COMMISSION IMPLEMENTING DECISION (EU) 2023/1802
of 20 September 2023
laying down the technical arrangements for data retention
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular Article 11(10) thereof,
Whereas:
(1) Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (‘ETIAS’) applicable to visa-exempt third-country nationals seeking to enter the territory of the Member States.
(2) The purpose of this Decision is to lay down the technical specifications for the implementation of the conditions of data retention provided for in Article 24(6), point (c)(ii) and Article 54(1), point (b), of Regulation (EU) 2018/1240, to enable automated verifications relying on the European Search Portal (‘ESP’).
(3) Pursuant to Articles 24(6) and 54(1) of Regulation (EU) 2018/1240, the ETIAS Central System should periodically and automatically verify that the conditions for the retention of application files are fulfilled.
(4) In order to fulfil this obligation, the ETIAS Central System should adhere to the retention period of the application file, this being five years from the last decision to refuse, annul or revoke the travel authorisation.
(5) In the case all the data giving rise to the decision to refuse, annul or revoke a travel authorisation is deleted prior to the expiry of the five-year retention period, the ETIAS Central System should automatically delete the application file within three days. For this reason, and in order to limit the amount of processing, the system should verify daily the compliance with data retention rules. In addition, in the case where a record should be deleted, it should be done within three days.
(6) Given that Regulation (EU) 2018/1240 builds upon the Schengen
acquis
, in accordance with Article 4 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2018/1240 in its national law. Denmark is therefore bound by this Decision.
(7) This Decision constitutes a development of the provisions of the Schengen
acquis
in which Ireland does not take part. This Decision falls outside the scope of the measures provided for in Council Decision 2002/192/EC (2). Ireland is therefore not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(8) As regards Iceland and Norway, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(3), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (4).
(9) As regards Switzerland, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(5), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (6).
(10) As regards Liechtenstein, this Decision constitutes a development of the provisions of the Schengen
acquis
within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(7) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (8).
(11) As regards Cyprus, Bulgaria and Romania, this Decision constitutes an act building upon, or otherwise relating to, the Schengen
acquis
within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession and Article 4(1) of the 2005 Act of Accession
(12) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9) and delivered an opinion on 9 September 2022.
(13) The measures provided for in this Decision are in accordance with the opinion of the Smart Borders Committee,
HAS ADOPTED THIS DECISION:
Article 1
Subject matter
This Decision establishes the technical arrangements for the implementation of the period of data retention and erasure of application files pursuant to Article 24(6), point (c)(ii), and Article 54(1), point (b), of Regulation (EU) 2018/1240.
Article 2
Data retention mechanisms and procedures
1. For the purposes of Article 24(6), point (c)(ii), and Article 54(1), point (b), of Regulation (EU) 2018/1240, the ETIAS Central System shall automatically verify the conditions of data retention referred to in those Articles daily.
2. In order to do so, the ETIAS Central System shall verify with the systems referred to in Article 24(6), point (c)(ii), and Article 54(1), point (b), of Regulation (EU) 2018/1240 by means of the unique reference number, referred to in Article 11(8) of that Regulation, whether the data that gave rise to the decision to refuse, annul or revoke the travel authorisation are still present in the respective system.
3. Where the ETIAS Central System determines that the conditions for retention have elapsed, the ETIAS Central System shall automatically delete the relevant application file:
(a) immediately, where the five-year retention period from the last decision to refuse, annul or revoke the travel authorisation has elapsed;
(b) where the five-year retention period referred to in point (a) has not elapsed, within three days from the automatic verification referred to in paragraph (1) indicating that data in a record, file or alert registered in one of the systems referred to in Article 24(6), point (c)(ii), and Article 54(1), point (b), giving rise to the decision to refuse, annul or revoke the travel authorisation have been deleted.
Article 3
Entry into force
This Decision shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
Done at Brussels, 20 September 2023.
For the Commission
The President
Ursula VON DER LEYEN
(1)
OJ L 236 19.9.2018, p. 1
.
(2) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(3)
OJ L 176, 10.7.1999, p. 36
.
(4) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(5)
OJ L 53, 27.2.2008, p. 52
.
(6) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
(
OJ L 53, 27.2.2008, p. 1
).
(7)
OJ L 160, 18.6.2011, p. 21
.
(8) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).
(9) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
Feedback