Commission Delegated Regulation (EU) 2023/333 of 11 July 2022 supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council as regards determining cases where identity data are considered as same or similar for the purpose of the multiple identity detection
Commission Delegated Regulation (EU) 2023/333of 11 July 2022supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council as regards determining cases where identity data are considered as same or similar for the purpose of the multiple identity detectionTHE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHAOJ L 135, 22.5.2019, p. 27., and in particular Article 28(5) thereof,Whereas:(1)Regulation (EU) 2019/817 together with Regulation (EU) 2019/818 of the European Parliament and of the CouncilRegulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85)., establishes a framework to ensure interoperability between the EU information systems in the field of borders, visa, police and judicial cooperation, asylum and migration.(2)That framework includes a number of interoperability components, including a multiple-identity detector. The multiple-identity detector creates and stores links between data in the different EU information systems in order to detect multiple identities, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The linking of data is essential for the multiple-identity detector to fulfil its objectives.(3)The multiple-identity detection process results in the creation of automated white and yellow links. A white link indicates that the identity data of the linked files are the same or similar whereas a yellow link indicates that the identity data of the linked files cannot be considered to be similar and that manual verification of the different identities should be carried out.(4)Considering the burden on persons whose data is registered in the EU information systems, and the national authorities as well as with Union agencies, it is necessary to limit the number of cases in which yellow links are generated by the multiple-identity detector and therefore require manual verification.(5)Pursuant to Regulation (EU) 2019/817, the European Agency for the Operational Management of Large-Scale Information Systems in the area of Freedom, Security and Justice ("eu-LISA"), established by Regulation (EU) No 1077/2011 of the European Parliament and of the CouncilRegulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p. 1)., should be responsible for the preparation, development and operational management of the interoperability components, including the multi-identity detector.(6)Prior to the development of the multi-identity detector, it is necessary to lay down the procedures to determine the cases in which identity data concerning a person stored across several systems are considered the same or similar for the purpose of multiple-identity detection.(7)Given that Regulation (EU) 2019/817 builds upon the Schengen acquis, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2019/817 in its national law. It is therefore bound by this Regulation.(8)This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take partThis Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).. Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.(9)As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquisOJ L 176, 10.7.1999, p. 36., which fall within the area referred to in Article 1, point A of Council Decision 1999/437/ECCouncil Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31)..(10)As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquisOJ L 53, 27.2.2008, p. 52., which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/ECCouncil Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1)..(11)As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquisOJ L 160, 18.6.2011, p. 21. which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EUCouncil Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19)..(12)As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.(13)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the CouncilRegulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 27 April 2021,HAS ADOPTED THIS REGULATION: