Council Decision 2007/533/JHAShow full title

CHAPTER XIGENERAL DATA PROCESSING RULES

Article 46Processing of SIS II data

1.The Member States may process the data referred to in Articles 20, 26, 32, 34, 36 and 38 only for the purposes laid down for each category of alert referred to in those Articles.

2.Data may only be copied for technical purposes, provided that such copying is necessary in order for the authorities referred to in Article 40 to carry out a direct search. The provisions of this Decision shall apply to such copies. Alerts issued by one Member State may not be copied from its N.SIS II into other national data files.

3.Technical copies, as referred to in paragraph 2, which lead to off-line databases may be retained for a period not exceeding 48 hours. That period may be extended in an emergency until the emergency comes to an end.

Member States shall keep an up-to-date inventory of such copies, make this inventory available to their national supervisory authority, and ensure that the provisions of this Decision, in particular those of Article 10, are applied in respect of such copies.

4.Access to data shall only be authorised within the limits of the competence of the national authorities referred to in Article 40 and to duly authorised staff.

5.With regard to the alerts laid down in Articles 26, 32, 34, 36 and 38 of this Decision, any processing of information contained therein for purposes other than those for which it was entered in SIS II must be linked with a specific case and justified by the need to prevent an imminent serious threat to public policy and public security, on serious grounds of national security or for the purposes of preventing a serious criminal offence. Prior authorisation from the Member State issuing the alert must be obtained for this purpose.

6.Data may not be used for administrative purposes.

7.Any use of data which does not comply with paragraphs 1 to 6 shall be considered as misuse under the national law of each Member State.

8.Each Member State shall send to the Management Authority a list of its competent authorities which are authorised to search directly the data contained in SIS II pursuant to this Decision, as well as any changes to the list. The list shall specify, for each authority, which data it may search and for what purposes. The Management Authority shall ensure the annual publication of the list in the Official Journal of the European Union.

9.In so far as European Union law does not lay down specific provisions, the law of each Member State shall apply to data entered in its N.SIS II.

Article 47SIS II data and national files

1.Article 46(2) shall not prejudice the right of a Member State to keep in its national files SIS II data in connection with which action has been taken on its territory. Such data shall be kept in national files for a maximum period of three years, except if specific provisions in national law provide for a longer retention period.

2.Article 46(2) shall not prejudice the right of a Member State to keep in its national files data contained in a particular alert issued in SIS II by that Member State.

Article 48Information in case of non-execution of alert

If a requested action cannot be performed, the requested Member State shall immediately inform the Member State issuing the alert.

Article 49Quality of the data processed in SIS II

1.A Member State issuing an alert shall be responsible for ensuring that the data are accurate, up-to-date and entered in SIS II lawfully.

2.Only the Member State issuing an alert shall be authorised to modify, add to, correct, update or delete data which it has entered.

3.If a Member State other than that which issued an alert has evidence suggesting that an item of data is factually incorrect or has been unlawfully stored, it shall, through the exchange of supplementary information, inform the Member State that issued the alert thereof at the earliest opportunity and not later than 10 days after the said evidence has come to its attention. The Member State that issued the alert shall check the communication and, if necessary, correct or delete the item in question without delay.

4.If the Member States are unable to reach agreement within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor who shall, jointly with the national supervisory authorities concerned, act as mediator.

5.The Member States shall exchange supplementary information if a person complains that he is not the person wanted by an alert. If the outcome of the check is that there are in fact two different persons the complainant shall be informed of the provisions of Article 51.

6.Where a person is already the subject of an alert in SIS II, a Member State which enters a further alert shall reach agreement on the entry of the alert with the Member State which entered the first alert. The agreement shall be reached on the basis of the exchange of supplementary information.

Article 50Distinguishing between persons with similar characteristics

Where it becomes apparent, when a new alert is entered, that there is already a person in SIS II with the same identity description element, the following procedure shall be followed:

Article 51Additional data for the purpose of dealing with misused identities

1.Where confusion may arise between the person actually intended as the subject of an alert and a person whose identity has been misused, the Member State which entered the alert shall, subject to that person's explicit consent, add data relating to the latter to the alert in order to avoid the negative consequences of misidentification.

2.Data relating to a person whose identity has been misused shall be used only for the following purposes:

(a)to allow the competent authority to distinguish the person whose identity has been misused from the person actually intended as the subject of the alert;

(b)to allow the person whose identity has been misused to prove his identity and to establish that his identity has been misused.

3.For the purpose of this Article, no more than the following personal data may be entered and further processed in SIS II:

(a)surname(s) and forename(s), name(s) at birth and previously used names and any aliases possibly entered separately;

(b)any specific objective and physical characteristic not subject to change;

(c)place and date of birth;

(d)sex;

(e)photographs;

(f)fingerprints;

(g)nationality(ies);

(h)number(s) of identity paper(s) and date of issue.

4.The technical rules necessary for entering and further processing the data referred to in paragraph 3 shall be established in accordance with the procedure referred to in Article 67, without prejudice to the provisions of the instrument setting up the Management Authority.

5.The data referred to in paragraph 3 shall be erased at the same time as the corresponding alert or earlier if the person so requests.

6.Only the authorities having a right of access to the corresponding alert may access the data referred to in paragraph 3. They may do so for the sole purpose of avoiding misidentification.

Article 52Links between alerts

1.A Member State may create a link between alerts it enters in SIS II. The effect of such a link shall be to establish a relationship between two or more alerts.

2.The creation of a link shall not affect the specific action to be taken on the basis of each linked alert or the retention period of each of the linked alerts.

3.The creation of a link shall not affect the rights of access provided for in this Decision. Authorities with no right of access to certain categories of alerts shall not be able to see the link to an alert to which they do not have access.

4.A Member State shall create a link between alerts only when there is a clear operational need.

5.Links may be created by a Member State in accordance with its national legislation provided that the principles outlined in the present Article are respected.

6.Where a Member State considers that the creation by another Member State of a link between alerts is incompatible with its national law or international obligations, it may take the necessary measures to ensure that there can be no access to the link from its national territory or by its authorities located outside its territory.

7.The technical rules for linking alerts shall be adopted in accordance with the procedure defined in Article 67, without prejudice to the provisions of the instrument setting up the Management Authority.

Article 53Purpose and retention period of supplementary information

1.Member States shall keep a reference to the decisions giving rise to an alert at the SIRENE Bureau to support the exchange of supplementary information.

2.Personal data held in files by the SIRENE Bureau as a result of information exchanged shall be kept only for such time as may be required to achieve the purposes for which they were supplied. They shall in any event be deleted at the latest one year after the related alert has been deleted from SIS II.

3.Paragraph 2 shall not prejudice the right of a Member State to keep in national files data relating to a particular alert which that Member State has issued or to an alert in connection with which action has been taken on its territory. The period for which such data may be held in such files shall be governed by national law.

Article 54Transfer of personal data to third parties

Data processed in SIS II pursuant to this Decision shall not be transferred or made available to third countries or to international organisations.

Article 55Exchange of data on stolen, misappropriated, lost or invalidated passports with Interpol

1.By way of derogation from Article 54, the passport number, country of issuance and the document type of stolen, misappropriated, lost or invalidated passports entered in SIS II may be exchanged with members of Interpol by establishing a connection between SIS II and the Interpol database on stolen or missing travel documents, subject to the conclusion of an Agreement between Interpol and the European Union. The Agreement shall provide that the transmission of data entered by a Member State shall be subject to the consent of that Member State.

2.The Agreement referred to in paragraph 1 shall foresee that the data shared shall only be accessible to members of Interpol from countries that ensure an adequate level of protection of personal data. Before concluding this Agreement, the Council shall seek the opinion of the Commission on the adequacy of the level of protection of personal data and respect of fundamental rights and liberties regarding the automatic processing of personal data by Interpol and by countries which have delegated members to Interpol.

3.The Agreement referred to in paragraph 1 may also provide for access through SIS II for the Member States to data from the Interpol database on stolen or missing travel documents, in accordance with the relevant provisions of this Decision governing alerts on stolen, misappropriated, lost and invalidated passports entered in SIS II.