13.6.2019

Official Journal of the European Union

L 156/10

COMMISSION DELEGATED DECISION (EU) 2019/969

of 22 February 2019

on the tool enabling applicants to give or withdraw their consent for an additional retention period of their application file pursuant to Article 54(2) of Regulation (EU) 2018/1240 of the European Parliament and of the Council

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular the fifth subparagraph of Article 54(2) thereof,

Whereas:

(1) Regulation (EU) 2018/1240 established a European Travel Information and Authorisation System (ETIAS) as a system for third-country nationals exempt from the requirement to be in possession of a visa when crossing the external borders. It laid down the conditions and procedures to issue or refuse a travel authorisation.

(2) Each application file is to be erased after the period of validity of the travel authorisation. To facilitate a new application after that period expired, applicants may consent to prolong the period for storing the application file by three years. This Decision should set out conditions on how the applicants can give and withdraw their consent using a dedicated tool.

(3) The consent tool should be accessible through the dedicated public website, the app for mobile devices and through a secure link after the ETIAS authorisation is granted.

(4) The consent tool should enable confirming the identity of the applicant. It is therefore necessary to set out the authentication requirements for accessing the consent tool and to ensure secure access, including through providing applicants with a unique code. The consent tool should also enable applicants to consult data retained prior to providing or withdrawing their consent as well as set out how consent should be provided or withdrawn.

(5) The communication channels of the consent tool with the ETIAS Central System should be set out. Furthermore, the message format, standards and protocols as well as the security requirements should be established.

(6) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2017/2226 of the European Parliament and of the Council (2) and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen

acquis

, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law.

(7) This Decision constitutes a development of the provisions of the Schengen

acquis

in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC (3); the United Kingdom is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.

(8) This Decision constitutes a development of the provisions of the Schengen

acquis

in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (4); Ireland is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.

(9) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen

acquis

within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latter's association with the implementation, application and development of the Schengen

acquis

(5), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (6).

(10) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen

acquis

within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen

acquis

(7), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (8).

(11) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen

acquis

within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen

acquis

(9) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (10).

(12) The European Data Protection Supervisor was consulted on 28 January 2019 and delivered an opinion on 8 February 2019,

HAS ADOPTED THIS DECISION:

Article 1

Access to the consent tool

The consent tool shall be accessible via:

(a) the dedicated public website referred to in Article 16 of Regulation (EU) 2018/1240;

(b) the app for mobile devices referred to in Article 16 of Regulation (EU) 2018/1240;

(c) a link provided through the ETIAS email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240.

Article 2

Two-factor authentication for access to the consent tool

1. In order to connect to the consent tool, two-factor authentication shall be used.

2. The first authentication shall consist of entering the following data:

(a) application number;

(b) travel document number.

3. Where the applicant does not provide his or her application number, the first authentication shall consist of entering following data:

(a) travel document number;

(b) country of issue of the travel document to be selected from a predetermined list;

(d) first names of both parents.

4. The application number shall be the same as the one provided to applicants via the ETIAS email service on submission of their application. The other data, referred to in paragraph 2 or paragraph 3, submitted by the applicant shall be the same as those provided by them in their application form.

5. The second authentication shall consist of a unique code to be entered into the consent tool.

6. Upon submission of the information in paragraph 2 or paragraph 3, the unique code referred to in paragraph 4 shall be automatically generated and sent to the applicant through the email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240.

7. The unique code shall expire after a short period of time. Sending a new unique code shall invalidate unique codes previously sent to the same applicant.

8. The unique code shall be sent to the same email address provided in the submitted application.

9. The unique code shall be usable only once.

Article 3

Consultation of the data via the tool

1. For the purposes of giving or withdrawing consent to prolong the storing of the application file, the tool shall inform the applicant on the data that would be retained or erased.

2. Prior to giving the consent, the applicant shall have access to:

(a) a read-only version of the application form and the personal data submitted;

(b) a read-only version of additional submitted documentation or information;

(c) a read-only version of data added to the application file under Article 39(1), points (a) and (c) to (d) of Regulation (EU) 2018/1240, following the decision to issue the travel authorisation.

3. Prior to giving the consent, the applicant shall be informed:

(a) about the fact if consent is provided, the application file is retained for an additional period of three years from the end of the validity period of the travel authorisation;

(b) about the fact that consent may be withdrawn at any time until the end of the additional retention period;

(d) about the fact that the data may be used in accordance with Article 71(o) of Regulation (EU) 2018/1240;

(e) about the procedures for exercising the rights under Articles 17 to 24 of Regulation (EU) 2018/1725; the contact details of the data protection officer of the European Border and Coast Guard Agency, of the European Data Protection Supervisor and of the national supervisory authority of the Member State of first intended stay where the travel authorisation has been issued by the ETIAS Central System, or of the Member State responsible where the travel authorisation has been issued by an ETIAS National Unit.

Article 4

Provision of consent

1. The consent shall be given by means of an electronically signed declaration through the ticking of an appropriate box in the consent tool.

2. Following the provision of consent the applicant shall receive an email containing:

(a) confirmation that the applicant's application file is retained for an additional period of three years from the end of the validity of the travel authorisation;

(b) a link to the consent tool;

(c) notification that the data is retained for the purpose of facilitating a new application and that those data may be used for the purposes referred to in Article 71(o) of Regulation (EU) 2018/1240;

(d) notification that consent may be withdrawn at any time until the end of the additional retention period;

(e) notification that the applicant is advised to retain their current application number to reuse the retained application file for the purpose of submitting a new application.

Article 5

Withdrawal of consent

1. The withdrawal of the consent for the retention of the application file shall be indicated by ticking an appropriate box in consent tool.

2. Where consent is withdrawn during the validity period of the current travel authorisation, an email shall be sent to the applicant confirming that the application file will be erased after the validity period of their current travel authorisation.

3. Where consent is withdrawn during the additional period, an email shall be sent to the applicant confirming that the application file will be erased.

Article 6

Communication of the tool with the Central System

1. Following a provision of consent for the retention of an application file in accordance with Article 54 of Regulation (EU) 2018/1240:

(a) the consent tool shall inform the ETIAS Central System of such consent via the secure web service, referred to in point (l) of Article 6(2) of Regulation (EU) 2018/1240;

(b) the ETIAS Central System shall retain the application file for a period of three years from the end of the validity period of the current travel authorisation.

2. Following a withdrawal of consent for the retention of an application file in accordance with Article 54 of Regulation (EU) 2018/1240:

(a) the consent tool shall inform the ETIAS Central System of such withdrawal;

(b) the ETIAS Central System shall automatically erase the application file after the validity period of their current travel authorisation or during the additional retention period of three years, if the consent is withdrawn during that period.

3. Upon expiry of its retention period, the application file shall automatically be erased from the ETIAS Central System as referred to in Article 54(3) of Regulation (EU) 2018/1240.

Article 7

Message format, standards and protocols

The message format and the protocols to be implemented shall be included in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 8

Specific security considerations

1. The consent tool shall be designed and implemented to ensure the confidentiality, integrity and availability of processed data and to ensure non-repudiation of transactions. The technical and organisational implementation of it shall meet the requirements of the ETIAS security plan referred in Article 59(3) of Regulation (EU) 2018/1240 and of the rules on data protection and security applicable to the public website and the app for mobile devices referred to in Article 16(10) of Regulation (EU) 2018/1240.

2. The consent tool shall be designed and implemented in a way that precludes unlawful access to it. For this purpose, the consent tool shall limit the number of attempts to access the tool with the same travel document number, the same application number or the same unique code. The tool shall also include measures to protect against non-human behaviour.

3. The consent tool shall include time-out measures after some minutes of inactivity.

4. Additional details concerning the confidentiality, integrity and availability of processed data shall be subject of the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.

Article 9

Logs

1. The consent tool shall keep activity logs, containing:

(a) authentication data, including whether the authentication was successful or not;

(b) date and time of access;

2. Activity logs of the tool shall be copied to the Central System. They shall be stored for no longer than one year after the end of the extended retention period of the application file, unless they are required for monitoring procedures which have already begun. After that period, they shall be automatically erased.

Such logs can only be used for the purpose of Article 69(4) of Regulation (EU) 2018/1240.

Article 10

This Decision shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

Done at Brussels, 22 February 2019.

For the Commission

The President

Jean-Claude JUNCKER

(1)

OJ L 236, 19.9.2018, p. 1

(2) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (

OJ L 327, 9.12.2017, p. 20

(3) Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen

acquis

(

OJ L 131, 1.6.2000, p. 43

(4) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen

acquis

(

OJ L 64, 7.3.2002, p. 20

(5)

OJ L 176, 10.7.1999, p. 36

(6) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen

acquis

(

OJ L 176, 10.7.1999, p. 31

(7)

OJ L 53, 27.2.2008, p. 52

(8) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen

acquis

(

OJ L 53, 27.2.2008, p. 1

(9)

OJ L 160, 18.6.2011, p. 21

(10) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen

acquis

, relating to the abolition of checks at internal borders and movement of persons (

OJ L 160, 18.6.2011, p. 19