THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on European Union, and in particular Articles 30(1)(a) and (b), 31(1)(a) and (b) and 34(2)(c) thereof,

Having regard to the proposal from the Commission,

Having regard to the opinion of the European Parliament(1),

Whereas:

(1) The Schengen information system (SIS) set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders(2) (the Schengen Convention), and its development, SIS 1+, constitute an essential tool for the application of the provisions of the Schengen acquis as integrated into the framework of the European Union.

(2) The development of the second generation of SIS (SIS II) has been entrusted to the Commission pursuant to Council Regulation (EC) No 2424/2001(3) and Council Decision 2001/886/JHA of 6 December 2001 on the development of the second generation Schengen Information System (SIS II)(4). SIS II will replace SIS as created pursuant to the Schengen Convention.

(3) This Decision constitutes the necessary legislative basis for governing SIS II in respect of matters falling within the scope of the Treaty on European Union (the EU Treaty). Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II)(5) constitutes the necessary legislative basis for governing SIS II in respect of matters falling within the scope of the Treaty establishing the European Community (the EC Treaty).

(4) The fact that the legislative basis necessary for governing SIS II consists of separate instruments does not affect the principle that SIS II constitutes one single information system that should operate as such. Certain provisions of these instruments should therefore be identical.

(5) SIS II should constitute a compensatory measure contributing to maintaining a high level of security within the area of freedom, security and justice of the European Union by supporting operational cooperation between police authorities and judicial authorities in criminal matters.

(6) It is necessary to specify the objectives of SIS II, its technical architecture and financing, to lay down rules concerning its operation and use and to define responsibilities, the categories of data to be entered into the system, the purposes for which the data are to be entered, the criteria for their entry, the authorities authorised to access the data, the interlinking of alerts and further rules on data processing and the protection of personal data.

(7) SIS II is to include a central system (Central SIS II) and national applications. The expenditure involved in the operation of Central SIS II and related communication infrastructure should be charged to the general budget of the European Union.

(8) It is necessary to establish a manual setting out the detailed rules for the exchange of certain supplementary information concerning the action called for by alerts. National authorities in each Member State should ensure the exchange of this information.

(9) For a transitional period, the Commission should be responsible for the operational management of Central SIS II and of parts of the communication infrastructure. However, in order to ensure a smooth transition to SIS II, it may delegate some or all of these responsibilities to two national public sector bodies. In the long term, and following an impact assessment, containing a substantive analysis of alternatives from financial, operational and organisational perspective, and legislative proposals from the Commission, a management authority with responsibility for these tasks should be established. The transitional period should last for no more than five years from the date from which this Decision applies.

(10) SIS II is to contain alerts on persons wanted for arrest for surrender purposes and wanted for arrest for extradition purposes. In addition to alerts, it is appropriate to provide for the exchange of supplementary information which is necessary for the surrender and extradition procedures. In particular, data referred to in Article 8 of the Council Framework Decision 2002/584/JHA of 13 June 2002 on the European Arrest Warrant and the surrender procedures between Member States(6) should be processed in SIS II.

(11) It should be possible to add to SIS II a translation of the additional data entered for the purpose of surrender under the European Arrest Warrant and for the purpose of extradition.

(12) SIS II should contain alerts on missing persons to ensure their protection or to prevent threats, on persons wanted for judicial procedure, on persons and objects for discreet checks or specific checks and on objects for seizure or use as evidence in criminal proceedings.

(13) Alerts should not be kept in SIS II longer than the time required to fulfil the purposes for which they were supplied. As a general principle, alerts on persons should be automatically erased from SIS II after a period of three years. Alerts on objects entered for discreet checks or specific checks should be automatically erased from the SIS II after a period of five years. Alerts on objects for seizure or use as evidence in criminal proceedings should be automatically erased from SIS II after a period of 10 years. Decisions to keep alerts on persons should be based on a comprehensive individual assessment. Member States should review alerts on persons within the defined period and keep statistics about the number of alerts on persons the retention period of which has been extended.

(14) SIS II should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. In the same perspective, SIS II should also allow for the processing of data concerning individuals whose identity has been misused in order to avoid inconveniences caused by their misidentification, subject to suitable safeguards, in particular the consent of the individual concerned and a strict limitation of the purposes for which such data can be lawfully processed.

(15) It should be possible for a Member State to add an indication, called a flag, to an alert, to the effect that the action to be taken on the basis of the alert will not be taken on its territory. When alerts are issued for arrest for surrender purposes, nothing in this Decision should be construed so as to derogate from or prevent the application of the provisions contained in the Framework Decision 2002/584/JHA. The decision to add a flag to an alert should be based only on the grounds for refusal contained in that Framework Decision.

(16) When a flag has been added and the whereabouts of the person wanted for arrest for surrender becomes known, the whereabouts should always be communicated to the issuing judicial authority, which may decide to transmit a European Arrest Warrant to the competent judicial authority in accordance with the provisions of the Framework Decision 2002/584/JHA.

(17) It should be possible for Member States to establish links between alerts in SIS II. The establishment by a Member State of links between two or more alerts should have no impact on the action to be taken, their retention period or the access rights to the alerts.

(18) Data processed in SIS II in application of this Decision should not be transferred or made available to third countries or to international organisations. However, it is appropriate to strengthen cooperation between the European Union and Interpol by promoting an efficient exchange of passport data. Where personal data is transferred from SIS II to Interpol, these personal data should be subject to an adequate level of protection, guaranteed by an agreement, providing strict safeguards and conditions.

(19) All Member States have ratified the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. The Convention allows exceptions and restrictions to the rights and obligations it provides, within certain limits. The personal data processed in the context of the implementation of this Decision should be protected in accordance with the principles of the Convention. The principles set out in the Convention should be supplemented or clarified in this Decision where necessary.

(20) The principles contained in Recommendation R (87) 15 of the Committee of Ministers of the Council of Europe of 17 September 1987 regulating the use of personal data in the police sector should be taken into account when personal data is processed by police authorities in application of this Decision.

(21) The Commission has submitted a proposal to the Council for a Framework Decision on the data protection of personal data processed in the framework of police and judicial cooperation in criminal matters, which should be approved by the end of 2006 and be applied to the personal data which are processed in the framework of the second generation of the Schengen Information System and the related exchange of supplementary information pursuant to this Decision.

(22) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(7) and in particular thereof concerning confidentiality and security of processing apply to the processing of personal data by the Community institutions and bodies when carrying out their responsibilities in the operational management of SIS II in the exercise of activities all or part of which fall within the scope of Community law. Part of the processing of personal data in SIS II falls within the scope of Community law. Consistent and homogeneous application of the rules regarding the protection of individuals' fundamental rights and freedoms with regard to the processing of personal data requires clarification that, when the Commission is processing personal data in application of this Decision, Regulation (EC) No 45/2001 is applicable to it. The principles set out in Regulation (EC) No 45/2001 should be supplemented or clarified in this Decision where necessary.

(23) In so far as confidentiality is concerned, the relevant provisions of the Staff Regulations of Officials of the European Communities and the conditions of employment of other servants of the European Communities should apply to officials or other servants employed and working in connection with SIS II.

(24) It is appropriate that national supervisory authorities monitor the lawfulness of the processing of personal data by the Member States, whilst the European Data Protection Supervisor, appointed pursuant to Decision 2004/55/EC of the European Parliament and of the Council of 22 December 2003 appointing the independent supervisory body provided for in Article 286 of the EC Treaty(8), should monitor the activities of the Community institutions and bodies in relation to the processing of personal data in view of the limited tasks of the Community institutions and bodies with regard to the data themselves.

(25) Both the Member States and the Commission should draw up a security plan in order to facilitate the implementation of security obligations and should cooperate with each other in order to address security issues from a common perspective.

(26) The provisions of the Convention of 26 July 1995 on the establishment of a European Police Office(9) (hereinafter referred to as the ‘Europol Convention’) concerning data protection apply to the processing of SIS II data by Europol, including the powers of the Joint Supervisory Body, set up under the Europol Convention, to monitor the activities of Europol and liability for any unlawful processing of personal data by Europol.

(27) The provisions of Decision 2002/187/JHA of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime(10) concerning data protection apply to the processing of SIS II data by Eurojust, including the powers of the Joint Supervisory Body, set up under that Decision, to monitor the activities of Eurojust and liability for any unlawful processing of personal data by Eurojust.

(28) In order to ensure transparency, a report on the technical functioning of Central SIS II and the communication infrastructure, including its security, and on the exchange of supplementary information should be produced every two years by the Commission or, when it is established, the management authority. An overall evaluation should be issued by the Commission every four years.

(29) Certain aspects of SIS II such as technical rules on entering data, including data required for entering an alert, updating, deleting and searching data, rules on compatibility and priority of alerts, the adding of flags, links between alerts and exchange of supplementary information cannot owing to their technical nature, level of detail and need for regular updating be covered exhaustively by the provisions of this Decision. Implementing powers in respect of those aspects should therefore be delegated to the Commission. Technical rules on searching alerts should take into account the smooth operation of national applications. Subject to an impact assessment by the Commission, it should be decided to what extent the implementing measures could be the responsibility of the management authority, once it is set up.

(30) This Decision should define the procedure for the adoption of the measures necessary for its implementation. The procedure for adopting implementing measures under this Decision and Regulation (EC) No 1987/2006 should be the same.

(31) It is appropriate to lay down transitional provisions in respect of alerts issued in SIS 1+ which are to be transferred to SIS II. Some provisions of the Schengen acquis should continue to apply for a limited period of time until the Member States have examined the compatibility of those alerts with the new legal framework. The compatibility of alerts on persons should be examined as a matter of priority. Furthermore, any modification, addition, correction or update of an alert transferred from SIS 1+ to SIS II, as well as any hit on such an alert, should trigger an immediate examination of its compatibility with the provisions of this Decision.

(32) It is necessary to lay down special provisions regarding the part of the budget earmarked for the operations of SIS which is not part of the general budget of the European Union.

(33) Since the objectives of the action to be taken, namely the establishment and regulation of a joint information system, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale and effects of the action, be better achieved at the level of the European Union, the Council may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the EC Treaty and referred to in Article 2 of the EU Treaty. In accordance with the principle of proportionality, as set out in Article 5 of the EC Treaty, this Decision does not go beyond what is necessary to achieve those objectives.

(34) This Decision respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union.

(35) The United Kingdom is taking part in this Decision, in accordance with Article 5 of the Protocol integrating the Schengen acquis into the framework of the European Union annexed to the EU Treaty and to the EC Treaty, and Article 8(2) of Council Decision 2000/365/EC of 29 May 2000, concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis (11).

(36) Ireland is taking part in this Decision in accordance with Article 5 of the Protocol integrating the Schengen acquis into the framework of the European Union annexed to the EU Treaty and to the EC Treaty, and Article 6(2) of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis (12).

(37) This Decision is without prejudice to the arrangements for the United Kingdom and Ireland's partial participation in the Schengen acquis, as defined in Decisions 2000/365/EC and 2002/192/EC, respectively.

(38) As regards Iceland and Norway, this Decision constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (13), which fall within the area referred to in Article 1, point G of Council Decision 1999/437/EC(14) on certain arrangements for the application of that Agreement.

(39) An arrangement should be made to allow representatives of Iceland and Norway to be associated with the work of committees assisting the Commission in the exercise of its implementing powers. Such an arrangement has been contemplated in the Exchanges of Letters between the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning committees which assist the European Commission in the exercise of its executive powers(15), annexed to the abovementioned Agreement.

(40) As regards Switzerland, this Decision constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement signed between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis, which fall within the area referred to in Article 1, point G, of Decision 1999/437/EC read in conjunction with Article 4(1) of Council Decisions 2004/849/EC(16) and 2004/860/EC(17).

(41) An arrangement should be made to allow representatives of Switzerland to be associated with the work of committees assisting the Commission in the exercise of its implementing powers. Such an arrangement has been contemplated in the Exchange of Letters between the Community and Switzerland, annexed to the abovementioned Agreement.

(42) This Decision constitutes an act building on the Schengen acquis or otherwise related to it within the meaning of Article 3(2) of the 2003 Act of Accession and Article 4(2) of the 2005 Act of Accession.

(43) This Decision should apply to the United Kingdom, Ireland and Switzerland on dates determined in accordance with the procedures set out in the relevant instruments concerning the application of the Schengen acquis to those States,

HAS DECIDED AS FOLLOWS: