COMMISSION IMPLEMENTING DECISION (EU) 2023/729
of 30 March 2023
on the establishment of the technical architecture, technical specifications for entering and storing information and the procedures for controlling and verifying information contained in the European Border and Coast Guard False and Authentic Documents Online system (‘EBCG FADO’)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2020/493 of the European Parliament and of the Council of 30 March 2020 on the False and Authentic Documents Online (FADO) system and repealing Council Joint Action 98/700/JHA (1), and in particular Article 6(1), points (a), (b) and (c), thereof,
Whereas:
(1) The European Image Archiving System on False and Authentic Documents Online (FADO system) was set up to facilitate the exchange of information on the security features and potential fraud characteristics of authentic and false documents between the Member State authorities competent in the area of document fraud. The purpose of the FADO system is also to share information with other actors, including the general public.
(2) Following the entry into force of Regulation (EU) 2020/493, the current FADO system which is currently operated by the Council will be taken over by the European Border and Coast Guard Agency (‘the Agency’), it is therefore necessary to adopt measures for the technical architecture and specifications of the FADO system.
(3) The technical architecture and specifications of the new ‘EBCG FADO’ system should enable the Agency to ensure a proper and reliable functioning system and to enter the information obtained in a timely and efficient manner, guaranteeing the uniformity and quality of that information according to high standards. Appropriate document and identity verification should be ensured at all levels, from the most sophisticated forensic examination to the simple check. The EBCG FADO system should provide a single point of access to users who want to manage information or search for FADO content. The system should provide, inter alia, for a systematic and structured transfer of knowledge between document experts and from them to non-document experts.
(4) The European Data Protection Supervisor has been consulted on this implementing decision.
(5) Given that Regulation (EU) 2020/493 builds upon the Schengen
acquis
, Denmark, in accordance with Article 4 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (TEU) and to the TFEU, notified the implementation of Regulation (EU) 2020/493 in its national law. Denmark is therefore bound by this Decision.
(6) Ireland is taking part in Regulation (EU) 2020/493, in accordance with Article 5(1) of Protocol No 19 on the Schengen
acquis
integrated into the framework of the European Union, annexed to the TEU and to the TFEU and Article 6(2) of Council Decision 2002/192/EC (2). Therefore, Ireland is bound by this Decision.
(7) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two states with the implementation, application and development of the Schengen
acquis
(3), which fall within the area referred to in Article 1, point H, of Council Decision 1999/437/EC (4).
(8) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(5), which fall within the area referred to in Article 1, point H, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/149/JHA (6).
(9) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(7), which fall within the area referred to in Article 1, point H, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU (8),
(10) The measures provided for in this Decision are in accordance with the opinion of the Committee established by Article 6 of Council Regulation (EC) No 1683/95 (9) (Article 6 Committee) and in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (10).
HAS ADOPTED THIS DECISION:
Article 1
The technical architecture of the FADO system, the technical specifications for entering and storing information in the FADO system and the procedures for controlling and verifying the information contained in the FADO system shall be as set out in the Annex.
Article 2
This Decision shall enter into force on the day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 30 March 2023.
For the Commission
The President
Ursula VON DER LEYEN
(1)
OJ L 107, 6.4.2020, p. 1
.
(2) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(3)
OJ L 176, 10.7.1999, p. 36
.
(4) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(5)
OJ L 53, 27.2.2008, p. 52
.
(6) Council Decision 2008/149/JHA of 28 January 2008 on the conclusion on behalf of the European Union of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 50
).
(7)
OJ L 160, 18.6.2011, p. 21
.
(8) Council Decision 2011/349/EU of 7 March 2011 on the conclusion on behalf of the European Union of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
, relating in particular to judicial cooperation in criminal matters and police cooperation (
OJ L 160, 18.6.2011, p. 1
).
(9) Council Regulation (EC) No 1683/95 of 29 May 1995 laying down a uniform format for visas (
OJ L 164, 14.7.1995, p. 1
).
(10) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (
OJ L 55, 28.2.2011, p. 13
).
ANNEX
PART 1
1.
Objectives
This Part of the Annex provides a description of the technical architecture of the European Border and Coast Guard Agency’s (‘the Agency’) False and Authentic Documents Online system (‘EBCG FADO system’) and its components.
The technical architecture of the new ‘EBCG FADO’ system will be developed in an incremental manner, following the releases of the new system and possible future requirements.
2.
Description of the architecture of the EBCG FADO system
The technical architecture enables the Agency to determine the different levels of access to the information stored in the system. The Agency will enter the information obtained in the EBCG FADO system in a timely and efficient manner and to guarantee the uniformity and quality of that information.
The EBCG FADO system will be the overarching application for all access levels, providing a single point of access to users who want to manage information or search for EBCG FADO content.
The technical architecture of the EBCG FADO system will have the capacity to host:
(a) a public domain containing a subset of basic information about specimens of authentic documents and authentic documents;
(b) a EU sensitive non-classified domain subject to access control allowing:
— different categories of users to explore information according to the defined access rights;
— a selected number of users to provide and validate sensitive non-classified information prior to making this information available to end-users (consumers of EU sensitive-non-classified information);
— an archive to store part of the sensitive non-classified information for statistical and historical purposes once the purpose of retrieving such information no longer exists.
(c) a EU classified (Restricted) domain subject to access control for authorised users allowing:
— to explore classified information;
— a selected number of users to provide and validate classified information prior to making this information available to other end-users authorised to access the classified network (consumers of classified information).
Furthermore, the technical architecture of the system will have the capacity to:
(a) ensure a high level of cyber-security;
(b) support extensive search and reporting capabilities, and apply advanced analytical services including artificial intelligence;
(c) be integrated with external entities and their systems and provide data exchange capabilities via automated interfaces, such as Frontex INTERPOL Electronic Library Document System (FIELDS), with Document Information System Civil Status (DISCS), etc.;
(d) work on a cloud-based infrastructure for EU non-classified, sensitive and public domains, as long as it ensures compliance with personal data protection requirements;
(e) implement state-of-the-art technologies and modern technical approaches, including availability, reliability, flexibility for new functions, products and modifications as well as be able to scale up to accommodate large numbers of users;
(f) allow integration with hardware and support access to the system offline or in limited connectivity scenarios from mobile devices.
PART 2
1.
Objectives
This second part of the Annex provides a description of the technical specifications for entering and storing information in the European Border and Coast Guard Agency’s (‘the Agency’) False and Authentic Documents Online system (‘EBCG FADO system’) in accordance with high standards.
The EBCG FADO will also contribute to the fight against identity fraud by sharing information with other actors, including the general public.
Personal data processing is included in these technical specifications. Entering and storing information in the system will be done according to the purpose of the processing.
2.
Description of the process for entering and storing information in the EBCG FADO SYSTEM
Information will be provided by authorised users in a dedicated module of the EBCG FADO system for validation purposes prior to making this information available to other users.
The validation process applies to all information entered in the EBCG FADO system or created within the system.
The validation process of such information is controlled by the Agency and implemented in consultation with the provider of information. In order to ensure high standards, the Agency may decide to consult with selected document experts or with the Agency’s data protection officer.
Once validated, information will be translated and stored in the EBCG FADO system domains.
3.
Controlling and verifying information in THE EBCG FADO SYSTEM
In the EBCG FADO system, the document data (hereinafter ‘information’) will be verified and processed for administrative purposes only by electronic and material means, depending on the format in which information is supplied to the Agency. In the EBCG FADO system, there is no processing of operational personal data within the meaning of Article 3(2) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (1).
Information processed undergoes the business processes designed to enter and store information in the EBCG FADO system. Only published documents formerly validated are made available to the users.
Information processing in the EBCG FADO system will be subject to continuous improvement in order to ensure a progressive revision and adaptation of the technical and organisational measures in line with the technological evolution and to eliminate flaws in the underlying business processes.
The Agency specifies:
(a) the categories of data subjects whose personal data are processed in the system;
(b) the categories of personal data processed;
(c) the controller or categories of controllers, including joint controllerships;
(d) the recipients of personal data;
(e) the safeguards to prevent abuse or unlawful access or transfer of personal data;
(f) the retention period related to personal data processing activities for the purposes of operating the EBCG FADO system and of carrying out administrative tasks;
(g) the methodology of data collection, including whether it comes from Member States and/or third countries;
(h) the dissemination and the recipients of the personal data.
4.
Personal data processing for entering and storing information in the EBCG FADO system
The Agency will implement specific organisational and technical measures during the process for entering and storing information in the EBCG FADO system by:
(a) providing guidance to the authorised users about redaction – minimisation and pseudonymisation – of personal data before delivering information to the Agency and during the validation process;
(b) implementing appropriate technical measures to ensure necessary safeguards to protect the rights of data subjects during the validation process, before making information available to end-users;
(c) restricting access to the module dedicated to the validation process to a minimum number of users;
(d) making available information stored in the sensitive-non-classified and classified domains on a need-to-know basis to a known number of users.
PART 3
1.
Objectives
The third part of the Annex provides a description of the procedures for controlling and verifying information in the European Border and Coast Guard Agency’s (‘the Agency’) False and Authentic Documents Online system (‘EBCG FADO system’).
Personal data processing will be included in the procedures for controlling and verifying information in the EBCG FADO system.
The Commission supervises, inter alia, the implementation of the measures contained in this Decision. The Commission is assisted by the committee established by Article 6 of Council Regulation (EC) No 1683/95 (2). The Agency participates without decisional power in the meetings of the Article 6 committee.
The Agency will apply quality assurance and quality control techniques for controlling and verifying information contained in the EBCG FADO system.
2.
Quality assurance and quality control
In accordance with the Annex Part 2 of this Commission Implementing Decision establishing the technical specifications for entering and storing information in the EBCG FADO system (3), the Agency will establish procedures to implement:
(a) quality assurance:
— before information is inserted in the FADO system for validation purposes;
— during the validation process;
(b) quality control:
— after publication, once information has been made available to the public and other end-users (consumers).
3.
Quality assurance
i. Access management
The purpose of access management to the FADO system is to:
(a) grant access on a need-to-know basis to the FADO system;
(b) revoke access rights;
The Agency will set up procedures for access management to the FADO system where the following minimum requirements shall be observed:
(a) users shall receive information about the processing of their personal data;
(b) users shall manage their user accounts in the FADO system;
(c) personal data shall be communicated to the Agency directly by the data subjects or by their points of contacts;
(d) a limited number of users in the Agency belonging to the FADO system organisation shall be authorised to perform access management.
ii. Validation of information inserted into the FADO system
The purpose of validation of information is to reduce the risk of flaws in the system, ensuring the uniformity and quality of information.
Only a selected number of authorised and trained document experts shall provide and validate information in the system.
Before starting to enter information in the system, these users will be:
(a) trained to enter information in the system;
(b) provided with guidance material and/or tutorials to enter information in the system;
(c) informed about the business processes set up by the Agency for validation purposes.
The Agency will implement a dedicated module of the EBCG FADO system for validation purposes prior to make this information available to other users. During the validation process, this module shall allow:
(a) a selected number of users to insert or correct information in the EBCG FADO system;
(b) a limited number of users to process validation of information in the system, including optional consultation with selected users other than those inserting or correcting information;
(c) a limited number of users to provide translation if necessary;
(d) a limited number of users to approve and publish the information.
iii. Publication of information
After the validation process, information will be published.
4.
Quality control
The Agency will establish an annual quality control plan in the EBCG FADO system.
The plan will ensure that controls on an adequate amount of information are regularly performed every year, verifying inter alia:
(a) relevance of information contained in the EBCG FADO system;
(b) quality of information contained in the EBCG FADO system;
(c) compliance of the EBCG FADO system management, including personal data protection requirements.
The results of audits will be delivered to the Commission, the Agency’s management board and the Agency’s data protection officer.
5.
User contribution to quality
Users may be involved in the process for controlling and verifying information contained in the EBCG FADO system.
(1) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(2) Council Regulation (EC) No 1683/95 of 29 May 1995 laying down a uniform format for visas (
OJ L 164 14.7.1995, p. 1
).
(3) Commission Implementing Decision establishing the technical architecture of the European Border and Coast Guard (EBCG) FADO system in accordance with Article 6(1)(a) of Regulation (EU) 2020/493.
Feedback