Commission Delegated Regulation (EU) 2021/2223 of 30 September 2021 supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council with detailed rules on the operation of the central repository for reporting and statistics
Commission Delegated Regulation (EU) 2021/2223of 30 September 2021supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council with detailed rules on the operation of the central repository for reporting and statistics THE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHAOJ L 135, 22.5.2019, p. 27., and in particular Article 39(5) thereof,Whereas:(1)Regulation (EU) 2019/817 together with Regulation (EU) 2019/818 of the European Parliament and of the CouncilRegulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85)., establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration.(2)That framework includes a number of components and tools supporting interoperability, including a central repository for reporting and statistics ("the central repository"). The central repository stores anonymised data extracted from the underlying EU information systems, the shared biometric matching service, the common identity repository and the multi-identity detector, in order to provide cross-system statistical reporting for policy, operational and data quality purposes.(3)The European Agency for the Operational Management of Large-scale IT Systems in the Area of Freedom, Security and Justice ("eu-LISA") is responsible for establishing, implementing and hosting the central repository and for its operational management.(4)In order to enable the central repository to provide cross-system statistical data, it is necessary to lay down detailed rules on its operation, including specific standards for the processing of personal data, and security rules.(5)In order to make it impossible to identify individuals from the statistical data in the central repository, eu-LISA should develop a data anonymisation tool as part of its architecture. The anonymisation process should be automated.(6)Controlled and secured access should be granted only to authorised staff of the competent authorities, Union institutions and agencies, so that they can consult the data and statistics in the central repository. For that purpose, eu-LISA should develop a reporting tool as part of its architecture. eu-LISA staff should not have direct access to any personal data stored in the EU information systems or the interoperability components.(7)In order to keep trace of the cross-matching of identity files within or between the corresponding EU information systems for relevant statistical purposes, the central repository should keep a unique reference number. It should not be possible to use that number to retrieve information from the identity files.(8)The technical solution hosting the central repository should be implemented at eu-LISA’s technical site and at the backup site in order to ensure it remains available at all times.(9)Given that Regulation (EU) 2019/817 builds upon the Schengen acquis, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/817 in its national law. It is therefore bound by this Regulation.(10)This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take partThis Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).. Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.(11)As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquisOJ L 176, 10.7.1999, p. 36., which fall within the area referred to in Article 1, point A of Council Decision 1999/437/ECCouncil Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31)..(12)As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquisOJ L 53, 27.2.2008, p. 52., which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/ECCouncil Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1)..(13)As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquisOJ L 160, 18.6.2011, p. 21. which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EUCouncil Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19)..(14)As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.(15)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the CouncilRegulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 17 June 2021,HAS ADOPTED THIS REGULATION:
Article 1DefinitionsFor the purposes of this Regulation, the following definitions apply:(1)"statistical data" means the data, which is anonymised and used solely for the purpose of producing statistical reports pursuant to Regulation (EU) 2017/2226Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011(OJ L 327, 9.12.2017, p. 20)., Regulation (EU) 2018/1240Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1)., Regulation (EU) 2018/1860Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1)., Regulation (EU) 2018/1861Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14)., Regulation (EU) 2018/1862Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56). and Regulation (EU) 2019/816Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1). of the European Parliament and of the Council;(2)"(statistical) reports" means an organised collection of statistical data, produced by the central repository in an automated manner according to a set of pre-established rules and stored in the central repository;(3)"customisable reports" means statistical reports that are extracted on the basis of statistical data contained in the central repository in accordance with specific rules determined ad hoc by a user and stored in the central repository;(4)"critical identity data" means any of the following data or a combination thereof, from which individuals can be identified:(a)name, first name, surname, family name, given names, alias of any person whose data may be stored in any EU information system;(b)number of travel document;(c)address (street name, house number);(d)telephone, IP address;(e)email addresses;(f)biometric data.
Article 2Information to be contained in the central repository1.The data referred to in Article 39(2) of Regulation (EU) 2019/817 shall be made available and stored in the central repository in accordance with this Regulation.2.The central repository shall contain statistical data, including reports on system usage for the purposes of monitoring the functioning of the interoperability components referred to in Article 66 of Regulation (EU) 2019/817.3.The central repository shall contain technical reports to ensure monitoring by eu-LISA of the development and functioning of the interoperability components in accordance with Article 78(1) of Regulation (EU) 2019/817.4.The central repository shall keep a unique reference number enabling to keep trace of the cross-matching of identity files within or between the corresponding EU information systems for statistical purposes. It shall not be possible to use that reference number to retrieve the underlying identity files.5.The central repository shall enable the duly authorised staff of the competent authorities referred to in Article 39(2) of Regulation (EU) 2019/817 to obtain the following:(a)reports pursuant to Article 63 of Regulation (EU) 2017/2226, containing the following statistics on records kept in the Entry/Exit System:(i)customisable reports and statistics on entries and exits, refusals of entry and overstays of third-country nationals;(ii)daily statistics on overstayers, third-country nationals who were refused entry, third-country nationals whose authorisation for stay was revoked or extended and third country nationals exempt from the requirement to give fingerprints;(iii)customisable reports and statistics on data quality pursuant to Article 38(4) of Regulation (EU) 2017/2226 and regular statistics for ensuring the monitoring by eu-LISA of the development and the functioning of the Entry/Exit System referred to in Article 72(1) of that Regulation;(b)reports pursuant to Article 84 of Regulation (EU) 2018/1240, containing the following statistics on the records kept in the European Travel Information and Authorisation System (ETIAS):(i)daily statistics on the number and nationality of applicants whose travel authorisation was issued or refused, including the grounds for refusal, and of third-country nationals whose travel authorisation was annulled or revoked;(ii)customisable reports and statistics to improve the assessment of security, illegal immigration and high epidemic risks, to enhance the efficiency of border checks, to help the ETIAS Central Unit and the ETIAS National Units process travel authorisation applications and to support evidence-based Union migration policy-making;(iii)statistical data concerning the ETIAS watchlist pursuant to Article 92(4) of that Regulation;(iv)regular statistics for ensuring the monitoring by eu-LISA of the development and the functioning of the ETIAS Information System pursuant to Article 92(1) of that Regulation;(c)reports pursuant to Article 33(2) of Regulation (EU) 2018/1240, containing the following statistics:(i)those generated by the Entry/Exit System indicating abnormal rates of overstaying and refusals of entry for a specific group of travellers;(ii)those generated by the European Travel Information and Authorisation System pursuant to Article 84 of that Regulation indicating abnormal rates of refusals of travel authorisations due to a security, illegal immigration, or high epidemic risk associated with a specific group of travellers;(iii)those generated by the European Travel Information and Authorisation System pursuant to Article 84 of that Regulation and the Entry/Exit System indicating correlations between information collected through the application form and overstaying by travellers or refusals of entry;(d)reports pursuant to Article 16 of Regulation (EU) 2018/1860, containing daily, monthly and annual statistics showing the number of records per category of alerts, both for each Member State and in aggregate;(e)reports pursuant to Regulation (EU) 2018/1861, containing the following statistics on the records kept in the Schengen Information System:(i)daily, monthly and annual statistics showing the number of records per category of alerts, both for each Member State and in aggregate, pursuant to Article 60(3) of that Regulation;(ii)annual reports on the number of hits per category of alert, how many times the Schengen Information System was searched and how many times it was accessed for the purpose of entering, updating or deleting an alert, both for each Member State and in aggregate, pursuant to Article 60(3) of Regulation (EU) 2018/1861 and Article 19 of Regulation (EU) 2018/1860;(iii)at the request of the Commission, additional specific statistical reports, either on a regular or ad hoc basis, on the performance and the use of the Schengen Information System and on the exchange of supplementary information, pursuant to Article 60(5), second subparagraph of Regulation (EU) 2018/1861 and Article 19 of Regulation (EU) 2018/1860;(iv)at the request of the European Border and Coast Guard Agency, additional specific statistical reports, either on a regular or ad hoc basis, for the purpose of carrying out risk analyses and vulnerability assessments, pursuant to Article 60(5), third subparagraph of Regulation (EU) 2018/1861 and Article 19 of Regulation (EU) 2018/1860;(v)reports and statistics for the purposes of technical maintenance, reporting, data quality reporting and statistics pursuant to Article 60(2) of Regulation (EU) 2018/1861 and Article 19 of Regulation (EU) 2018/1860;(vi)reports on data quality issues pursuant to Article 15(4) of Regulation (EU) 2018/1861 and Article 19 of Regulation (EU) 2018/1860.6.The technical reports referred to in paragraph 2 shall contain statistics on the usage of the system, availability, incidents, performance capacity, biometric accuracy, data quality and, where applicable, pending transactions.7.The business reports produced by the central repository shall be customisable by the user in order to allow the filtering or grouping of the data by means of a reporting tool made available with the central repository.8.A catalogue of reports shall be made available. Requests for new reports or changes to existing ones shall follow eu-LISA change management policy.
Article 3Data repository and reporting tool1.The central repository shall use a technical solution hosting data extracted from the underlying EU information systems and interoperability components.2.The technical solution shall contain a reporting tool configured to create, maintain and execute the reports and customisable reports referred to in Article 2.3.The reporting tool shall allow for the generation of business reports and technical reports, and their retrieval by the user.4.The reporting tool shall enable the provision of cross-system statistical data and analytical reporting for policy, operational and data quality purposes, where provided for by Union law.5.All reports shall be managed within the technical solution. The appropriate security and integrity measures shall be implemented in the technical solution, in order to meet the requirements of the security plan provided for Article 42(3) of Regulation (EU) 2019/817.6.The technical solution shall be implemented at eu-LISA’s technical site and at the backup site.
Article 4Data extractionThe central repository shall obtain from the EU information systems read-only copies of the data referred to in Article 39(2) and Article 66(1), (2) and (3) of Regulation (EU) 2019/817 in order to produce the statistics and reports referred to in Articles 39 and 66 of that Regulation. The data shall be obtained on a regular basis and at least daily, by means of one-way extraction.
Article 5Data anonymisation tool1.The data extracted from the underlying EU information systems and interoperability components shall be anonymised using a data anonymisation tool. Only anonymised data shall be stored in the central repository.2.The data anonymisation tool shall identify critical identity data in the EU information systems and shall anonymise it by means of an automated process before statistical data is stored in the central repository. The anonymisation process shall be irreversible.
Article 6Access1.Access to the central repository by duly authorised staff shall be granted and managed in accordance with Article 63 of Regulation (EU) 2017/2226, Article 84 of Regulation (EU) 2018/1240, Article 60 of Regulation (EU) 2018/1861, and Article 16 of Regulation (EU) 2018/1860.2.The central repository shall be accessible by the Member States, the Commission and the Union agencies, in accordance with their access rights under Union law, via a secure network connection (TESTA).3.Only duly authorised staff of the competent authorities in accordance with Article 39(2) and Article 66(1) to (5) of Regulation (EU) 2019/817 shall be granted access to the tool referred to in Article 3(2) of this Regulation.4.Competent authorities shall access the central repository by means of user profiles. eu-LISA shall keep a list of the user profiles. One authority may have several profiles, depending on its access rights.5.Access to the central repository shall be logged. The information logged shall contain at least:(a)a timestamp;(b)authority;(c)type of the report concerned.6.Logs enabling the identification of users accessing the central repository shall be kept at national level and by the Commission, the European Border and Coast Guard Agency and Europol. eu-LISA shall keep logs of all accessing operations. The logs shall be stored in the central repository for one year, after which they shall be automatically erased.7.Any conflicting roles within the central repository shall be identified and access shall be granted in accordance with the following principles:(a)"need-to-know";(b)least privilege access;(c)segregation of duties.8.Data quality reports issued pursuant to Article 15(4) of Regulation (EU) 2018/1861 shall include a tool for Member States to provide eu-LISA with feedback on the correction of the issues encountered.
Article 7Data processorFor the purpose of anonymising personal data pursuant to Article 5, eu-LISA shall be the data processor within the meaning of Article 3, point (12) of Regulation (EU) 2018/1725.
Article 8Other data protection and security aspects1.The data stored in the central repository shall be consulted solely for the purpose of reporting and statistics.2.eu-LISA shall implement the necessary security measures to ensure the integrity of data in the central repository. Any changes to the data shall be traceable for auditing purposes.
Article 9Entry into forceThis Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Brussels, 30 September 2021.For the CommissionThe PresidentUrsula von der Leyen