Commission Implementing Regulation (EU) 2021/331 of 24 February 2021 on the repor... (32021R0331)
EU - Rechtsakte: 19 Area of freedom, security and justice

COMMISSION IMPLEMENTING REGULATION (EU) 2021/331

of 24 February 2021

on the reporting of abuses committed by commercial intermediaries providing application services for travel authorisation under Regulation (EU) 2018/1240 of the European Parliament and of the Council

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular Articles 15(5) and 16(10) thereof,
Whereas:
(1) Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (‘ETIAS’) for third-country nationals exempt from the requirement to be in the possession of a visa for the purposes of entering and staying in the territory of the Member States.
(2) To obtain the travel authorisation, the application is to be submitted by the applicant directly, or by a third person or a commercial intermediary authorised by the applicant to submit the application on his or her behalf.
(3) In the context of comparable travel authorisation systems, commercial intermediaries have been known to engage in abusive practices. Abuses may take many different forms including: attempting to mislead applicants into believing that their website is the dedicated official public website or application for mobile devices for submitting an application, thereby giving the false impression that the excess charged by the commercial intermediary is a mandatory part of the application process rather than consideration for the voluntary use of a commercial service; making fraudulent use of the personal or financial data provided by the applicant; charging an unreasonably high price for its service, or failing to request the application in the required time, format and quality on behalf of the applicant.
(4) In order to detect abusive practices and to prevent their recurrence, an online form for the reporting of abuse by commercial intermediaries should be made accessible via the dedicated public website and the application for mobile devices. In order to promote awareness of the possibility to report abuse and to facilitate such reporting, information regarding the process to be followed should be displayed visibly on the public website and the application for mobile devices. The form should contain standardised fields and request users to enter details of the abusive conduct.
(5) In order to ensure that applicants are adequately informed of the nature and purpose of the reporting facility, the form should clarify that the reporting system is for monitoring purposes, it shall not collect any personal data and does not constitute a channel for appealing decisions on applications, or as a substitute for the pursuit of remedies under administrative, civil or criminal law.
(6) The ETIAS Central Unit should receive and assess such reports, taking into account the similarities and recurrences of the abuses reported. The ETIAS Central Unit should regularly report to the Commission, as necessary, on the abuses reported and the assessments made. Account should be taken of these assessments in the development by the Commission of information campaigns referred to in Article 72 of Regulation (EU) 2018/1240. On the basis of the assessments, the ETIAS Central Unit should modify, as appropriate, the information to the general public referred to in Article 71 of Regulation (EU) 2018/1240, and in particular to the applicants.
(7) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (‘TEU’) and to the Treaty on the Functioning of the European Union (‘TFEU’), Denmark did not take part in the adoption of Regulation (EU) 2018/1240 and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen
acquis
, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law.
(8) This Regulation constitutes a development of the provisions of the Schengen
acquis
in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (2); Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(9) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
 (3), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (4).
(10) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
 (5), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (6).
(11) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
 (7) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (8).
(12) As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen
acquis
within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9) and delivered an opinion on 4 September 2020.
(14) The measures provided for in this Regulation are in accordance with the opinion of the Smart Borders Committee (ETIAS),
HAS ADOPTED THIS REGULATION:

Article 1

Form for reporting abuse

1.   The reporting of abuse by a commercial intermediary shall be made using a form containing the information and fulfilling the technical requirements set out in points 1 to 7 of the Annex.
2.   It shall be possible for the form to be completed in any of the official languages of the Union.
3.   Before submitting the form, applicants shall be requested to provide confirmation of their having understood and consented to the general conditions applicable to the submission of a report on abuse, including that the applicant should not provide any personal data in his/her report, and the purposes for which the information provide shall be used, as set out in point 7 of the Annex.
4.   Once submitted, the form shall automatically be sent to the ETIAS Central Unit.

Article 2

Additional documentation

The limitations on the number and size of additional files that may be uploaded shall be set out in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 3

Notification to applicants

1.   A notification of the receipt of the report of the abuse shall automatically appear on the screen of the applicant. The applicant shall be offered the possibility to save locally or print the acknowledgment of receipt.
2.   Notifications shall at least include the following:
(a) acknowledgement of receipt of the report and confirmation of the date and time at which the form was submitted
(b) a reminder of all relevant information in relation to submitting an application for a travel authorisation as referred to in Article 71 of Regulation (EU) 2018/1240;
(c) information that the report of abuse shall be used to assist the monitoring and improving of the European Travel Information and Authorisation System. By contrast, the reporting facility is not intended to provide remedies in individual cases and is not a substitute for the pursuit of any claims in administrative, civil or criminal law that may be provided for under the applicable national law.

Article 4

Roles of the ETIAS Central Unit

1.   The ETIAS Central Unit shall:
(a) monitor, process and analyse all reports of abuses;
(b) publish on the dedicated public website and in the application for mobile devices relevant information in order to prevent abuses.
2.   Once a year, the ETIAS Central Unit shall submit a report to the Commission, which shall at least include:
(a) an anonymised description of the cases of abuse reported, including similarities between the cases, recurrences, trends and characteristics;
(b) an overview of the actions taken to adapt the information to the general public and applicants.

Article 5

Specific security measures

The form to report abuses shall be designed and implemented to ensure the confidentiality, integrity, availability, protection of personal data and non-repudiation of transactions as referred to in the Commission Decision (EU, Euratom) 2017/46 (10). Its technical and organisational implementation shall meet the requirements of the European Travel Information and Authorisation System’s security plan, referred in Article 59(3) of Regulation (EU) 2018/1240, and shall comply with the rules on data protection and security applicable to the public website and the application for mobile devices referred to in Article 16(10) of Regulation (EU) 2018/1240.

Article 6

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Brussels, 24 February 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 236, 19.9.2018, p. 1
.
(2)  Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(3)  
OJ L 176, 10.7.1999, p. 36
.
(4)  Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(5)  
OJ L 53, 27.2.2008, p. 52
.
(6)  Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 1
).
(7)  
OJ L 160, 18.6.2011, p. 21
.
(8)  Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).
(9)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(10)  Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission;
OJ L 6, 11.1.2017, p. 40
.

ANNEX

FORM FOR REPORTING ABUSE BY COMMERCIAL INTERMEDIARIES SUBMITTING AN APPLICATION FOR A TRAVEL AUTHORISATION ON BEHALF OF AN APPLICANT

1.   

Introduction

(a) The form for reporting abuse by commercial intermediaries is to have the following title:
 
Form for reporting abuse by commercial intermediaries submitting an application for a travel authorisation on behalf of an applicant.
(b) The following introductory notice is to appear at the beginning of this form:
 
Please complete this form to report incidents of abuse you may have experienced by a commercial intermediary applying for a travel authorisation on your behalf.
 
Please note that the information you provide will be used to assist the monitoring and improving of ETIAS.
 
Please do not insert any personal data in this form, whether they are yours or those of any other person.
(c) The form must contain prompts requesting and permitting the entry of the data elements set out in the table below (though not necessarily in the order listed) in accordance with the standards, formats and requirements indicated.

2.   

Circumstances of the abuse

Circumstances of the abuse

Standard

Format

Requirement

The applicant must be offered the possibility to indicate whether his/her complaint has arisen in one or more of the following circumstances:

the applicant knowingly authorised a commercial intermediary to submit an application on his/her behalf

the applicant completed the application directly without knowing that he or she was using a non-official EU website operated by a commercial intermediary

other

N/A

Tick boxes.

Mandatory.

If the reply to the “circumstances of the abuse” is ‘other’.

N/A

Free text, including: latin-alphabet characters A-Z, spaces, diacritics, apostrophes and hyphens only.

[number of characters permitted: 255]

Mandatory.

3.   

Information about the traveller reporting the abuse

Information

Standard

Format

Requirement

Country of birth

ISO 3166-1

Selection list of all countries, including countries that no longer exist.

Mandatory.

“Unknown” as a selectable option shall be available.

Nationality

ISO 3166-1

Selection list of all countries, including countries that no longer exist.

Mandatory.

“Unknown” as a selectable option shall be available.

Age group

N/A

18-25

26-40

41-55

> 55

Optional.

Gender

 

Tick boxes: Male/Female/Other

Optional.

4.   

Details of the abuse

Details of the abuse

Standard

Format

Requirement

Date of abuse

N/A

DD

Month as word/YYYY

Optional.

Mandatory.

Description and consequences of abuse

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, apostrophes and hyphens only.

[Number of characters permitted: to be defined]

Mandatory.

Travel authorisation received

N/A

Tick boxes: yes/no/I do not know.

Mandatory.

The total fee charged for travel authorisation and the provision of intermediary services

N/A

Free text (digits and currency).

Mandatory.

“not applicable” option shall be available

Payment method of fee

N/A

Free text.

Mandatory.

“not applicable” option shall be available

5.   

Information regarding the commercial intermediary

Information

Standard

Format

Requirement

Commercial name of the commercial intermediary

 

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, apostrophes and hyphens. Other special characters: “!”, “@”, “#”, “$”, “&”, “*”, “?”.

Mandatory.

Main commercial activities

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, apostrophes and hyphens. Other special characters: “!”, “@”, “#”, “$”, “&”, “*”, “?”.

Mandatory.

“Not applicable” option shall be available.

Internet address

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, oblique characters and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Email

N/A

Local-part@domain

Mandatory.

“Not applicable” option shall be available

Work phone number

ITU T, E.123 and E.164(country codes)

Selection list with all country codes, and free text (digits only).

Mandatory

“Not applicable” option shall be available.

Mailing address

Street name

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, apostrophes, oblique characters and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Mailing address:

Street number

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, oblique characters and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Mailing address:

Apartment number

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, oblique characters and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Mailing address:

2nd line address

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, apostrophes, oblique characters and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Mailing address:

Town/City

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, apostrophes and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Mailing address:

Postal Code

N/A

Free text, including: latin-alphabet characters A-Z, digits, spaces, diacritics, oblique characters and hyphens only.

Mandatory.

“Not applicable” option shall be available.

Mailing address:

Country

ISO 3166-1

Selection list of countries dependent territories and special areas of geographical interest.

Mandatory

“Not applicable” option shall be available.

6.   

Supporting documentation

Supporting documentation

Standard

Format

Requirement

The applicant must be offered the possibility to upload documents in support of the report (where available).

The applicant must acknowledge that the documents he/she will upload do not contain any personal data, or that he/she took care and redacted the personal data before he/she will upload the documents.

N/A

Uploading box

Tick box

Size and number of additional files that may be uploaded.

Accepted formats: Portable Document Format (PDF); Joint Photographic Experts Group (JPEG); Portable Network Graphics (PNG)).

7.   

Notice and consent

Notice and consent

Standard

Format

Requirement

Prior to submission, the applicant must be offered the possibility to confirm:

(i)

the applicant’s understanding that the information provided will be used to assist the monitoring and improving of ETIAS.

(ii)

the applicant’s understanding that the reporting facility does not constitute an appeal procedure against a refusal, annulment or revocation of a travel authorisation imputable to the conduct of a commercial intermediary. Neither does it provide remedies in individual cases and is not a substitute for the pursuit of any claims in civil or criminal law that may be provided for under the applicable national law.

(iii)

the applicant is informed that no personal data should be included in the report and where personal data are nonetheless provided consents that the data will be redacted.

N/A

Tick box

Mandatory.

Markierungen
Leseansicht