Regulation (EU) No 603/2013 of the European Parliament and of the CouncilShow full title

CHAPTER VIIU.K. DATA PROCESSING, DATA PROTECTION AND LIABILITY

Article 23U.K.Responsibility for data processing

1.The Member State of origin shall be responsible for ensuring that:

(a)fingerprints are taken lawfully;

(b)fingerprint data and the other data referred to in Article 11, Article 14(2) and Article 17(2) are lawfully transmitted to the Central System;

(c)data are accurate and up-to-date when they are transmitted to the Central System;

(d)without prejudice to the responsibilities of the Agency, data in the Central System are lawfully recorded, stored, corrected and erased;

(e)the results of fingerprint data comparisons transmitted by the Central System are lawfully processed.

2.In accordance with Article 34, the Member State of origin shall ensure the security of the data referred to in paragraph 1 before and during transmission to the Central System as well as the security of the data it receives from the Central System.

3.The Member State of origin shall be responsible for the final identification of the data pursuant to Article 25(4).

4.The Agency shall ensure that the Central System is operated in accordance with the provisions of this Regulation. In particular, the Agency shall:

(a)adopt measures ensuring that persons working with the Central System process the data recorded therein only in accordance with the purposes of Eurodac as laid down in Article 1;

(b)take the necessary measures to ensure the security of the Central System in accordance with Article 34;

(c)ensure that only persons authorised to work with the Central System have access thereto, without prejudice to the competences of the European Data Protection Supervisor.

The Agency shall inform the European Parliament and the Council as well as the European Data Protection Supervisor of the measures it takes pursuant to the first subparagraph.

Article 24U.K.Transmission

1.Fingerprints shall be digitally processed and transmitted in the data format referred to in Annex I. As far as necessary for the efficient operation of the Central System, the Agency shall establish the technical requirements for transmission of the data format by Member States to the Central System and vice versa. The Agency shall ensure that the fingerprint data transmitted by the Member States can be compared by the computerised fingerprint recognition system.

2.Member States shall transmit the data referred to in Article 11, Article 14(2) and Article 17(2) electronically. The data referred to in Article 11 and Article 14(2) shall be automatically recorded in the Central System. As far as necessary for the efficient operation of the Central System, the Agency shall establish the technical requirements to ensure that data can be properly electronically transmitted from the Member States to the Central System and vice versa.

3.The reference number referred to in Articles 11(d), 14(2)(d), 17(1) and 19(1) shall make it possible to relate data unambiguously to one particular person and to the Member State which is transmitting the data. In addition, it shall make it possible to tell whether such data relate to a person referred to in Article 9(1), 14(1) or 17(1).

4.The reference number shall begin with the identification letter or letters by which, in accordance with the norm referred to in Annex I, the Member State transmitting the data is identified. The identification letter or letters shall be followed by the identification of the category of person or request. "1" refers to data relating to persons referred to in Article 9(1), "2" to persons referred to in Article 14(1), "3" to persons referred to in Article 17(1), "4" to requests referred to in Article 20, "5" to requests referred to in Article 21 and "9" to requests referred to in Article 29.

5.The Agency shall establish the technical procedures necessary for Member States to ensure receipt of unambiguous data by the Central System.

6The Central System shall confirm receipt of the transmitted data as soon as possible. To that end, the Agency shall establish the necessary technical requirements to ensure that Member States receive the confirmation receipt if requested.

Article 25U.K.Carrying out comparisons and transmitting results

1.Member States shall ensure the transmission of fingerprint data of an appropriate quality for the purpose of comparison by means of the computerised fingerprint recognition system. As far as necessary to ensure that the results of the comparison by the Central System reach a very high level of accuracy, the Agency shall define the appropriate quality of transmitted fingerprint data. The Central System shall, as soon as possible, check the quality of the fingerprint data transmitted. If fingerprint data do not lend themselves to comparison using the computerised fingerprint recognition system, the Central System shall inform the Member State concerned. That Member State shall then transmit fingerprint data of the appropriate quality using the same reference number as the previous set of fingerprint data.

2.The Central System shall carry out comparisons in the order of arrival of requests. Each request shall be dealt with within 24 hours. A Member State may for reasons connected with national law require particularly urgent comparisons to be carried out within one hour. Where such time-limits cannot be respected owing to circumstances which are outside the Agency's responsibility, the Central System shall process the request as a matter of priority as soon as those circumstances no longer prevail. In such cases, as far as is necessary for the efficient operation of the Central System, the Agency shall establish criteria to ensure the priority handling of requests.

3.As far as necessary for the efficient operation of the Central System, the Agency shall establish the operational procedures for the processing of the data received and for transmitting the result of the comparison.

4.The result of the comparison shall be immediately checked in the receiving Member State by a fingerprint expert as defined in accordance with its national rules, specifically trained in the types of fingerprint comparisons provided for in this Regulation. For the purposes laid down in Article 1(1) of this Regulation, final identification shall be made by the Member State of origin in cooperation with the other Member States concerned, pursuant to Article 34 of Regulation (EU) No 604/2013.

Information received from the Central System relating to other data found to be unreliable shall be erased as soon as the unreliability of the data is established.

5.Where final identification in accordance with paragraph 4 reveals that the result of the comparison received from the Central System does not correspond to the fingerprint data sent for comparison, Member States shall immediately erase the result of the comparison and communicate this fact as soon as possible and no later than after three working days to the Commission and to the Agency.

Article 26U.K.Communication between Member States and the Central System

Data transmitted from the Member States to the Central System and vice versa shall use the Communication Infrastructure. As far as is necessary for the efficient operation of the Central System, the Agency shall establish the technical procedures necessary for the use of the Communication Infrastructure.

Article 27U.K.Access to, and correction or erasure of, data recorded in Eurodac

1.The Member State of origin shall have access to data which it has transmitted and which are recorded in the Central System in accordance with this Regulation.

No Member State may conduct searches of the data transmitted by another Member State, nor may it receive such data apart from data resulting from the comparison referred to in Article 9(5).

2.The authorities of Member States which, pursuant to paragraph 1 of this Article, have access to data recorded in the Central System shall be those designated by each Member State for the purposes laid down in Article 1(1). That designation shall specify the exact unit responsible for carrying out tasks related to the application of this Regulation. Each Member State shall without delay communicate to the Commission and the Agency a list of those units and any amendments thereto. The Agency shall publish the consolidated list in the Official Journal of the European Union. Where there are amendments thereto, the Agency shall publish once a year an updated consolidated list online.

3.Only the Member State of origin shall have the right to amend the data which it has transmitted to the Central System by correcting or supplementing such data, or to erase them, without prejudice to erasure carried out in pursuance of Article 12(2) or 16(1).

4.If a Member State or the Agency has evidence to suggest that data recorded in the Central System are factually inaccurate, it shall advise the Member State of origin as soon as possible.

If a Member State has evidence to suggest that data were recorded in the Central System in breach of this Regulation, it shall advise the Agency, the Commission and the Member State of origin as soon as possible. The Member State of origin shall check the data concerned and, if necessary, amend or erase them without delay.

5.The Agency shall not transfer or make available to the authorities of any third country data recorded in the Central System. This prohibition shall not apply to transfers of such data to third countries to which Regulation (EU) No 604/2013 applies.

Article 28U.K.Keeping of records

1.The Agency shall keep records of all data processing operations within the Central System. These records shall show the purpose, date and time of access, the data transmitted, the data used for interrogation and the name of both the unit entering or retrieving the data and the persons responsible.

2.The records referred to in paragraph 1 of this Article may be used only for the data protection monitoring of the admissibility of data processing as well as to ensure data security pursuant to Article 34. The records must be protected by appropriate measures against unauthorised access and erased after a period of one year after the storage period referred to in Article 12(1) and in Article 16(1) has expired, unless they are required for monitoring procedures which have already begun.

3.For the purposes laid down in Article 1(1), each Member State shall take the necessary measures in order to achieve the objectives set out in paragraphs 1 and 2 of this Article in relation to its national system. In addition, each Member State shall keep records of the staff duly authorised to enter or retrieve the data.

Article 29U.K.Rights of the data subject

1.A person covered by Article 9(1), Article 14(1) or Article 17(1) shall be informed by the Member State of origin in writing, and where necessary, orally, in a language that he or she understands or is reasonably supposed to understand, of the following:

(a)the identity of the controller within the meaning of Article 2(d) of Directive 95/46/EC and of his or her representative, if any;

(b)the purpose for which his or her data will be processed in Eurodac, including a description of the aims of Regulation (EU) No 604/2013, in accordance with Article 4 thereof and an explanation in intelligible form, using clear and plain language, of the fact that Eurodac may be accessed by the Member States and Europol for law enforcement purposes;

(c)the recipients of the data;

(d)in relation to a person covered by Article 9(1) or 14(1), the obligation to have his or her fingerprints taken;

(e)the right of access to data relating to him or her, and the right to request that inaccurate data relating to him or her be corrected or that unlawfully processed data relating to him or her be erased, as well as the right to receive information on the procedures for exercising those rights including the contact details of the controller and the national supervisory authorities referred to in Article 30(1).

2.In relation to a person covered by Article 9(1) or 14(1), the information referred to in paragraph 1 of this Article shall be provided at the time when his or her fingerprints are taken.

In relation to a person covered by Article 17(1), the information referred to in paragraph 1 of this Article shall be provided no later than at the time when the data relating to that person are transmitted to the Central System. That obligation shall not apply where the provision of such information proves impossible or would involve a disproportionate effort.

Where a person covered by Article 9(1), Article 14(1) and Article 17(1) is a minor, Member States shall provide the information in an age-appropriate manner.

3.A common leaflet, containing at least the information referred to in paragraph 1 of this Article and the information referred to in Article 4(1) of Regulation (EU) No 604/2013 shall be drawn up in accordance with the procedure referred to in Article 44(2) of that Regulation.

The leaflet shall be clear and simple, drafted in a language that the person concerned understands or is reasonably supposed to understand.

The leaflet shall be established in such a manner as to enable Member States to complete it with additional Member State-specific information. This Member State-specific information shall include at least the rights of the data subject, the possibility of assistance by the national supervisory authorities, as well as the contact details of the office of the controller and the national supervisory authorities.

4.For the purposes laid down in Article 1(1) of this Regulation, in each Member State any data subject may, in accordance with the laws, regulations and procedures of that State, exercise the rights provided for in Article 12 of Directive 95/46/EC.

Without prejudice to the obligation to provide other information in accordance with Article 12(a) of Directive 95/46/EC, the data subject shall have the right to obtain communication of the data relating to him or her recorded in the Central System and of the Member State which transmitted them to the Central System. Such access to data may be granted only by a Member State.

5.For the purposes laid down in Article 1(1), in each Member State, any person may request that data which are factually inaccurate be corrected or that data recorded unlawfully be erased. The correction and erasure shall be carried out without excessive delay by the Member State which transmitted the data, in accordance with its laws, regulations and procedures.

6.For the purposes laid down in Article 1(1), if the rights of correction and erasure are exercised in a Member State other than that, or those, which transmitted the data, the authorities of that Member State shall contact the authorities of the Member State or States which transmitted the data so that the latter may check the accuracy of the data and the lawfulness of their transmission and recording in the Central System.

7.For the purposes laid down in Article 1(1), if it emerges that data recorded in the Central System are factually inaccurate or have been recorded unlawfully, the Member State which transmitted them shall correct or erase the data in accordance with Article 27(3). That Member State shall confirm in writing to the data subject without excessive delay that it has taken action to correct or erase data relating to him or her.

8.For the purposes laid down in Article 1(1), if the Member State which transmitted the data does not agree that data recorded in the Central System are factually inaccurate or have been recorded unlawfully, it shall explain in writing to the data subject without excessive delay why it is not prepared to correct or erase the data.

That Member State shall also provide the data subject with information explaining the steps which he or she can take if he or she does not accept the explanation provided. This shall include information on how to bring an action or, if appropriate, a complaint before the competent authorities or courts of that Member State and any financial or other assistance that is available in accordance with the laws, regulations and procedures of that Member State.

9.Any request under paragraphs 4 and 5 shall contain all the necessary particulars to identify the data subject, including fingerprints. Such data shall be used exclusively to permit the exercise of the rights referred to in paragraphs 4 and 5 and shall be erased immediately afterwards.

10.The competent authorities of the Member States shall cooperate actively to enforce promptly the rights laid down in paragraphs 5, 6 and 7.

11.Whenever a person requests data relating to him or her in accordance with paragraph 4, the competent authority shall keep a record in the form of a written document that such a request was made and how it was addressed, and shall make that document available to the national supervisory authorities without delay.

12.For the purposes laid down in Article 1(1) of this Regulation, in each Member State, the national supervisory authority shall, on the basis of his or her request, assist the data subject in accordance with Article 28(4) of Directive 95/46/EC in exercising his or her rights.

13.For the purposes laid down in Article 1(1) of this Regulation, the national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State in which the data subject is present shall assist and, where requested, advise him or her in exercising his or her right to correct or erase data. Both national supervisory authorities shall cooperate to this end. Requests for such assistance may be made to the national supervisory authority of the Member State in which the data subject is present, which shall transmit the requests to the authority of the Member State which transmitted the data.

14.In each Member State any person may, in accordance with the laws, regulations and procedures of that State, bring an action or, if appropriate, a complaint before the competent authorities or courts of the State if he or she is refused the right of access provided for in paragraph 4.

15.Any person may, in accordance with the laws, regulations and procedures of the Member State which transmitted the data, bring an action or, if appropriate, a complaint before the competent authorities or courts of that State concerning the data relating to him or her recorded in the Central System, in order to exercise his or her rights under paragraph 5. The obligation of the national supervisory authorities to assist and, where requested, advise the data subject in accordance with paragraph 13 shall subsist throughout the proceedings.

Article 30U.K.Supervision by the national supervisory authorities

1.For the purposes laid down in Article 1(1) of this Regulation, each Member State shall provide that the national supervisory authority or authorities designated pursuant to Article 28(1) of Directive 95/46/EC shall monitor independently, in accordance with its respective national law, the lawfulness of the processing, in accordance with this Regulation, of personal data by the Member State in question, including their transmission to the Central System.

2.Each Member State shall ensure that its national supervisory authority has access to advice from persons with sufficient knowledge of fingerprint data.

Article 31U.K.Supervision by the European Data Protection Supervisor

1.The European Data Protection Supervisor shall ensure that all the personal data processing activities concerning Eurodac, in particular by the Agency, are carried out in accordance with Regulation (EC) No 45/2001 and with this Regulation.

2.The European Data Protection Supervisor shall ensure that an audit of the Agency's personal data processing activities is carried out in accordance with international auditing standards at least every three years. A report of such audit shall be sent to the European Parliament, the Council, the Commission, the Agency, and the national supervisory authorities. The Agency shall be given an opportunity to make comments before the report is adopted.

Article 32U.K.Cooperation between national supervisory authorities and the European Data Protection Supervisor

1.The national supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively in the framework of their responsibilities and shall ensure coordinated supervision of Eurodac.

2.Member States shall ensure that every year an audit of the processing of personal data for the purposes laid down in Article 1(2) is carried out by an independent body, in accordance with Article 33(2), including an analysis of a sample of reasoned electronic requests.

The audit shall be attached to the annual report of the Member States referred to in Article 40(7).

3.The national supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties of interpretation or application of this Regulation, study problems with the exercise of independent supervision or in the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

4.For the purpose laid down in paragraph 3, the national supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year. The costs and servicing of these meetings shall be for the account of the European Data Protection Supervisor. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary. A joint report of activities shall be sent to the European Parliament, the Council, the Commission and the Agency every two years.

Article 33U.K.Protection of personal data for law enforcement purposes

1.Each Member State shall provide that the provisions adopted under national law implementing Framework Decision 2008/977/JHA are also applicable to the processing of personal data by its national authorities for the purposes laid down in Article 1(2) of this Regulation.

2.The monitoring of the lawfulness of the processing of personal data under this Regulation by the Member States for the purposes laid down in Article 1(2) of this Regulation, including their transmission to and from Eurodac, shall be carried out by the national supervisory authorities designated pursuant to Framework Decision 2008/977/JHA.

3.The processing of personal data by Europol pursuant to this Regulation shall be in accordance with Decision 2009/371/JHA and shall be supervised by an independent external data protection supervisor. Articles 30, 31 and 32 of that Decision shall be applicable to the processing of personal data by Europol pursuant to this Regulation. The independent external data protection supervisor shall ensure that the rights of the individual are not violated.

4.Personal data obtained pursuant to this Regulation from Eurodac for the purposes laid down in Article 1(2) shall only be processed for the purposes of the prevention, detection or investigation of the specific case for which the data have been requested by a Member State or by Europol.

5.The Central System, the designated and verifying authorities and Europol shall keep records of the searches for the purpose of permitting the national data protection authorities and the European Data Protection Supervisor to monitor the compliance of data processing with Union data protection rules, including for the purpose of maintaining records in order to prepare the annual reports referred to in Article 40(7). Other than for such purposes, personal data, as well as the records of the searches, shall be erased in all national and Europol files after a period of one month, unless the data are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol.

Article 34U.K.Data security

1.The Member State of origin shall ensure the security of the data before and during transmission to the Central System.

2.Each Member State shall, in relation to all data processed by its competent authorities pursuant to this Regulation, adopt the necessary measures, including a security plan, in order to:

(a)physically protect the data, including by making contingency plans for the protection of critical infrastructure;

(b)deny unauthorised persons access to national installations in which the Member State carries out operations in accordance with the purposes of Eurodac (checks at entrance to the installation);

(c)prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d)prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data (storage control);

(e)prevent the unauthorised processing of data in Eurodac and any unauthorised modification or erasure of data processed in Eurodac (control of data entry);

(f)ensure that persons authorised to access Eurodac have access only to the data covered by their access authorisation, by means of individual and unique user IDs and confidential access modes only (data access control);

(g)ensure that all authorities with a right of access to Eurodac create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, erase and search the data, and make those profiles and any other relevant information which those authorities may require for supervisory purposes available to the national supervisory authorities referred to in Article 28 of Directive 95/46/EC and in Article 25 of Framework Decision 2008/977/JHA without delay at their request (personnel profiles);

(h)ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(i)ensure that it is possible to verify and establish what data have been processed in Eurodac, when, by whom and for what purpose (control of data recording);

(j)prevent the unauthorised reading, copying, modification or erasure of personal data during the transmission of personal data to or from Eurodac or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(k)monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring in order to ensure compliance with this Regulation (self-auditing) and to automatically detect within 24 hours any relevant events arising from the application of measures listed in points (b) to (j) that might indicate the occurrence of a security incident.

3.Member States shall inform the Agency of security incidents detected on their systems. The Agency shall inform the Member States, Europol and the European Data Protection Supervisor in case of security incidents. The Member States concerned, the Agency and Europol shall collaborate during a security incident.

4.The Agency shall take the necessary measures in order to achieve the objectives set out in paragraph 2 as regards the operation of Eurodac, including the adoption of a security plan.

Article 35U.K.Prohibition of transfers of data to third countries, international organisations or private entities

1.Personal data obtained by a Member State or Europol pursuant to this Regulation from the Central System shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. This prohibition shall also apply if those data are further processed at national level or between Member States within the meaning of Article 2(b) of Framework Decision 2008/977/JHA.

2.Personal data which originated in a Member State and are exchanged between Member States following a hit obtained for the purposes laid down in Article 1(2) shall not be transferred to third countries if there is a serious risk that as a result of such transfer the data subject may be subjected to torture, inhuman and degrading treatment or punishment or any other violation of his or her fundamental rights.

3.The prohibitions referred to in paragraphs 1 and 2 shall be without prejudice to the right of Member States to transfer such data to third countries to which Regulation (EU) No 604/2013 applies.

Article 36U.K.Logging and documentation

1.Each Member State and Europol shall ensure that all data processing operations resulting from requests for comparison with Eurodac data for the purposes laid down in Article 1(2) are logged or documented for the purposes of checking the admissibility of the request, monitoring the lawfulness of the data processing and data integrity and security, and self-monitoring.

2.The log or documentation shall show in all cases:

(a)the exact purpose of the request for comparison, including the concerned form of a terrorist offence or other serious criminal offence and, for Europol, the exact purpose of the request for comparison;

(b)the reasonable grounds given not to conduct comparisons with other Member States under Decision 2008/615/JHA, in accordance with Article 20(1) of this Regulation;

(c)the national file reference;

(d)the date and exact time of the request for comparison by the National Access Point to the Central System;

(e)the name of the authority having requested access for comparison, and the person responsible who made the request and processed the data;

(f)where applicable, the use of the urgent procedure referred to in Article 19(3) and the decision taken with regard to the ex-post verification;

(g)the data used for comparison;

(h)in accordance with national rules or with Decision 2009/371/JHA, the identifying mark of the official who carried out the search and of the official who ordered the search or supply.

3.Logs and documentation shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 40. The competent national supervisory authorities responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security shall have access to these logs at their request for the purpose of fulfilling their duties.

Article 37U.K.Liability

1.Any person who, or Member State which, has suffered damage as a result of an unlawful processing operation or any act incompatible with this Regulation shall be entitled to receive compensation from the Member State responsible for the damage suffered. That State shall be exempted from its liability, in whole or in part, if it proves that it is not responsible for the event giving rise to the damage.

2.If the failure of a Member State to comply with its obligations under this Regulation causes damage to the Central System, that Member State shall be liable for such damage, unless and insofar as the Agency or another Member State failed to take reasonable steps to prevent the damage from occurring or to minimise its impact.

3.Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the provisions of national law of the defendant Member State.