1.A multiple-identity detector (MID) creating and storing identity confirmation files as referred to in Article 34, containing links between data in the EU information systems included in the CIR and SIS and allowing detection of multiple identities, with the dual purpose of facilitating identity checks and combating identity fraud, is established for the purpose of supporting the functioning of the CIR and the objectives of the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.
2.The MID shall be composed of:
(a)a central infrastructure, storing links and references to EU information systems;
(b)a secure communication infrastructure to connect the MID with SIS and the central infrastructures of the ESP and the CIR.
3.eu-LISA shall develop the MID and ensure its technical management.
1.For the purposes of the manual verification of different identities referred to in Article 29, access to the data referred to in Article 34 stored in the MID shall be granted to:
(a)the SIRENE Bureau of the Member State creating or updating an alert in accordance with Regulation (EU) 2018/1862;
(b)the central authorities of the convicting Member State when recording or modifying data in ECRIS-TCN in accordance with Article 5 or 9 of Regulation (EU) 2019/816.
2.Member State authorities and Union agencies having access to at least one EU information system included in the CIR or to SIS shall have access to the data referred to in Article 34(a) and (b) regarding any red links referred to in Article 32.
3.Member State authorities and Union agencies shall have access to the white links referred to in Article 33 where they have access to the two EU information systems containing data between which the white link was created.
4.Member State authorities and Union agencies shall have access to the green links referred to in Article 31 where they have access to the two EU information systems containing data between which the green link was created and a query of those information systems has revealed a match with the two sets of linked data.
1.Multiple-identity detection in the CIR and SIS shall be launched where:
(a)an alert on a person is created or updated in SIS in accordance with Chapters VI to IX of Regulation (EU) 2018/1862;
(b)a data record is created or modified in ECRIS-TCN in accordance with Article 5 or 9 of Regulation (EU) 2019/816.
2.Where the data contained within an EU information system referred to in paragraph 1 contains biometric data, the CIR and Central SIS shall use the shared BMS in order to perform multiple-identity detection. The shared BMS shall compare the biometric templates obtained from any new biometric data to the biometric templates already contained in the shared BMS in order to verify whether data belonging to the same person are already stored in the CIR or in Central-SIS.
3.In addition to the process referred to in paragraph 2, the CIR and Central SIS shall use the ESP to search the data stored in Central-SIS and the CIR respectively using the following data:
(a)surnames, forenames, names at birth, previously used names and aliases, place of birth, date of birth, gender and any nationalities held as referred to in Article 20(3) of Regulation (EU) 2018/1862;
(b)surname (family name), first names (given names), date of birth, place of birth (town and country), nationality or nationalities and gender as referred to in Article 5(1)(a) of Regulation (EU) 2019/816.
4.In addition to the process referred to in paragraphs 2 and 3, the CIR and Central SIS shall use the ESP to search the data stored in Central SIS and the CIR respectively using travel document data.
5.The multiple-identity detection shall only be launched in order to compare data available in one EU information system with data available in other EU information systems.
1.Where the queries referred to in Article 27(2), (3) and (4) do not report any match, the procedures referred to in Article 27(1) shall continue in accordance with the legal instruments governing them.
2.Where the query laid down in Article 27(2), (3) and (4) reports one or several matches, the CIR and, where relevant, SIS shall create a link between the data used to launch the query and the data triggering the match.
Where several matches are reported, a link shall be created between all data triggering the match. Where the data were already linked, the existing link shall be extended to the data used to launch the query.
3.Where the query referred to in Article 27(2), (3) and (4) reports one or several matches and the identity data of the linked files are the same or similar, a white link shall be created in accordance with Article 33.
4.Where the query referred to in Article 27(2), (3) and (4) reports one or several match(es) and the identity data of the linked files cannot be considered to be similar, a yellow link shall be created in accordance with Article 30 and the procedure referred to in Article 29 shall apply.
5.The Commission shall adopt delegated acts in accordance with Article 69 laying down the procedures to determine the cases in which identity data can be considered to be the same or similar.
6.The links shall be stored in the identity confirmation file referred to in Article 34.
7.The Commission shall, in cooperation with eu-LISA, lay down the technical rules for creating links between data from different EU information systems, by implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 70(2).
1.Without prejudice to paragraph 2, the authority responsible for manual verification of different identities shall be:
(a)the SIRENE Bureau of the Member State for matches that occurred when creating or updating a SIS alert in accordance with Regulation (EU) 2018/1862;
(b)the central authorities of the convicting Member State for matches that occurred when recording or modifying data in ECRIS-TCN in accordance with Article 5 or 9 of Regulation (EU) 2019/816.
The MID shall indicate the authority responsible for the manual verification of different identities in the identity confirmation file.
2.The authority responsible for the manual verification of different identities in the identity confirmation file shall be the SIRENE Bureau of the Member State that created the alert where a link is created to data contained in an alert:
(a)in respect of persons wanted for arrest for surrender or extradition purposes referred to in Article 26 of Regulation (EU) 2018/1862;
(b)on missing or vulnerable persons referred to in Article 32 of Regulation (EU) 2018/1862;
(c)on persons sought to assist with a judicial procedure referred to in Article 34 of Regulation (EU) 2018/1862;
(d)on persons for discreet checks, inquiry checks or specific checks referred to in Article 36 of Regulation (EU) 2018/1862.
3.The authority responsible for the manual verification of different identities shall have access to the linked data contained in the relevant identity confirmation file and to the identity data linked in the CIR and, where relevant, in SIS. It shall assess the different identities without delay. Once such assessment is completed, it shall update the link in accordance with Articles 31, 32 and 33 and add it to the identity confirmation file without delay.
4.Where more than one link is created, the authority responsible for the manual verification of different identities shall assess each link separately.
5.Where data reporting a match were already linked, the authority responsible for the manual verification of different identities shall take into account the existing links when assessing the creation of new links.
1.Where manual verification of different identities has not yet taken place, a link between data from two or more EU information systems shall be classified as yellow in any of the following cases:
(a)the linked data share the same biometric data but have similar or different identity data;
(b)the linked data have different identity data but share the same travel document data, and at least one of the EU information systems does not contain biometric data on the person concerned;
(c)the linked data share the same identity data but have different biometric data;
(d)the linked data have similar or different identity data, and share the same travel document data, but have different biometric data.
2.Where a link is classified as yellow in accordance with paragraph 1, the procedure laid down in Article 29 applies.
1.A link between data from two or more EU information systems shall be classified as green where:
(a)the linked data have different biometric data but share the same identity data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons;
(b)the linked data have different biometric data, have similar or different identity data, share the same travel document data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons;
(c)the linked data have different identity data but share the same travel document data, at least one of the EU information systems does not contain biometric data on the person concerned and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons.
2.Where the CIR or SIS are queried and where a green link exists between data in two or more of the EU information systems, the MID shall indicate that the identity data of the linked data do not correspond to the same person.
3.If a Member State authority has evidence to suggest that a green link has been incorrectly recorded in the MID, that a green link is out of date or that data were processed in the MID or the EU information systems in breach of this Regulation, it shall check the relevant data stored in the CIR and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification of different identities without delay.
1.A link between data from two or more EU information systems shall be classified as red in any of the following cases:
(a)the linked data share the same biometric data but have similar or different identity data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to the same person in an unjustified manner;
(b)the linked data have the same, similar or different identity data and the same travel document data, but different biometric data and the authority responsible for the manual verification of different identities has concluded that the linked data refer to two different persons, at least one of whom is using the same travel document in an unjustified manner;
(c)the linked data share the same identity data, but have different biometric data and different or no travel document data and the authority responsible for the manual verification of different identities has concluded that the linked datarefer to two different persons in an unjustified manner;
(d)the linked data have different identity data, but share the same travel document data, at least one of the EU information systems does not contain biometric data on the person concerned and the authority responsible for the manual verification of different identities has concluded that the linked datarefer to the same person in an unjustified manner.
2.Where the CIR or SIS are queried and where a red link exists between data in two or more of the EU information systems, the MID shall indicate the data referred to in Article 34. Follow-up to a red link shall take place in accordance with Union and national law, with any legal consequence for the person concerned being based only on the relevant data on that person. No legal consequence for the person concerned shall derive solely from the existence of a red link.
3.Where a red link is created between data in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN, the individual file stored in the CIR shall be updated in accordance with Article 19(2).
4.Without prejudice to the provisions related to the handling of alerts in SIS contained in Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862, and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that no national investigation will be jeopardised, where a red link is created, the authority responsible for the manual verification of different identities shall inform the person concerned of the presence of multiple unlawful identity data and shall provide the person with the single identification number referred to in Article 34(c) of this Regulation, a reference to the authority responsible for the manual verification of different identities referred to in Article 34(d) of this Regulation and the website address of the web portal established in accordance with Article 49 of this Regulation.
5.The information referred to in paragraph 4 shall be provided in writing by means of a standard form by the authority responsible for the manual verification of different identities. The Commission shall determine the content and presentation of that form by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 70(2).
6.Where a red link is created, the MID shall notify the authorities responsible for the linked data in an automated manner.
7.If a Member State authority or Union agency having access to the CIR or SIS has evidence to suggest that a red link has been incorrectly recorded in the MID or that data were processed in the MID, the CIR or SIS in breach of this Regulation, that authority or agency shall check the relevant data stored in the CIR and SIS and shall:
(a)where the link relates to one of the SIS alerts referred to in Article 29(2), immediately inform the relevant SIRENE Bureau of the Member State that created the SIS alert;.
(b)in all other cases, either rectify or erase the link from the MID immediately.
If a SIRENE Bureau is contacted pursuant to point (a) of the first subparagraph, it shall verify the evidence provided by the Member State authority or the Union agency and where relevant rectify or erase the link from the MID immediately.
The Member State authority obtaining the evidence shall inform the Member State authority responsible for the manual verification of different identities without delay of any relevant rectification or erasure of a red link.
1.A link between data from two or more EU information systems shall be classified as white in any of the following cases:
(a)the linked data share the same biometric data and the same or similar identity data;
(b)the linked data share the same or similar identity data, the same travel document data, and at least one of the EU information systems does not have biometric data on the person concerned;
(c)the linked data shares the same biometric data, the same travel document data and similar identity data;
(d)the linked data share the same biometric data but have similar or different identity data and the authority responsible for the manual verification of different identities has concluded that linked data refer to the same person in a justified manner.
2.Where the CIR or SIS are queried and where a white link exists between data in two or more of the EU information systems, the MID shall indicate that the identity data of the linked data correspond to the same person. The queried EU information systems shall reply indicating, where relevant, all the linked data on the person, thereby triggering a match against the data that are linked by the white link, if the authority launching the query has access to the linked data under Union or national law.
3.Where a white link is created between data in the EES, VIS, ETIAS, Eurodac or ECRIS-TCN, the individual file stored in the CIR shall be updated in accordance with Article 19(2).
4.Without prejudice to the provisions related to the handling of alerts in SIS contained to in Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862, and without prejudice to limitations necessary to protect security and public order, prevent crime and guarantee that no national investigation will be jeopardised, where a white link is created following a manual verification of different identities, the authority responsible for the manual verification of different identities shall inform the person concerned of the presence of similar or different identity data and shall provide the person with the single identification number referred to in Article 34(c) of this Regulation, a reference to the authority responsible for the manual verification of different identities referred to in Article 34(d) of this Regulation and the website address of the web portal established in accordance with Article 49 of this Regulation.
5.If a Member State authority has evidence to suggest that a white link has been incorrectly recorded in the MID, that a white link is out of date or that data were processed in the MID or the EU information systems in breach of this Regulation, it shall check the relevant data stored in the CIR and SIS and shall, if necessary, rectify or erase the link from the MID without delay. That Member State authority shall inform the Member State responsible for the manual verification of different identities without delay.
6.The information referred to in paragraph 4 shall be in writing by means of a standard form by the authority responsible for the manual verification of different identities. The Commission shall determine the content and presentation of that form by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 70(2).
The identity confirmation file shall contain the following data:
the links referred to in Articles 30 to 33;
a reference to the EU information systems in which the linked data are held;
a single identification number allowing retrieval of the linked data from the corresponding EU information systems;
the authority responsible for the manual verification of different identities;
the date of creation of the link or of any update to it.
The identity confirmation files and the data in them, including the links, shall be stored in the MID only for as long as the linked data are stored in two or more EU information systems. They shall be erased from the MID in an automated manner.
1.eu-LISA shall keep logs of all data processing operations in the MID. Those logs shall include the following:
(a)the Member State launching the query;
(b)the purpose of user's access;
(c)the date and time of the query;
(d)the type of data used to launch the query;
(e)the reference to the linked data;
(f)the history of the identity confirmation file.
2.Each Member State shall keep logs of queries that its authorities and the staff of those authorities duly authorised to use the MID make. Each Union agency shall keep logs of queries that its duly authorised staff make.
3.The logs referred to in paragraphs 1 and 2 may be used only for data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, and for ensuring data security and integrity. Those logs shall be protected by appropriate measures against unauthorised access and erased one year after their creation. If, however, they are required for monitoring procedures that have already begun, they shall be erased once the monitoring procedures no longer require the logs.