the individual are not violated.

43. Personal data obtained pursuant to this Regulation from Eurodac for the purposes laid down in Article 1(21)(c) shall only be processed for the purposes of the prevention, detection or investigation of the specific case for which the data have been requested by a Member State or by Europol.

54. ⌦ Without prejudice to Article [23 and 24] of Directive [2016/ …/EU], ⌫ Tthe Central System, the designated and verifying authorities and Europol shall keep records of the searches for the purpose of permitting the national data protection authorities and the European Data Protection Supervisor to monitor the compliance of data processing with Union data protection rules, including for the purpose of maintaining records in order to prepare the annual reports referred to in Article 40(7) 42(8). Other than for such purposes, personal data, as well as the records of the searches, shall be erased in all national and Europol files after a period of one month, unless the data are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol.

Article 34 36

Data security

1. The Member State of origin shall ensure the security of the data before and during transmission to the Central System.

2. Each Member State shall, in relation to all data processed by its competent authorities pursuant to this Regulation, adopt the necessary measures, including a security plan, in order

to:

(a)   physically protect the data, including by making contingency plans for the protection of critical infrastructure;

(b)   deny unauthorised persons access to ■=> data-processing equipment and <^ national installations in which the Member State carries out operations in accordance with the purposes of Eurodac ( ■=> equipment, access control and ^ checks at entrance to the installation);

(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)   prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data (storage control);

•0- new

(e) prevent the use of automated data-processing systems by unauthorized persons using data communication equipment (user control);

^ 603/2013 (adapted)

(ef) prevent the unauthorised processing of data in Eurodac and any unauthorised modification or erasure of data processed in Eurodac (control of data entry);

(fg) ensure that persons authorised to access Eurodac have access only to the data covered by their access authorisation, by means of individual and unique user IDs and confidential access modes only (data access control);

(gh) ensure that all authorities with a right of access to Eurodac create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, erase and search the data, and make those profiles and any other relevant information which those authorities may require for supervisory purposes available to the national supervisory authorities referred to in ⌦ Chapter VI of of Regulation (EU) No. […/2016] ⌫ Article 28 of Directive 95/46/EC] and in ⌦ Chapter VI ofArticle of Directive [2016/.../EU] ⌫ ⌦ Article [..] of Directive [2016/.../EU] ⌫ 25 of Framework Decision 2008/977/JHA without delay at their request (personnel profiles);

(hi) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(ij) ensure that it is possible to verify and establish what data have been processed in Eurodac, when, by whom and for what purpose (control of data recording);

(jk) prevent the unauthorised reading, copying, modification or erasure ⌦ deletion ⌫ of personal data during the transmission of personal data to or from Eurodac or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

•0- new

(l) ensure that installed systems may, in case of interruption, be restored (recovery);

(m) ensure that the functions of Eurodac perform, that the appearance of faults in the functions is reported (reliability) and that stored personal data cannot be corrupted by means of malfunctioning of the system (integrity);

^ 603/2013 (adapted)

■=> new

(kn) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring in order to ensure compliance with this Regulation (self-auditing) and to automatically detect within 24 hours any relevant events arising from the application of measures listed in points (b) to (j) ■=> (k) ^ that might indicate the occurrence of a security incident.

3. Member States shall inform the Agency \E> eu-LISA <Zi of security incidents detected on their systems ■=> without prejudice to the notification and communication of a personal data breach pursuant to [Articles 31 and 32] of Regulation (EU) No […/2016] respectively [Articles 28 and 29] ^ . The Agency \E> eu-LISA O shall inform the Member States,

Europol and the European Data Protection Supervisor in case of security incidents. The Member States concerned, the Agency ⌦ eu-LISA ⌫ and Europol shall collaborate during a security incident.

4. The Agency ⌦ eu-LISA ⌫ shall take the necessary measures in order to achieve the objectives set out in paragraph 2 as regards the operation of Eurodac, including the adoption of a security plan.

Article 35 37

Prohibition of transfers of data to third countries, international organisations or private

entities

1. Personal data obtained by a Member State or Europol pursuant to this Regulation from the Central System shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. This prohibition shall also apply if those data are further processed at national level or between Member States within the meaning of [Article […]2(b) of Directive [2016/../EU] Framework Decision 2008/977/JHA].

2. Personal data which originated in a Member State and are exchanged between Member States following a hit obtained for the purposes laid down in Article 1(2)(1)(c) shall not be transferred to third countries if there is a serious ⌦ real ⌫ risk that as a result of such transfer the data subject may be subjected to torture, inhuman and degrading treatment or punishment or any other violation of his or her fundamental rights.

•0- new

3. No information regarding the fact that an application for international protection has been made in a Member State shall be disclosed to any third-country for persons related to Article 10(1), particularly where that country is also the applicant's country of origin.

^ 603/2013 (adapted)

■=> new

34. The prohibitions referred to in paragraphs 1 and 2 shall be without prejudice to the right of Member States to transfer such data ■=> in accordance with Chapter V of Regulation (EU) No […/2016] respectively with the national rules adopted pursuant to Directive [2016/…/EU] <^ to third countries to which Regulation (EU) No […/…] 604/2013 applies.

•0- new

Article 38 - Transfer of data to third countries for the purpose of return

1. By way of derogation from Article 37 of this Regulation, the personal data relating to persons referred to in Articles 10(1), 13(2), 14(1) obtained by a Member State following a hit for the purposes laid down in Article 1(1)(a) or (b) may be transferred or made available to a third-country in accordance with Article 46 of Regulation (EU) No. […/2016], if necessary in

order to prove the identity of third-country nationals for the purpose of return, only where the following conditions are satisfied:

(b)      the third country explicitly agrees to use the data only for the purpose for which they were provided and to what is lawful and necessary to secure the purposes laid down in Article 1(1)(b) and to delete that data where it is no longer justified to keep it;

(c)       the Member State of origin which entered the data in the Central System has given its consent and the individual concerned has been informed that his or her personal information may be shared with the authorities of a third-country.

2. No information regarding the fact that an application for international protection has been made in a Member State shall be disclosed to any third-country for persons related to Article 10(1), particularly where that country is also the applicant's country of origin.

3. A third-country shall not have direct access to the Central System to compare or transmit fingerprint data or any other personal data of a third-country national or stateless person and shall not be granted access via a Member State's designated National Access Point.

^ 603/2013 (adapted)

■=> new

Article 36 39

Logging and documentation

1. Each Member State and Europol shall ensure that all data processing operations resulting from requests for comparison with Eurodac data for the purposes laid down in Article 1(2)(1)(c) are logged or documented for the purposes of checking the admissibility of the request, monitoring the lawfulness of the data processing and data integrity and security, and self-monitoring.

2. The log or documentation shall show in all cases:

(a) the exact purpose of the request for comparison, including the concerned form of a terrorist offence or other serious criminal offence and, for Europol, the exact purpose of the request for comparison;

(b)  the reasonable grounds given not to conduct comparisons with other Member States under Decision 2008/615/JHA, in accordance with Article 20 21(1) of this Regulation;

(c) the national file reference;

(d)  the date and exact time of the request for comparison by the National Access Point to the Central System;

(e) the name of the authority having requested access for comparison, and the person responsible who made the request and processed the data;

(f)  where applicable, the use of the urgent procedure referred to in Article 19(3) 20(4) and the decision taken with regard to the ex-post verification;

(g) the data used for comparison;

(h) in accordance with national rules or with Decision 2009/371/JHA, the identifying mark of the official who carried out the search and of the official who ordered the search or supply.

3. Logs and documentation shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs \E> which do not <S1 containing non-personal data may be used for the monitoring and evaluation referred to in Article 40 42 . The competent national supervisory authorities responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security shall have access to these logs at their request for the purpose of fulfilling their duties \E> tasks <S1 .

Article 37 40

Liability

1. Any person who, or Member State which, has suffered E> material or immaterialO damage as a result of an unlawful processing operation or any act incompatible with this Regulation shall be entitled to receive compensation from the Member State responsible for the damage suffered. That State shall be exempted from its liability, in whole or in part, if it proves that it is not \E> in any way <S1 responsible for the event giving rise to the damage.

2. If the failure of a Member State to comply with its obligations under this Regulation causes damage to the Central System, that Member State shall be liable for such damage, unless and insofar as the Agency \E> eu-LISA O or another Member State failed to take reasonable steps to prevent the damage from occurring or to minimise its impact.

3. Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State ■=> in accordance with Articles [75 and 76] of Regulation (EU) […/2016] and Articles [52 and 53] of Directive [2016/… /EU] ^ .

CHAPTER VIII AMENDMENTS TO REGULATION (EU) NO 1077/2011

Article 38

Amendments to Regulation (EU) No 1077/2011

(EU) No 1077/2011 is amended as

(1) Article 5 is replaced by the following:

"Article 5

Tasks relating to Eurodac

In relation to Eurodac, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of Eurodac for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country

or a stateless person), and on requests for the

Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes45; and

(b) tasks relating to training on the technical use of Eurodac."»

(2) Article 12(1) is amended as follows:

(a) points (u) and (v) are replaced by the following:

"(u) adopt the annual report on the activities of the Central System of Eurodac pursuant to Article 40(1) of Regulation (EU) No 603/2013;

(v) make comments on the European Data Protection Supervisor's reports on the audits pursuant to Article 45(2) of Regulation (EC) No 1987/2006, Article 42(2) of Regulation (EC) No 767/2008 and Article 31(2) of Regulation (EU) No 603/2013 and ensure appropriate follow-up of those audits;";»

(b) point (x) is replaced by the following:

"(x) compile statistics on the work of the Central System of Eurodac pursuant to Article 8(2) of Regulation (EU) No 603/2013;";»

(c) point (z) is replaced by the following:

"(z) ensure annual publication of the list of units pursuant to Article 27(2) of Regulation (EU) No 603/2013;";»

(3) Article 15(4) is replaced by the following:

"4. Europol and Eurojust may attend the meetings of the Management Board as observers when a question concerning SIS II, in relation to the application of Decision 2007/533/JHA, is on the agenda. Europol may also attend the meetings of the Management Board as observer when a question concerning VIS, in relation to the application of Decision 2008/633/JHA, or a question concerning Eurodac, in relation to the application of Regulation (EU) No 603/2013, is on the agenda.";»

(4) Article 17 is amended as follows:

(a) in paragraph 5, point (g) is replaced by the following:

"(g) without prejudice to Article 17 of the Staff Regulations, establish confidentiality requirements in order to comply with Article 17 of (EC) No 1987/2006, Article 17 of

Article 26(9) of Regulation (EC) No 767/2008 and Article 4(4) of Regulation (EU) No 603/2013;";»

(b) in paragraph 6, point (i) is replaced by the following:

"(i) reports on the technical functioning of each large-scale IT system referred to in Article 12(1)(t) and the annual report on the activities of the Central System of Eurodac referred to in Article 12(1)(u), on the basis of the results of monitoring and evaluation.";»

(5) Article 19(3) is replaced by the following:

45

OJ L 180, 29.6.2013, p. 1.;

"3. Europol and Eurojust may each appoint a representative to the SIS II Advisory Group. Europol may also appoint a representative to the VIS and Eurodac Advisory Groups.".»

CHAPTERIX FINAL PROVISIONS

Article 39 41

Costs

1. The costs incurred in connection with the establishment and operation of the Central System and the Communication Infrastructure shall be borne by the general budget of the European Union.

2. The costs incurred by national access points and the costs for connection to the Central System shall be borne by each Member State.

3. Each Member State and Europol shall set up and maintain at their expense the technical infrastructure necessary to implement this Regulation, and shall be responsible for bearing its costs resulting from requests for comparison with Eurodac data for the purposes laid down in Article 1(21)(c).

Article 40 42

Annual report: monitoring and evaluation

1. The Agency ⌦ eu-LISA ⌫ shall submit to the European Parliament, the Council, the Commission and the European Data Protection Supervisor an annual report on the activities of the Central System, including on its technical functioning and security. The annual report shall include information on the management and performance of Eurodac against pre-defined quantitative indicators for the objectives referred to in paragraph 2.

2. The Agency ⌦ eu-LISA ⌫ shall ensure that procedures are in place to monitor the functioning of the Central System against objectives relating to output, cost-effectiveness and quality of service.

3. For the purposes of technical maintenance, reporting and statistics, the Agency ⌦ eu-LISA ⌫ shall have access to the necessary information relating to the processing operations performed in the Central System.

•0- new

4. By [2020] eu-LISA shall conduct a study on the technical feasibility of adding facial recognition software to the Central System for the purposes of comparing facial images. The study shall evaluate the reliability and accuracy of the results produced from facial recognition software for the purposes of EURODAC and shall make any necessary recommendations prior to the introduction of the facial recognition technology to the Central System.

^ 603/2013 (adapted)

■=> new

45. By 20 July 2018 ■=>[…] <=■ and every four years thereafter, the Commission shall produce an overall evaluation of Eurodac, examining the results achieved against objectives and the impact on fundamental rights, including whether law enforcement access has led to indirect discrimination against persons covered by this Regulation, and assessing the continuing validity of the underlying rationale and any implications for future operations, and shall make any necessary recommendations. The Commission shall transmit the evaluation to the European Parliament and the Council.

56. Member States shall provide the Agency \E> eu-LISA O and the Commission with the information necessary to draft the annual report referred to in paragraph 1.

67. The Agency \E> eu-LISA O , Member States and Europol shall provide the Commission with the information necessary to draft the overall evaluation provided for in paragraph 4 5. This information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

78. While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of the comparison of fingerprint data with Eurodac data for law enforcement purposes, containing information and statistics on:

the exact purpose of the comparison, including the type of terrorist offence or serious criminal offence,

grounds given for reasonable suspicion,

the reasonable grounds given not to conduct comparison with other Member States under Decision 2008/615/JHA, in accordance with Article 20 21(1) of this Regulation,

number of requests for comparison,

the number and type of cases which have ended in successful identifications, and

the need and use made of the exceptional case of urgency, including those cases where that urgency was not accepted by the ex post verification carried out by the verifying authority.

Member States' and Europol annual reports shall be transmitted to the Commission by 30 June of the subsequent year.

89. On the basis of Member States and Europol annual reports provided for in paragraph 7 8 and in addition to the overall evaluation provided for in paragraph 4 5, the Commission shall compile an annual report on law enforcement access to Eurodac and shall transmit it to the European Parliament, the Council and the European Data Protection Supervisor.

Article 41 43

Penalties

Member States shall take the necessary measures to ensure that any processing of data entered in the Central System contrary to the purposes of Eurodac as laid down in Article 1 is

punishable by penalties, including administrative and/or criminal penalties in accordance with national law, that are effective, proportionate and dissuasive.

Article 42 44

Territorial scope

The provisions of this Regulation shall not be applicable to any territory to which [Regulation (EU) No 604/2013 does not apply].

Article 43 45

Notification of designated authorities and verifying authorities

1. By ■=> […] ^ 20 October 2013, each Member State shall notify the Commission of its designated authorities, of the operating units referred to in Article 5 6(3) and of its verifying authority, and shall notify without delay any amendment thereto.

2. By ■=> […] ^ 20 October 2013, Europol shall notify the Commission of its designated authority, of its verifying authority and of the National Access Point which it has designated, and shall notify without delay any amendment thereto.

3. The Commission shall publish the information referred to in paragraphs 1 and 2 in the Official Journal of the European Union on an annual basis and via an electronic publication that shall be available online and updated without delay.

Article 44

Transitional provision

Data blocked in the Central System in accordance with Article 12 of Regulation (EC) No 2725/2000 shall be unblocked and marked in accordance with Article 18(1) of this Regulation on 20 July 2015.

Article 45 46

Repeal

Regulation (EC) No 2725/2000 and Regulation (EC) No 407/2002 are \E> (EU) No 603/2013 is <S1 repealed with effect from 20 July 2015 ■=>[…]<=■ .

References to the repealed Regulations shall be construed as references to this Regulation and shall be read in accordance with the correlation table in the Annex III.

Article 46 47

Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply from 20 July 2015 ■=>[…]<=■ .

•0- new

Articles 2(2), 32, 32 and, for the purposes referred to in Article 1(1)(a) and (b), Articles 28(4), 30 and 37 shall apply from the date referred to in Article 91(2) of Regulation (EU) […/2016]. Until this date Articles 2(2), 27(4), 29, 30 and 35 of Regulation 603/2013 shall apply.

Articles 2(4), 35, and for the purposes referred to in Article 1(1)(c), Article 28(4), 30, 37 and 40 shall apply from the date referred to in Article 62(1) of Directive [2016/ …/EU]. Until this date Articles 2(4), 27(4), 29, 33, 35 and 37 of Regulation 603/2013 shall apply.

Comparisons of facial images with the use of facial recognition software as set out in Articles 15 and 16 of this Regulation shall apply from the date upon which the facial recognition technology has been introduced into the Central System. Facial recognition software shall be introduced into the Central System [two years from the date of entry into force of this Regulation]. Until that day, facial images shall be stored in the Central System as part of the data-subject's data sets and transmitted to a Member State following the comparison of fingerprints where there is a hit result.

^ 603/2013 (adapted)

■=> new

Member States shall notify the Commission and the Agency \E> eu-LISA O as soon as they have made the technical arrangements to transmit data to the Central System \E> under Articles XX-XX O , and in any event no later than 20 July 2015 ■=>[…]<=■ .

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.