COMMISSION IMPLEMENTING DECISION (EU) 2021/627
of 15 April 2021
laying down rules on keeping and accessing of the logs in the European Travel Information and Authorisation System (ETIAS) pursuant to Regulation (EU) 2018/1240 of the European Parliament and of the Council
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular point (b)(iii) of the third subparagraph of Article 73(3) thereof,
Whereas:
(1) Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (‘ETIAS’) for third-country nationals exempt from the requirement to be in the possession of a visa for the purposes of entering and staying in the territory of the Member States.
(2) The operation of the European Travel Information and Authorisation System requires the development and technical implementation of the ETIAS Information System. The system is to comprise logs recording all data processing operations performed.
(3) It is necessary to lay down rules on the keeping and accessing of logs. Logs should be used solely for verifying compliance with data processing obligations and for ensuring the integrity and security of the operational personal data.
(4) As regards the keeping of logs, it is necessary to specify the location at which they are to be stored, the manner in which they are to be technically recorded, including when they derive from different components of the European Travel Information and Authorisation System, as well as the rules applicable to the deletion of the logs after their retention period ends.
(5) As regards accessing logs, it is necessary to specify the competent authorities including, where appropriate, the persons within such authorities, to which access to the logs should be granted and for the purposes for which they may be accessed. In order to ensure that the competent authorities are able to perform their duties carried out for the purpose of monitoring the admissibility of data processing and of ensuring data security and integrity, the identification of logs should be facilitated through an effective search function.
(6) Logs recording access by duly authorised staff of the national authorities of each Member State and by the duly authorised staff of the Union agencies for the purposes referred to in Article 13(4a) of Regulation (EU) 2018/1240 should be kept in accordance with the requirements laid down in Article 24(2) and (3) of Regulation (EU) 2019/817.
(7) The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-LISA’) is responsible for the design and development phase of the ETIAS Information System. The measures laid down by this Decision should enable the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice to define the design of the physical architecture of the European Travel Information and Authorisation System including its Communication Infrastructure, as well as the technical specifications of the system and to develop the European Travel Information and Authorisation System. The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice should complete those measures by the Technical Specifications and the Interface Control Document of the European Travel Information and Authorisation System.
(8) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2018/1240 and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen acquis, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law.
(9) This Decision constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (2); Ireland is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(10) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (3), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (4).
(11) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (6).
(12) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (7) which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (8).
(13) As regards Cyprus, Bulgaria and Romania and Croatia, this Decision constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.
(14) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9) and delivered an opinion on 4 September 2020.
(15) The measures provided for in this Decision are in accordance with the opinion of the Smart Borders Committee (ETIAS),
HAS ADOPTED THIS DECISION:
Article 1
Keeping of logs of data processing operations
1. The logs of all data processing operations within the ETIAS Information System to be kept in accordance with Article 69(1) of Regulation (EU) 2018/1240, which include logs involving access by carriers as provided for in Article 45(7), by border authorities and immigration authorities as provided for in Article 69(3) of Regulation (EU) 2018/1240 and by the central access points as provided for in Article 70(1) of Regulation (EU) 2018/1240, shall be recorded and stored by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice in the ETIAS Central System.
2. Each data processing operation within the ETIAS information system shall be recorded as a separate log entry.
The log entry shall have a specific field allowing for the identification of the details relating to the operation performed.
3. The log entry shall be recorded with the time and date of each data processing operation (‘timestamp’).
4. Each log entry shall store the unique ID of the authority as well as of the official or staff member accessing, amending or erasing data stored in the ETIAS Central System.
5. Log entries shall be deleted daily by the ETIAS Central System in accordance with the retention periods provided for in Article 45(7), Article 69(4) and Article 70(4) of Regulation (EU) 2018/1240.
A timestamp shall be used to identify the log entries to be deleted at the end of the relevant retention period for each type of log.
Article 2
Access to logs of data processing operations
1. Access to the logs kept by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice pursuant to Regulation (EU) 2018/1240 shall be limited to:
(a) duly authorised administrators of ETIAS of the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice and Data Protection Officer for the purposes referred to in Article 58(2) of Regulation (EU) 2018/1240 and in particular for ensuring compliance with Article 69(4) of that Regulation;
(b) duly authorised staff and Data Protection Officer of the European Border and Coast Guard Agency, for the purposes laid down in Articles 7(2)(e) and 61 of Regulation (EU) 2018/1240 and ensuring the lawfulness of data processing, data integrity and security;
(c) duly authorised staff and Data Protection Officers of the ETIAS National Units, for the purposes referred to in Article 57(2).
2. The European Data Protection Supervisor and the competent national supervisory authorities carrying out the supervisory functions referred to in Articles 66 and 67 of Regulation (EU) 2018/1240 shall have access to the logs on request to eu-LISA or to the ETIAS National Unit(s).
3. The log entries and the specific fields recorded in the ETIAS Central System, in accordance with Article 1, shall be searchable at least by reference to author, date of access or type of processing operation.
4. For the purposes of Article 45(5) and (7) of Regulation (EU) 2018/1240, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice may transmit logs to ETIAS National Units necessary for the resolution of a dispute arising from the application of that Article provided that the following conditions are met:
(a) the ETIAS National concerned has submitted an explicit reasoned request for such logs to the European Border and Coast Guard Agency as data controller within the meaning of the first sentence of Article 57(1) of that Regulation;
(b) the European Border and Coast Guard Agency has verified and approved the request.
5. Logs recording access to the logs carried out pursuant to paragraph 1 shall be traceable at least according to the author or date of access.
6. Logs recording access to the logs carried out pursuant to paragraph 1 shall be searchable at least by reference to author, date of access or type of processing operation.
Article 3
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 15 April 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 236, 19.9.2018, p. 1.
(2) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).
(3) OJ L 176, 10.7.1999, p. 36.
(4) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).
(5) OJ L 53, 27.2.2008, p. 52.
(6) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).
(7) OJ L 160, 18.6.2011, p. 21.
(8) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).
(9) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).