Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code)

[F1 ANNEX X

LIST OF MINIMUM REQUIREMENTS TO BE INCLUDED IN THE LEGAL INSTRUMENT IN THE CASE OF COOPERATION WITH EXTERNAL SERVICE PROVIDERS

A. The legal instrument shall:

(a) enumerate the tasks to be carried out by the external service provider, in accordance with Article 43(6) of this Regulation;

(b) indicate the locations where the external service provider is to operate and which consulate the individual application centre refers to;

(c) list the services covered by the mandatory service fee;

(d) instruct the external service provider to clearly inform the public that other charges cover optional services.

B. In relation to the performance of its activities, the external service provider shall, with regard to data protection:

(a) prevent at all times any unauthorised reading, copying, modification or deletion of data, in particular during their transmission to the consulate of the Member State(s) competent for processing an application;

(b) in accordance with the instructions given by the Member State(s) concerned, transmit the data:

  • electronically, in encrypted form, or

  • physically, in a secured way;

(c) transmit the data as soon as possible:

  • in the case of physically transferred data, at least once a week,

  • in the case of electronically transferred encrypted data, at the latest at the end of the day of their collection,

(d) ensure appropriate means of tracking individual application files to and from the consulate;

(e) delete the data at the latest seven days after their transmission and ensure that only the name and contact details of the applicant for the purposes of the appointment arrangements, as well as the passport number, are kept until the return of the passport to the applicant and deleted five days thereafter;

(f) ensure all the technical and organisational security measures required to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the cooperation involves the transmission of files and data to the consulate of the Member State(s) concerned, and all other unlawful forms of processing personal data;

(g) process the data only for the purposes of processing the personal data of applicants on behalf of the Member State(s) concerned;

(h) apply data protection standards at least equivalent to those set out in Regulation (EU) 2016/679;

(i) provide applicants with the information required pursuant to Article 37 of the VIS Regulation.

C. In relation to the performance of its activities, the external service provider shall, with regard to the conduct of staff:

(a) ensure that its staff are appropriately trained;

(b) ensure that its staff in the performance of their duties:

  • receive applicants courteously,

  • respect the human dignity and integrity of applicants, do not discriminate against persons on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation, and

  • respect the rules of confidentiality; those rules shall also apply once members of staff have left their job or after suspension or termination of the legal instrument;

(c) provide identification of the staff working for the external service provider at all times;

(d) prove that its staff do not have criminal records and have the requisite expertise.

D. In relation to the verification of the performance of its activities, the external service provider shall:

(a) provide for access by staff entitled by the Member State(s) concerned to its premises at all times without prior notice, in particular for inspection purposes;

(b) ensure the possibility of remote access to its appointment system for inspection purposes;

(c) ensure the use of relevant monitoring methods (e.g. test applicants; webcam);

(d) ensure access, by the Member State's national data protection supervisory authority, to proof of data protection compliance, including reporting obligations, external audits and regular spot checks;

(e) report in writing to the Member State(s) concerned without delay any security breaches or any complaints from applicants on data misuse or unauthorised access, and coordinate with the Member State(s) concerned in order to find a solution and give explanatory responses promptly to the complaining applicants.

E. In relation to general requirements, the external service provider shall:

(a) act under the instructions of the Member State(s) competent for processing the application;

(b) adopt appropriate anti-corruption measures (e.g. adequate staff remuneration; cooperation in the selection of staff members employed on the task; two-man-rule; rotation principle);

(c) respect fully the provisions of the legal instrument, which shall contain a suspension or termination clause, in particular in the event of breach of the rules established, as well as a revision clause with a view to ensuring that the legal instrument reflects best practice.]