Commission Delegated Regulation (EU) 2021/2223 of 30 September 2021 supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council with detailed rules on the operation of the central repository for reporting and statistics
THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA [OJ L 135, 22.5.2019, p. 27.], and in particular Article 39(5) thereof,

Whereas:

(1) Regulation (EU) 2019/817 together with Regulation (EU) 2019/818 of the European Parliament and of the Council [Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85).], establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration.

(2) That framework includes a number of components and tools supporting interoperability, including a central repository for reporting and statistics ("the central repository"). The central repository stores anonymised data extracted from the underlying EU information systems, the shared biometric matching service, the common identity repository and the multi-identity detector, in order to provide cross-system statistical reporting for policy, operational and data quality purposes.

(3) The European Agency for the Operational Management of Large-scale IT Systems in the Area of Freedom, Security and Justice ("eu-LISA") is responsible for establishing, implementing and hosting the central repository and for its operational management.

(4) In order to enable the central repository to provide cross-system statistical data, it is necessary to lay down detailed rules on its operation, including specific standards for the processing of personal data, and security rules.

(5) In order to make it impossible to identify individuals from the statistical data in the central repository, eu-LISA should develop a data anonymisation tool as part of its architecture. The anonymisation process should be automated.

(6) Controlled and secured access should be granted only to authorised staff of the competent authorities, Union institutions and agencies, so that they can consult the data and statistics in the central repository. For that purpose, eu-LISA should develop a reporting tool as part of its architecture. eu-LISA staff should not have direct access to any personal data stored in the EU information systems or the interoperability components.

(7) In order to keep trace of the cross-matching of identity files within or between the corresponding EU information systems for relevant statistical purposes, the central repository should keep a unique reference number. It should not be possible to use that number to retrieve information from the identity files.

(8) The technical solution hosting the central repository should be implemented at eu-LISA’s technical site and at the backup site in order to ensure it remains available at all times.

(9) Given that Regulation (EU) 2019/817 builds upon the Schengen acquis, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/817 in its national law. It is therefore bound by this Regulation.

(10) This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part [This Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).]. Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(11) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis [OJ L 176, 10.7.1999, p. 36.], which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC [Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).].

(12) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis [OJ L 53, 27.2.2008, p. 52.], which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC [Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).].

(13) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis [OJ L 160, 18.6.2011, p. 21.] which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU [Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).].

(14) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.

(15) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council [Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).] and delivered an opinion on 17 June 2021,

HAS ADOPTED THIS REGULATION: