EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Document 02021R1134-20210713
Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System
Consolidated text: Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System
Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System
02021R1134 — EN — 13.07.2021 — 000.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
REGULATION (EU) 2021/1134 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 7 July 2021 (OJ L 248 13.7.2021, p. 11) |
Corrected by:
REGULATION (EU) 2021/1134 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 7 July 2021
amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System
Article 1
Amendments to Regulation (EC) No 767/2008
Regulation (EC) No 767/2008 is amended as follows:
the title is replaced by the following:
“ Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of information between Member States on short-stay visas, long-stay visas and residence permits (VIS Regulation) ”;
Article 1 is amended as follows:
the first paragraph is replaced by the following:
“This Regulation establishes the Visa Information System (VIS) and defines the purpose and functionalities of and the responsibilities for the system. It sets up the conditions and procedures for the exchange of data between Member States on applications for short-stay visas and on the decisions taken in relation thereto, including the decision whether to annul, revoke or extend the visa, to facilitate the examination of such applications and related decisions.”;
the following paragraph is inserted after the first paragraph:
“This Regulation also lays down procedures for the exchange of information between Member States on long-stay visas and residence permits, including on certain decisions on long-stay visas and residence permits.”;
Article 2 is replaced by the following:
“Article 2
Purpose of the VIS
The purpose of the VIS is to improve the implementation of the common visa policy for short stays, consular cooperation and consultation between visa authorities by facilitating the exchange of data between Member States on applications and on the decisions relating thereto, in order to:
facilitate the visa application procedure;
prevent the bypassing of the criteria for the determination of the Member State responsible for examining the visa application;
facilitate the fight against fraud;
facilitate checks at external border crossing points and within the territory of the Member States;
assist in the identification and return of any person who does not or no longer fulfils the conditions for entry to, stay or residence on the territory of the Member States;
assist in the identification of persons in specific circumstances as referred to in Article 22p;
contribute to the prevention, detection and investigation of terrorist offences or other serious criminal offences;
contribute to the prevention of threats to the internal security of any of the Member States;
contribute to the correct identification of persons;
support the objectives of the Schengen Information System (SIS) related to the alerts in respect of third-country nationals subject to a refusal of entry, persons wanted for arrest or for surrender or extradition purposes, missing persons or vulnerable persons, persons sought to assist with a judicial procedure and persons for discreet checks, inquiry checks or specific checks.
As regards long-stay visas and residence permits, the VIS shall have the purpose of facilitating the exchange of data between Member States on the applications and decisions related thereto, in order to:
support a high level of security in all Member States by contributing to the assessment of whether the applicant for or holder of a long-stay visa or a residence permit is considered to pose a threat to public policy, internal security or public health;
facilitate checks at external border crossing points and within the territory of the Member States;
assist in the identification and return of any person who does not or no longer fulfils the conditions for entry to, stay or residence on the territory of the Member States;
contribute to the prevention, detection and investigation of terrorist offences or other serious criminal offences;
contribute to the correct identification of persons;
assist in the identification of persons in specific circumstances as referred to in Article 22p;
facilitate the application of Regulation (EU) No 604/2013 and of Directive 2013/32/EU;
support the objectives of the SIS related to alerts in respect of third-country nationals subject to a refusal of entry, persons wanted for arrest, for surrender or extradition purposes, missing persons or vulnerable persons, persons sought to assist with a judicial procedure and persons for discreet checks, inquiry checks or specific checks.
Article 2a
Architecture
The VIS shall be based on a centralised architecture and shall consist of:
the common identity repository (CIR) established by Article 17(1) of Regulation (EU) 2019/817;
a central information system (the ‘VIS Central System’);
national uniform interfaces (NUIs) in each Member State, based on common technical specifications and identical for all Member States, enabling the VIS Central System to connect to the national infrastructures in Member States;
a communication infrastructure between the VIS Central System and the NUIs;
a secure communication channel between the VIS Central System and the Central System of the Entry/Exit System (EES);
a secure communication infrastructure between the VIS Central System and:
the central infrastructures of the European search portal (ESP) established by Article 6 of Regulation (EU) 2019/817;
the shared biometric matching service established by Article 12 of Regulation (EU) 2019/817;
the CIR; and
the multiple-identity detector established by Article 25 of Regulation (EU) 2019/817;
a mechanism for consultation with regard to applications and the exchange of information between visa authorities (VISMail);
a carrier gateway;
a secure web service enabling communication between the VIS Central System on the one hand and the carrier gateway and international systems (Interpol databases) on the other hand;
a repository of data for the purposes of reporting and statistics.
The VIS Central System, the NUIs, the web service, the carrier gateway and the VIS communication infrastructure shall share and re-use as much as technically possible the hardware and software components of, respectively, the EES Central System, the EES national uniform interfaces, the ETIAS carrier gateway, the EES web service and the EES communication infrastructure.
Article 3 is deleted;
Article 4 is amended as follows:
points (3), (4) and (5) are replaced by the following:
‘visa authorities’ means the authorities in each Member State which are responsible for examining and for taking decisions on visa applications or for taking decisions on whether to annul, revoke or extend visas, including the central visa authorities and the authorities responsible for issuing visas at the border;
‘designated authority’ means an authority designated by a Member State pursuant to Article 22l(1) as responsible for the prevention, detection or investigation of terrorist offences or other serious criminal offences;
‘VIS designated authority’ means an authority designated by a Member State pursuant to Article 9d(1) as responsible for the manual verification and follow-up action with regard to hits referred to in that paragraph;
‘ETIAS Central Unit’ means the unit established within the European Border and Coast Guard Agency pursuant to Article 7 of Regulation (EU) 2018/1240 of the European Parliament and of the Council ( 3 );
‘application form’ means the harmonised application form for a Schengen Visa set out in Annex I to Regulation (EC) No 810/2009;
‘applicant’ means a person who has lodged an application for a visa, long-stay visa or residence permit;
points (12), (13) and (14) are replaced by the following:
‘VIS data’ means all data stored in the VIS Central System and in the CIR in accordance with Articles 9 to 14 and 22a to 22f;
‘identity data’ means the data referred to in point (4)(a) and (aa) of Article 9 and point (d) of Article 22a(1);
‘fingerprint data’ means the VIS data relating to fingerprints;
‘facial image’ means digital image of the face;
‘hit’ means the existence of a correspondence established by an automated comparison of the personal data recorded in an application file of the VIS with the specific risk indicators referred to in Article 9j or with the personal data present in a record, file or alert registered in the VIS, in another EU information system as referred to in Article 9a or 22b (EU information systems), in Europol data or in Interpol databases queried by the VIS;
‘Europol data’ means personal data processed by Europol for the purpose referred to in point (a) of Article 18(2) of Regulation (EU) 2016/794 of the European Parliament and of the Council ( 4 );
‘residence permit’ means a residence permit issued by a Member State in accordance with the uniform format laid down by Council Regulation (EC) No 1030/2002 ( 5 ) and a document as referred to in point (16)(b) of Article 2 of Regulation (EU) 2016/399;
‘long-stay visa’ means an authorisation issued by a Member State as provided for in Article 18 of the Schengen Convention;
‘supervisory authorities’ means the supervisory authority referred to in Article 51(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council ( 6 ) and the supervisory authority referred to in Article 41 of Directive (EU) 2016/680 of the European Parliament and of the Council ( 7 );
‘law enforcement’ means the prevention, detection or investigation of terrorist offences or other serious criminal offences;
‘terrorist offence’ means any of the offences under national law referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council ( 8 ) or, for the Member States which are not bound by that Directive, the offences under national law equivalent to one of those offences;
‘serious criminal offence’ means an offence which corresponds or is equivalent to one of the offences referred to in Article 2(2) of Council Framework Decision 2002/584/JHA ( 9 ), if it is punishable under national law by a custodial sentence or a detention order for a maximum period of at least three years.
Articles 5 and 6 are replaced by the following:
“Article 5
Categories of data
Only the following categories of data shall be recorded in the VIS:
alphanumeric data:
on the visa applicant and on visas requested, issued, refused, annulled, revoked or extended referred to in points (1) to (4) of Article 9 and in Articles 10 to 14;
on the applicant for a long-stay visa or a residence permit and on long-stay visas and residence permits requested, issued, refused, withdrawn, revoked, annulled, extended or renewed as referred to in Article 22a and Articles 22c to 22f;
regarding the hits referred to in Articles 9a and 22b and the reasoned opinions referred to in Articles 9e, 9g and 22b;
facial images as referred to in point (5) of Article 9 and in point (j) of Article 22a(1);
fingerprint data as referred to in point (6) of Article 9and in point (k) of Article 22a(1);
scans of the biographic data page of the travel document referred to in point (7) of Article 9 and in point (h) of Article 22a(1);
links to other applications as referred to in Article 8(3) and (4) and Article 22a(4).
Article 5a
List of recognised travel documents
Article 6
Access for entering, amending, erasing and consulting data
Such access shall be limited to the extent that the data are required for the performance of the tasks of those authorities and Union bodies in accordance with those purposes, and proportionate to the objectives pursued.
By way of derogation from the provisions on the use of data provided for in Chapters II, III and IIIa, fingerprint data and facial images of children shall only be used to search the VIS and, in the case of a hit, shall only be accessed to verify the child’s identity:
in the visa application procedure in accordance with Article 15; or
at the external borders or within the territory of the Member States in accordance with Article 18, 19 or 20 or with Article 22g, 22h or 22i.
Where the search with alphanumerical data cannot be performed due to the lack of a travel document, the fingerprint data of children may also be used to search the VIS in the asylum procedure in accordance with Article 21, 22, 22j or 22k.
The authorities entitled to consult or access the VIS for the purposes of prevention, detection and investigation of terrorist offences or other serious criminal offences shall be designated in accordance with Chapter IIIb.
in Article 7, paragraph 2 is replaced by the following:
When processing personal data within the VIS each competent authority shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life and to the protection of personal data.
Particular attention shall be paid to children, the elderly and persons with a disability.
The well-being, safety and security of the child shall be taken into consideration, especially where there is a risk that the child may be a victim of human trafficking. The views of the child shall also be taken into consideration, giving appropriate weight to the age and maturity of the child.”;
the title of Chapter II is replaced by the following:
“ENTRY AND USE OF DATA ON VISAS BY VISA AUTHORITIES”;
Article 8 is amended as follows:
paragraph 1 is replaced by the following:
paragraph 5 is replaced by the following:
Article 9 is amended as follows:
point (4) is amended as follows:
points (a) to (ca) are replaced by the following:
surname (family name); first name(s) (given name(s)); date of birth; current nationality or nationalities; sex;
surname at birth (former family name(s)); place and country of birth; nationality at birth;
the type and number of the travel document;
the date of expiry of the validity of the travel document;
the country which issued the travel document and its date of issue;”;
point (l) is replaced by the following:
current occupation (job group) and employer; for students: name of educational establishment;”;
the following point is added:
if applicable, the fact that the applicant applies as a family member of a Union citizen to whom Directive 2004/38/EC of the European Parliament and of the Council ( 11 ) applies or of a third-country national enjoying the right of free movement equivalent to that of Union citizens under an agreement between the Union and its Member States, on the one hand, and a third country, on the other;
points (5) and (6) are replaced by the following:
a facial image of the applicant, in accordance with Article 13 of Regulation (EC) No 810/2009, with an indication of whether the facial image was taken live upon submission of the application;
fingerprints of the applicant, in accordance with Article 13 of Regulation (EC) No 810/2009;
a scan of the biographic data page of the travel document.”;
the following paragraphs are added:
“The applicant shall indicate his or her current occupation (job group) on a predetermined list.
The Commission shall adopt delegated acts in accordance with Article 48a to lay down the predetermined list of occupations (job groups).”;
the following articles are inserted:
“Article 9a
Queries of other information systems and databases
For the purposes of the verifications provided for in Article 21(1), points (a), (c) and (d) of Article 21(3) and Article 21(4) of Regulation (EC) No 810/2009 and for the purposes of the objective referred to in point (k) of Article 2(1) of this Regulation, the VIS shall launch a query by using the ESP to compare the relevant data referred to in points (4), (5) and (6) of Article 9 of this Regulation with the data present in a record, file or alert registered in:
the SIS;
the EES;
the European Travel Information and Authorisation System (ETIAS), including the ETIAS watchlist referred to in Article 34 of Regulation (EU) 2018/1240 (the ETIAS watchlist);
Eurodac;
the European Criminal Records Information System for third-country nationals (ECRIS-TCN);
the Europol data;
the Interpol Stolen and Lost Travel Document database (Interpol SLTD), and
the Interpol Travel Documents Associated with Notices database (Interpol TDAWN).
The comparison shall be made with both alphanumeric and biometric data, unless the information system or database queried contains only one of those data categories.
In particular, the VIS shall verify:
as regards the SIS, whether:
the travel document used for the application corresponds to a travel document which has been lost, stolen, misappropriated or invalidated;
the applicant is subject to an alert for refusal of entry and stay;
the applicant is subject to an alert on return;
the applicant is subject to an alert on persons wanted for arrest for surrender purposes on the basis of a European Arrest Warrant, or wanted for arrest for extradition purposes;
the applicant is subject to an alert on missing persons or vulnerable persons who need to be prevented from travelling;
the applicant is subject to an alert on persons sought to assist with a judicial procedure;
the applicant or the travel document is subject to an alert on persons or objects for discreet checks, inquiry checks or specific checks;
as regards the EES, whether:
the applicant is currently reported as an overstayer or the applicant has been reported as an overstayer in the past in the EES;
the applicant is recorded as having been refused entry in the EES;
the intended stay of the applicant will exceed the maximum duration of authorised stay in the territory of the Member States, irrespective of possible stays authorised under a national long-stay visa or a residence permit;
as regards the ETIAS, whether:
the applicant is a person for whom an issued, refused, annulled or revoked travel authorisation is recorded in the ETIAS or the applicant’s travel document corresponds to such issued, refused, annulled or revoked travel authorisation;
the data provided as part of the application correspond to data present in the ETIAS watchlist;
as regards Eurodac, whether the applicant is registered in that database;
as regards the ECRIS-TCN, whether the applicant corresponds to a person whose data have been recorded in that system during the previous 25 years as far as convictions for terrorist offences are concerned or during the previous 15 years as far as convictions for other serious criminal offences are concerned;
as regards Europol data, whether the data provided in the application correspond to data recorded in Europol data;
as regards Interpol databases, whether:
the travel document used for the application corresponds to a travel document reported lost, stolen or invalidated in Interpol SLTD;
the travel document used for the application corresponds to a travel document recorded in a file in Interpol TDAWN.
In the event of hits pursuant to point (a)(iv), points (e) and (f) and point (g)(ii) of paragraph 4, the VIS shall send an automated notification regarding such hits to the VIS designated authority of the Member State processing the application. Such automated notification shall contain the data recorded in the application file in accordance with points (4), (5) and (6) of Article 9.
In the event of hits pursuant to point (c)(ii) of paragraph 4, the VIS shall send an automated notification regarding such hits to the ETIAS National Unit of the Member State that entered the data or, if the data was entered by Europol, to the ETIAS National Unit of the Member States processing the application. That automated notification shall contain the data recorded in the application file in accordance with point (4) of Article 9.
Article 9b
Specific provisions for family members of Union citizens or of other third-country nationals enjoying the right of free movement under Union law
The VIS shall not verify:
whether the applicant is currently reported as an overstayer or whether he or she has been reported as an overstayer in the past as a result of a consultation of the EES;
whether the applicant corresponds to a person whose data is recorded in Eurodac.
Article 9c
Manual verification and follow-up action with regard to hits by competent visa authorities
The competent visa authority shall also have temporary access to data in the SIS, the EES, the ETIAS, Eurodac or Interpol SLTD that triggered the hit for the duration of the verifications referred to in this Article and the examination of the visa application and in the event of an appeal procedure. Such temporary access shall be in accordance with the legal instruments governing the SIS, the EES, the ETIAS, Eurodac and Interpol SLTD.
Article 9d
Manual verification of hits by VIS designated authorities
Where Member States choose to designate the SIRENE Bureau as the VIS designated authority, they shall allocate sufficient additional resources to enable the SIRENE Bureau to fulfil the tasks entrusted to the VIS designated authority under this Regulation.
Article 9e
Manual verification and follow-up action with regard to hits in the ETIAS watchlist
Article 9f
Follow-up action with regard to certain hits by the SIRENE Bureau
In the event of hits pursuant to point (a)(iii) of Article 9a(4), the SIRENE Bureau of the Member State processing the application shall:
where the return decision is accompanied by an entry ban, immediately inform the issuing Member State through the exchange of supplementary information, in order that the issuing Member State immediately delete the alert on return and enter an alert for refusal of entry and stay pursuant to point (b) of Article 24(1) of Regulation (EU) 2018/1861;
where the return decision is not accompanied by an entry ban, immediately inform the issuing Member State through the exchange of supplementary information, in order that the issuing Member State delete the alert on return without delay.
Article 9g
Follow-up action with regard to certain hits by VIS designated authorities
Article 9h
Implementation and manual
Article 9i
Responsibilities of Europol
Europol shall adapt its information system to ensure that automated processing of the queries pursuant to Article 9a(3) and Article 22b(2) is possible.
Article 9j
Specific risk indicators
The Commission shall adopt a delegated act in accordance with Article 48a to further define the risks related to security or illegal immigration or a high epidemic risk on the basis of:
statistics generated by the EES indicating abnormal rates of overstaying and refusals of entry for a specific group of visa holders;
statistics generated by the VIS in accordance with Article 45a indicating abnormal rates of refusals of visa applications due to a security, illegal immigration or high epidemic risk associated with a specific group of visa holders;
statistics generated by the VIS in accordance with Article 45a and the EES indicating correlations between information collected through the application form and overstaying by visa holders or refusals of entry;
information substantiated by factual and evidence-based elements provided by Member States concerning specific security risk indicators or threats identified by a Member State;
information substantiated by factual and evidence-based elements provided by Member States concerning abnormal rates of overstaying and refusals of entry for a specific group of visa holders for a Member State;
information concerning specific high epidemic risks provided by Member States as well as epidemiological surveillance information and risk assessments provided by the European Centre for Disease Prevention and Control and disease outbreaks reported by the World Health Organization.
The specific risks referred to in the first subparagraph of this paragraph shall be reviewed at least every six months and, where necessary, a new implementing act shall be adopted by the Commission in accordance with the examination procedure referred to in Article 49(2).
Based on the specific risks determined in accordance with paragraph 3, the ETIAS Central Unit shall establish a set of specific risk indicators consisting of a combination of data including one or several of the following:
age range, sex, nationality;
country and city of residence;
the Member States of destination;
the Member State of first entry;
purpose of travel;
current occupation (job group).
Article 9k
VIS Screening Board
Article 9l
VIS Fundamental Rights Guidance Board
The VIS Fundamental Rights Guidance Board shall also support the VIS Screening Board in the execution of its tasks when consulted by the latter on specific issues related to fundamental rights, in particular with regard to privacy, the protection of personal data and non-discrimination.
The VIS Fundamental Rights Guidance Board shall have access to the audits referred to in point (e) of Article 7(2) of Regulation (EU) 2018/1240.
in Article 10(1), point (f) is replaced by the following:
the territory in which the visa holder is entitled to travel, in accordance with Articles 24 and 25 of Regulation (EC) No 810/2009;”;
Article 11 is deleted;
Article 12(2) is amended as follows:
in point (a) the following point is inserted:
does not provide the justification for the purpose and conditions of the intended airport transit;”;
the following subparagraph is added:
“The numbering of refusal grounds in the VIS shall correspond to the numbering of refusal grounds in the standard refusal form set out in Annex VI to Regulation (EC) No 810/2009.”;
in Article 13, the following paragraph is added:
Article 15 is amended as follows:
paragraph 1 is replaced by the following:
The competent visa authority shall consult the VIS for the purposes of the examination of applications and the decisions relating to those applications, including the decision whether to annul, revoke or extend the visa in accordance with the relevant provisions. The competent visa authority’s consultation of the VIS shall establish:
whether the applicant has been subject to a decision to issue, refuse, annul, revoke or extend a visa; and
whether the applicant has been subject to a decision to issue, refuse, withdraw, revoke, annul, extend or renew a long-stay visa or residence permit.”;
paragraph 2 is amended, as follows:
point (c) is replaced by the following:
the type and number of the travel document, the date of expiry of the validity of the travel document, the country which issued the travel document and its date of issue;”;
point (f) is replaced by the following:
facial image;
the number of the visa sticker, long-stay visa or residence permit and the date of issue of any previous visa, long-stay visa or residence permit;”;
the following paragraph is inserted:
paragraph 3 is replaced by the following:
Article 16 is replaced by the following:
“Article 16
Use of the VIS for consultation and requests for documents
The Member State or the Member States consulted shall transmit their response to the VIS, which shall transmit by VISMail that response to the Member State which created the application.
In the case of a negative response, the response shall specify whether the applicant poses a threat to public policy, internal security, public health or international relations.
Solely for the purpose of carrying out the consultation procedure, the list of Member States requiring that their central authorities be consulted by other Member States’ central authorities during the examination of visa applications for uniform visas lodged by nationals of specific third countries or specific categories of such nationals in accordance with Article 22 of Regulation (EC) No 810/2009 shall be integrated into the VIS. The VIS shall provide the functionality for the centralised management of that list.
The transmission of information by VISMail shall also apply to:
the transmission of information on visas issued to nationals of specific third countries or to specific categories of such nationals (ex post notification) pursuant to Article 31 of Regulation (EC) No 810/2009;
the transmission of information on visas issued with limited territorial validity pursuant to Article 25(4) of Regulation (EC) No 810/2009;
the transmission of information on decisions to annul and revoke a visa and the grounds for that decision pursuant to Article 13(4);
the transmission of requests for data rectification or erasure pursuant to Article 24(2) and Article 25(2) respectively as well as contacts between Member States pursuant to Article 38(2);
all other messages related to consular cooperation that entail transmission of personal data recorded in the VIS or related to it, to the transmission of requests to the competent visa authority to forward copies of documents supporting the application and to the transmission of electronic copies of those documents.
Article 17 is deleted;
the title of Chapter III is replaced by the following:
“ACCESS TO VISA DATA BY OTHER AUTHORITIES”;
Article 17a is amended, as follows:
in paragraph 3, point (e) is replaced by the following:
verify, where the identity of a visa holder is verified using fingerprints or a facial image, the identity of a visa holder with fingerprints or, where the facial image is recorded in the VIS with the indication that it was taken live upon submission of the application, with the facial image against the VIS, in accordance with Article 23(2) and (4) of Regulation (EU) 2017/2226 and Article 18(6) of this Regulation.”;
the following paragraphs are inserted:
Article 18 is amended as follows:
in paragraph 4, point (b) is replaced by the following:
facial images;”;
in paragraph 5, point (b) is replaced by the following:
facial images;”;
paragraph 6 is amended as follows:
in point (a) of the first subparagraph, point (ii) is replaced by the following:
the identity is verified, at the border crossing point concerned, using fingerprints or the facial image taken live in accordance with Article 23(2) of Regulation (EU) 2017/2226;”;
the second subparagraph is replaced by the following:
“The competent authorities for carrying out checks at borders at which the EES is operated shall verify the fingerprints or the facial image of the visa holder against the fingerprints or the facial image taken live recorded in the VIS. For visa holders whose fingerprints or facial image cannot be used, the search referred to in paragraph 1 shall be carried out with the alphanumeric data provided for in paragraph 1.”;
paragraph 7 is replaced by the following:
Article 19 is amended as follows:
in paragraph 2, point (b) is replaced by the following:
facial images;”;
in Article 19a, paragraph 4 is replaced by the following:
Article 20 is amended, as follows:
paragraph 1 is replaced by the following:
Where the fingerprints of that person cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a), (aa), (b), (c) or (ca), or point (5) of Article 9. However, the facial image shall not be the only search criterion.”;
in paragraph 2, points (c) and (d) are replaced by the following:
facial images;
the data entered in respect of any visa issued, refused, annulled, revoked or extended referred to in Articles 10 to 14.”;
Articles 21 and 22 are replaced by the following:
“Article 21
Access to VIS data for determining the responsibility for applications for international protection
Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a), (aa), (b), (c) or (ca), or point (5) of Article 9. However, the facial image shall not be the only search criterion.
If the search with the data listed in paragraph 1 of this Article indicates that a visa issued with an expiry date of no more than six months before the date of the application for international protection, or a visa extended to an expiry date of no more than six months before the date of the application for international protection, is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the application file, and as regards the data listed in point (e) of this paragraph of the spouse and children, pursuant to Article 8(4), for the sole purpose referred to in paragraph 1 of this Article:
the application number and the authority that issued or extended the visa, and whether the authority issued it on behalf of another Member State;
the data taken from the application form referred to in point (4)(a) and (aa) of Article 9;
facial images;
the data entered in respect of any visa issued, annulled, revoked or extended referred to in Articles 10, 13 and 14;
the data referred to in point (4)(a) and (aa) of Article 9 of the linked application files relating to the spouse and children.
Article 22
Access to VIS data for examining the application for international protection
Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a), (aa), (b), (c) or (ca), or point (5) of Article 9. However, the facial image shall not be the only search criterion.
If the search with the data listed in paragraph 1 of this Article indicates that data on the applicant for international protection is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the applicant and of any linked application files of the applicant pursuant to Article 8(3), and, as regards the data listed in point (f) of this paragraph, of the spouse and children, pursuant to Article 8(4), for the sole purpose referred to in paragraph 1 of this Article:
the application number;
the data taken from the application forms referred to in point (4) of Article 9;
facial images as referred to in point (5) of Article 9;
scans of the biographic data page of the travel document as referred to in point (7) of Article 9;
the data entered in respect of any visa issued, annulled, revoked or extended referred to in Articles 10, 13 and 14;
the data referred to in point (4) of Article 9 of the linked application files relating to the spouse and children.
after Article 22, the following chapters are inserted:
“CHAPTER IIIa
ENTRY AND USE OF DATA ON LONG-STAY VISAS AND RESIDENCE PERMITS
Article 22a
Procedures for entering data upon application for a long-stay visa or residence permit
Upon application for a long-stay visa or residence permit, the authority competent for collecting or examining the application shall create without delay an application file, by entering the following data in the VIS as far as those data are required to be provided by the applicant in accordance with the relevant Union or national law:
application number;
status information, indicating that a long-stay visa or residence permit has been requested;
the authority with which the application has been lodged, including its location;
surname (family name), first name(s), date of birth, current nationality or nationalities, sex, place of birth;
type and number of the travel document;
the date of expiry of the validity of the travel document;
the country which issued the travel document and its date of issue;
a scan of the biographic data page of the travel document;
in the case of minors, surname and first names of the applicant’s parental authority or legal guardian;
the facial image of the applicant, with an indication of whether the facial image was taken live upon submission of the application;
fingerprints of the applicant.
With regard to facial images and fingerprints as referred to in points (j) and (k) of paragraph 1, the data of minors shall be entered in the VIS only where all of the following conditions are met:
the staff taking the data of a minor have been trained specifically to take a minor’s biometric data in a child-friendly and child-sensitive manner and in full respect of the best interests of the child and the safeguards laid down in the United Nations Convention on the Rights of the Child;
every minor is accompanied by an adult family member or legal guardian when the data is taken;
no force is used to take the data.
Article 22b
Queries of information systems and databases
For the purpose of assessing whether the person could pose a threat to the public policy, internal security or public health of the Member States pursuant to point (e) of Article 6(1) of Regulation (EU) 2016/399 and for the purposes of the objective referred to in point (f) of Article 2(2) of this Regulation, the VIS shall launch a query by using the ESP to compare the relevant data referred to in points (d) to (g) and points (i), (j) and (k) of Article 22a(1) of this Regulation with the data present in a record, file or alert registered in:
the SIS;
the EES;
the ETIAS, including the ETIAS watchlist;
the VIS;
the ECRIS-TCN;
the Europol data;
Interpol SLTD, and
Interpol TDAWN.
The comparison shall be made with both alphanumeric and biometric data, unless the information system or database queried contains only one of those data categories.
In particular, the VIS shall verify:
as regards the SIS, whether:
the travel document used for the application corresponds to a travel document which has been lost, stolen, misappropriated or invalidated;
the applicant is subject to an alert for refusal of entry and stay;
the applicant is subject to an alert on return;
the applicant is subject to an alert on persons wanted for arrest for surrender purposes on the basis of a European Arrest Warrant, or wanted for arrest for extradition purposes;
the applicant is subject to an alert on missing persons or vulnerable persons who need to be prevented from travelling;
the applicant is subject to an alert on persons sought to assist with a judicial procedure;
the applicant or the travel document is subject to an alert on persons or objects for discreet checks, inquiry checks or specific checks;
as regards the EES, whether the applicant is recorded as having been refused entry in the EES on the basis of a reason corresponding to point (B), (D), (H) or (I) of Part B of Annex V to Regulation (EU) 2016/399;
as regards the ETIAS, whether:
the applicant is a person for whom refused, annulled or revoked travel authorisation is recorded in the ETIAS on the basis of a reason corresponding to point (a), (b), (d) or (e) of Article 37(1) or to Article 37(2) of Regulation (EU) 2018/1240, or the applicant’s travel document corresponds to such refused, annulled or revoked travel authorisation;
the data provided as part of the application correspond to data present in the ETIAS watchlist;
as regards the VIS, whether the applicant corresponds to a person:
for whom a refused, annulled or revoked visa is recorded in the VIS on the basis of a reason corresponding to point (a)(i), (v) or (vi) or point (b) of Article 12(2);
for whom a refused, withdrawn, revoked or annulled long-stay visa or residence permit is recorded in the VIS on the basis of a reason corresponding to point (a) of Article 22d(1); or
whose travel document corresponds to a refused, withdrawn, revoked or annulled visa, long-stay visa or residence permit referred to in point (i) or (ii);
as regards the ECRIS-TCN, whether the applicant corresponds to a person whose data have been recorded in that system during the previous 25 years as far as convictions for terrorist offences are concerned or during the previous 15 years as far as convictions for other serious criminal offences are concerned;
as regards Europol data, whether the data provided in the application correspond to data recorded in Europol data;
as regards Interpol databases, whether:
the travel document used for the application corresponds to a travel document reported lost, stolen or invalidated in Interpol SLTD;
the travel document used for the application corresponds to a travel document recorded in a file in Interpol TDAWN.
If the requirement provided for in this paragraph is not fulfilled, the VIS shall not query Interpol databases.
In the event of hits pursuant to point (a)(iv), points (e) and (f) and point (g)(ii) of paragraph 3, the VIS shall send an automated notification regarding such hits to the VIS designated authority of the Member State processing the application. Such automated notification shall contain the data recorded in the application file in accordance with points (d) to (g), and (i), (j) and (k) of Article 22a(1).
In the event of hits pursuant to point (c)(ii) of paragraph 3, the VIS shall send an automated notification regarding such hits to the ETIAS National Unit of the Member State that entered the data or, if the data was entered by Europol, to the ETIAS National Unit of the Member States processing the application. That automated notification shall contain the data recorded in the application file in accordance with points (d) to (g) and (i) of Article 22a(1).
For the purposes of manual verification under the first subparagraph of this paragraph, the competent authority shall have access to the application file and any linked application files, as well as to the hits triggered during the automated processing pursuant to paragraph 8.
The competent authority shall also have temporary access to data in the VIS, the SIS, the EES, the ETIAS, or Interpol SLTD that triggered the hit for the duration of the verifications referred to in this Article and the examination of the application for a long-stay visa or residence permit and in the event of an appeal procedure.
The competent authority shall verify whether the identity of the applicant recorded in the application file corresponds to the data in any of the information systems and databases queried.
Where the personal data in the application file correspond to the data stored in the relevant information system or database, the hit shall be taken into account when assessing whether the applicant for a long-stay visa or a residence permit could pose a threat to the public policy, internal security or public health of the Member States processing the application.
Where the hit concerns a person in respect of whom an alert for refusal of entry and stay or an alert on return has been entered into the SIS by another Member State, the prior consultation pursuant to Article 27 of Regulation (EU) 2018/1861 or Article 9 of Regulation (EU) 2018/1860 shall apply.
Where the personal data in the application file do not correspond to the data stored in the relevant information system or database, the competent authority shall erase the false hit from the application file.
Article 22c
Data to be added for a long-stay visa or residence permit issued
Where a competent authority decides to issue a long-stay visa or residence permit, it shall add the following data to the application file where the data is collected in accordance with the relevant Union and national law:
status information indicating that a long-stay visa or residence permit has been issued;
the authority that took the decision;
place and date of the decision to issue the long-stay visa or residence permit;
the type of document issued (long-stay visa or residence permit);
the number of the issued long-stay visa or residence permit;
the commencement and the expiry dates of the validity of the long-stay visa or residence permit;
data listed in Article 22a(1), if available and not entered in the application file upon application for a long-stay visa or residence permit.
Article 22d
Data to be added in certain cases of a long-stay visa or residence permit refused
Where a competent authority decides to refuse a long-stay visa or a residence permit because the applicant is considered to pose a threat to public policy, internal security or public health or the applicant has presented documents which were fraudulently acquired, or falsified, or tampered with, it shall add the following data to the application file where the data is collected in accordance with the relevant Union and national law:
status information indicating that the long-stay visa or residence permit has been refused because the applicant is considered to pose a threat to public policy, internal security or public health, or because the applicant presented documents which were fraudulently acquired, or falsified, or tampered with;
the authority that took the decision;
place and date of the decision.
Article 22e
Data to be added for a long-stay visa or residence permit withdrawn, revoked or annulled
Where a competent authority decides to withdraw, revoke or annul a long-stay visa or residence permit, it shall add the following data to the application file where the data is collected in accordance with the relevant Union and national law:
status information indicating that the long-stay visa or residence permit has been withdrawn, revoked or annulled;
the authority that took the decision;
place and date of the decision;
where applicable, the grounds for withdrawal, revocation or annulment of the long-stay visa or residence permit, in accordance with Article 22d.
Article 22f
Data to be added for a long-stay visa extended or residence permit renewed
Where a competent authority decides to extend a long-stay visa, it shall add the following data to the application file, where the data is collected in accordance with the relevant Union and national law:
status information indicating that the long-stay visa has been extended;
the authority that took the decision;
place and date of the decision;
the number of the visa sticker;
the commencement and the expiry dates of the validity of the long-stay visa.
Article 22g
Access to VIS data for verification of long-stay visas and residence permits at external border crossing points
For the sole purpose of verifying the identity of the holder of the long-stay visa or residence permit, or the authenticity and the validity of the long-stay visa or residence permit or whether the conditions for entry to the territory of the Member States in accordance with Article 6 of Regulation (EU) 2016/399 are fulfilled, the competent authorities for carrying out checks at external border crossing points in accordance with that Regulation shall have access to search the VIS using the following data:
surname (family name), first name or names (given names); date of birth; nationality or nationalities; sex; type and number of the travel document or documents; three letter code of the issuing country of the travel document or documents; and the date of expiry of the validity of the travel document or documents; or
the number of the long-stay visa or residence permit.
If the search with the data listed in paragraph 1 of this Article indicates that data on the holder of the long-stay visa or residence permit are recorded in the VIS, the competent border control authority shall have access to the VIS to consult the following data of the application file and of linked application files pursuant to Article 22a(4), solely for the purposes referred to in paragraph 1 of this Article:
the status information of the long-stay visa or residence permit indicating if it has been issued, withdrawn, revoked, annulled, extended or renewed;
the data referred to in points (d), (e), and (f) of Article 22c;
where applicable, the data referred to in points (d) and (e) of Article 22f(1);
facial images as referred to in point (j) of Article 22a(1).
Article 22h
Access to VIS data for verification within the territory of the Member States
Where the identity of the holder of the long-stay visa or residence permit cannot be verified with fingerprints, the competent authorities may also carry out verification by means of a facial image.
If the search with the data listed in paragraph 1 of this Article indicates that data on the holder of the long-stay visa or residence permit are recorded in the VIS, the competent authority shall have access to the VIS to consult the following data of the application file and of linked application files pursuant to Article 22a(4), solely for the purposes referred to in paragraph 1 of this Article:
the status information of the long-stay visa or residence permit indicating if it has been issued, withdrawn, revoked, annulled, extended or renewed;
the data referred to in points (d), (e) and (f) of Article 22c;
where applicable, the data referred to in points (d) and (e) of Article 22f(1);
facial images as referred to in point (j) of Article 22a(1).
Article 22i
Access to VIS data for identification
Where the fingerprints of that person cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in points (d) to (g) or point (j) of Article 22a(1). However, the facial image shall not be the only search criterion.
If the search with the data listed in paragraph 1 of this Article indicates that data on the applicant are recorded in the VIS, the competent authority shall have access to the VIS to consult the following data of the application file and of linked application files pursuant to Article 22a(4), solely for the purposes referred to in paragraph 1 of this Article:
the application number, the status information and the authority with which the application was lodged;
the data referred to in points (d) to (g) and (i) of Article 22a(1);
facial images as referred to in point (j) of Article 22a(1);
the data entered in respect of any long-stay visa or residence permit issued, refused, withdrawn, revoked, annulled, extended or renewed referred to in Articles 22c to 22f.
Article 22j
Access to VIS data for determining the responsibility for applications for international protection
Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in points (d) to (g) or point (j) of Article 22a(1). However, the facial image shall not be the only search criterion.
If the search with the data listed in paragraph 1 of this Article indicates that a long-stay visa or residence permit is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the application file and, as regards the data listed in point (e) of this paragraph, of linked application files relating to the spouse and children pursuant to Article 22a(4), solely for the purpose referred to in paragraph 1 of this Article:
the application number and the authority that issued, revoked, annulled, extended or renewed the long-stay visa or residence permit;
the data referred to in points (d) to (g) and (i) of Article 22a(1);
the data entered in respect of any long-stay visa or residence permit issued, withdrawn, revoked, annulled, extended or renewed referred to in Articles 22c, 22e and 22f;
facial images as referred to in point (j) of Article 22a(1);
the data referred to in points (d) to (g) of Article 22a(1) of the linked application files relating to the spouse and children.
Article 22k
Access to VIS data for examining the application for international protection
Where the fingerprints of the applicant for international protection cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in points (d) to (g) or point (j) of Article 22a(1). However, the facial image shall not be the only search criterion.
If the search with the data listed in paragraph 1 of this Article indicates that data on the applicant for international protection is recorded in the VIS, the competent asylum authority shall have access to the VIS to consult the following data of the application file and, as regards the data listed in point (f) of this paragraph, of the linked application files relating to the spouse and children pursuant to Article 22a(4), solely for the purpose referred to in paragraph 1 of this Article:
the application number;
the data referred to in points (d) to (g) and (i) of Article 22a(1);
facial images as referred to in point (j) of Article 22a(1);
scans of the biographic data page of the travel document as referred to in point (h) of Article 22a(1);
the data entered in respect of any long-stay visa or residence permit issued, withdrawn, revoked, annulled, extended or renewed referred to in Articles 22c, 22e and 22f;
the data referred to in points (d) to (g) of Article 22a(1) of the linked application files relating to the spouse and children.
The consultation of the VIS pursuant to paragraphs 1 and 2 of this Article shall be carried out only by the designated national authorities referred to in Article 34(6) of Regulation (EU) No 604/2013.
CHAPTER IIIb
PROCEDURE AND CONDITIONS FOR ACCESS TO THE VIS FOR LAW ENFORCEMENT PURPOSES
Article 22l
Member States’ designated authorities
The data accessed by those authorities shall only be processed for the purposes of the specific case for which the data have been consulted.
The designated authorities and the central access point may be part of the same organisation if permitted under national law, but the central access point shall act fully independently of the designated authorities when performing its tasks under this Regulation. The central access point shall be separate from the designated authorities and shall not receive instructions from them as regards the outcome of the verification which it shall perform independently.
Member States may designate more than one central access point to reflect their organisational and administrative structure in the fulfilment of their constitutional or legal requirements.
Article 22m
Europol
The data accessed by Europol shall only be processed for the purposes of the specific case for which the data have been consulted.
The central access point shall act independently when performing its tasks under this Regulation and shall not receive instructions from the Europol designated authority as regards the outcome of the verification.
Article 22n
Procedure for access to VIS data for law enforcement purposes
Article 22o
Conditions for access to VIS data by designated authorities of Member States
Without prejudice to Article 22 of Regulation (EU) 2019/817 designated authorities shall have access to the VIS for the purposes of consultation where all of the following conditions are met:
consultation is necessary and proportionate for the purposes of the prevention, detection or investigation of a terrorist offence or other serious criminal offence;
consultation is necessary and proportionate in a specific case;
reasonable grounds exist to consider that consultation of VIS data will substantially contribute to the prevention, detection or investigation of any of the criminal offences in question, in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls under a category covered by this Regulation;
a query of the CIR was launched in accordance with Article 22 of Regulation (EU) 2019/817 and the reply received as referred to in paragraph 2 of that Article indicates that data is stored in the VIS.
Consultation of the VIS shall be limited to searching with any of the following data in the application file:
surname(s) (family name(s)), first name(s) (given name(s)), date of birth, nationality or nationalities and/or sex;
type and number of travel document or documents, the country which issued the travel document and date of expiry of the validity of the travel document;
visa sticker number or number of the long-stay visa or residence permit and the date of expiry of the validity of the visa, long-stay visa or residence permit, as applicable;
fingerprints, including latent fingerprints;
facial image.
By way of derogation from paragraphs 3 and 5 the data referred to in points (d) and (e) of paragraph 3 of children below the age of 14 shall only be used to search the VIS and, in the case of a hit, shall only be accessed where:
necessary for the purposes of the prevention, detection or investigation of a serious criminal offence of which those children are the victim of and to protect missing children;
necessary in a specific case; and
the use of the data is in the best interest of the child.
Article 22p
Access to VIS data for identification of persons in specific circumstances
Article 22q
Use of VIS data for the purpose of entering in the SIS alerts on missing persons or vulnerable persons who need to be prevented from travelling and access to those data
Article 22r
Procedure and conditions for access to VIS data by Europol
Europol shall have access to the VIS for the purposes of consultation where all of the following conditions are met:
consultation is necessary and proportionate for the purpose of supporting and strengthening action by Member States in preventing, detecting or investigating terrorist offences or other serious criminal offences falling under Europol’s mandate;
consultation is necessary and proportionate in a specific case;
reasonable grounds exist to consider that consultation of VIS data will substantially contribute to the prevention, detection or investigation of any of the criminal offences in question, in particular where there is a substantiated suspicion that the suspect, perpetrator or victim of a terrorist offence or other serious criminal offence falls under a category covered by this Regulation;
a query of the CIR was launched in accordance with Article 22 of Regulation (EU) 2019/817 and the reply received as referred to in paragraph 2 of that Article indicates that data is stored in the VIS.
Consultation of the VIS shall be limited to searching with any of the following data in the application file:
surname(s) (family name(s)), first name(s) (given name(s)), date of birth, nationality or nationalities and/or sex;
type and number of travel document or documents, the country which issued the travel document and date of expiry of the validity of the travel document;
visa sticker number or number of the long-stay visa or residence permit and the date of expiry of the validity of the visa, long-stay visa or residence permit, as applicable;
fingerprints, including latent fingerprints;
facial image.
By way of derogation from paragraphs 3 and 5 the data referred to in points (d) and (e) of paragraph 3 of children below the age of 14 shall only be used to search the VIS and, in the case of a hit, shall only be accessed where:
necessary for the purposes of the prevention, detection or investigation of a serious criminal offence of which those children are the victim of and to protect missing children;
necessary in a specific case; and
the use of the data is in the best interest of the child.
Article 22s
Keeping of logs of requests to consult VIS data for the purposes of the prevention, detection and investigation of terrorist offences or other serious criminal offences
The logs referred to in paragraph 2 shall show:
the exact purpose of the request for consultation of or access to VIS data, including the terrorist offence or other serious criminal offence concerned and, for Europol, the exact purpose of the request for consultation;
the decision taken with regard to the admissibility of the request;
the national file reference;
the date and exact time of the request for access made by the central access point to the VIS;
where applicable, the use of the urgency procedure referred to in Article 22n(2) and the outcome of the ex post verification;
which of the data or set of data referred to in Article 22o(3) have been used for consultation; and
in accordance with national rules or with Regulation (EU) 2016/794, the identifying mark of the official who carried out the search and of the official who ordered the search or transmission of data.
Article 22t
Conditions for access to VIS data by designated authorities of a Member State in respect of which this Regulation has not yet been put into effect
Access to the VIS for consultation by designated authorities of a Member State in respect of which this Regulation has not yet been put into effect shall take place where such access is:
within the scope of the powers of those designated authorities;
subject to the same conditions as referred to in Article 22o(1);
preceded by a duly reasoned written or electronic request to a designated authority of a Member State to which this Regulation applies; that authority shall then request the national central access point to consult the VIS.
Article 23 is replaced by the following:
“Article 23
Retention period for data storage
That period shall start:
on the expiry date of the visa, the long-stay visa or the residence permit, if a visa, a long-stay visa or a residence permit has been issued;
on the new expiry date of the visa, the long-stay visa or the residence permit, if a visa, a long-stay visa or a residence permit has been extended or renewed;
on the date of the creation of the application file in the VIS, if the application has been withdrawn and closed;
on the date of the decision of the responsible authority if a visa, a long-stay visa or a residence permit has been refused, withdrawn, revoked or annulled, as applicable.
For the purposes of that erasure, the EES shall automatically notify the VIS when the exit of the child is entered in the entry/exit record in accordance with Article 16(3) of Regulation (EU) 2017/2226.”;
Article 24 is replaced by the following:
“Article 24
Amendment of data
Where the inaccurate data refers to links created pursuant to Article 8(3) or (4) or Article 22a(4) or where a link is missing, the Member State responsible shall check the data concerned and provide an answer within three working days, and shall rectify the link if necessary. If no answer is provided within that timeframe, the requesting Member State shall rectify the link and notify, by VISMail, the Member State responsible of the rectification made.
Article 25 is amended as follows:
the title is replaced by the following:
“Advance erasure of data”;
paragraphs 1 and 2 are replaced by the following:
Article 26 is replaced by the following:
“Article 26
Operational management
eu-LISA shall be responsible for the following tasks relating to the communication infrastructure between the VIS Central System and the NUIs:
supervision;
security;
the coordination of relations between the Member States and the provider;
tasks relating to implementation of the budget;
acquisition and renewal;
contractual matters.
eu-LISA may use anonymised real personal data in the VIS for testing purposes in the following circumstances:
for diagnostics and repair when faults are discovered in the VIS Central System;
for testing new technologies and techniques relevant to enhance the performance of the VIS Central System or transmission of data to it.
In the cases referred to in point (b) of the first subparagraph, the security measures, access control and logging activities at the testing environment shall be equal to those for the VIS. Real personal data adopted for testing shall be rendered anonymous in such a way that the data-subject is no longer identifiable.
Article 27 is deleted;
the following article is inserted:
“Article 27a
Interoperability with other EU information systems and Europol data
Interoperability between the VIS and the SIS, the EES, the ETIAS, Eurodac, the ECRIS-TCN and Europol data shall be established to enable the automated processing of the queries of other systems pursuant to Articles 9a to 9g and Article 22b. Interoperability shall rely on the ESP.”;
Article 28 is amended as follows:
paragraphs 1 and 2 are replaced by the following:
paragraph 4 is amended, as follows:
point (a) is replaced by the following:
the development of the national system and its adaptation to the VIS;”;
point (d) is replaced by the following:
bearing the costs incurred by the national system and the costs of its connection to the NUI, including the investment and operational costs of the communication infrastructure between the NUI and the national system.”;
Article 29 is replaced by the following:
“Article 29
Responsibility for the use and quality of data
Each Member State shall ensure that the data are processed lawfully, and in particular that only duly authorised staff have access to data processed in the VIS for the performance of their tasks in accordance with this Regulation. The Member State responsible shall ensure in particular that:
the data are collected lawfully:
the data are transmitted lawfully to the VIS;
the data are accurate, up-to-date and of an adequate level of quality and completeness when they are transmitted to the VIS.
eu-LISA shall ensure that the VIS is operated in accordance with this Regulation and its implementing rules referred to in Article 45. In particular, eu-LISA shall:
take the necessary measures to ensure the security of the VIS Central System and the communication infrastructure between the VIS Central System and the NUIs, without prejudice to the responsibilities of each Member State;
ensure that only duly authorised staff have access to data processed in the VIS for the performance of the tasks of eu-LISA in accordance with this Regulation.
The Commission shall adopt implementing acts to lay down and develop the mechanism and the procedures for carrying out quality checks and appropriate requirements for data quality compliance. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).
Article 29a
Specific rules for entering data
The quality checks shall be initiated when creating or updating application files in the VIS. Where the quality checks fail to meet the established quality standards, the responsible authority or authorities shall be automatically notified by the VIS. The automated queries pursuant to Article 9a(3) and Article 22b(2) shall be triggered by the VIS only following a positive quality check.
Quality checks on facial images and fingerprints shall be performed when creating or updating application files in the VIS, to ascertain the fulfilment of minimum data quality standards allowing for biometric matching.
Quality checks on the data referred to Article 6(4) shall be performed when storing information about the national competent authorities in the VIS.
The Commission shall adopt implementing acts to lay down the specification of those quality standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).”;
Article 31 is replaced by the following:
“Article 31
Communication of data to third countries or international organisations
By way of derogation from paragraph 1 of this Article, the data referred to in points (4)(a), (b), (ca), (k) and (m) and points (6) and (7) of Article 9 or in points (d) to (i) and (k) of Article 22a(1) of this Regulation may be accessed by the competent authorities and transferred or made available to a third country or to an international organisation listed in the Annex, provided that it is necessary in individual cases in order to prove the identity of third-country nationals for the purposes of return in accordance with Directive 2008/115/EC, or, as regards transfers to an international organisation listed in the Annex to this Regulation, for the purposes of resettlement in accordance with European or national resettlement schemes, and provided that one of the following conditions is satisfied:
the Commission has adopted a decision on the adequate level of protection of personal data in that third country or international organisation in accordance with Article 45(3) of Regulation (EU) 2016/679;
appropriate safeguards have been provided as referred to in Article 46 of Regulation (EU) 2016/679, such as through a readmission agreement which is in force between the Union or a Member State and the third country in question;
point (d) of Article 49(1) of Regulation (EU) 2016/679 applies.
Moreover, the data referred to in the first subparagraph shall be transferred only where all of the following conditions are satisfied:
the transfer of the data is carried out in accordance with the relevant provisions of Union law, in particular provisions on data protection, readmission agreements, and the national law of the Member State transferring the data;
the Member State which entered the data in the VIS has given its approval;
the third country or international organisation has agreed to process the data only for the purposes for which they were provided.
Subject to the first and second subparagraphs of this paragraph, where a return decision adopted pursuant to Directive 2008/115/EC has been issued in relation to a third-country national, the data referred to in the first subparagraph shall be transferred only where the enforcement of such a return decision is not suspended and provided that no appeal has been lodged which may lead to the suspension of its enforcement.
By way of derogation from paragraph 4 of this Article, the data referred to in point (4)(a) to (ca) of Article 9 and in points (d) to (g) of Article 22a(1) may be transferred by the designated authority to a third country in individual cases, only where all of the following conditions are met:
there is an exceptional case of urgency where there is:
an imminent danger associated with a terrorist offence; or
an imminent danger to the life of a person and that danger is associated with a serious criminal offence;
the transfer of data is necessary for the prevention, detection or investigation in the territory of the Member States or in the third country concerned of a terrorist offence or other serious criminal offence;
the designated authority has access to such data in accordance with the procedure and the conditions set out in Articles 22n and 22o;
the transfer is carried out in accordance with the applicable conditions set out in Directive (EU) 2016/680, in particular Chapter V thereof;
a duly motivated written or electronic request from the third country has been submitted;
the reciprocal provision of any information in visa information systems held by the requesting country to the Member States operating the VIS is ensured.
Where a transfer is made pursuant to the first subparagraph of this paragraph, such a transfer shall be documented and the documentation shall, on request, be made available to the supervisory authority referred to in Article 41(1) of Directive (EU) 2016/680, including the date and time of the transfer, information about the receiving competent authority, the justification for the transfer and the personal data transferred.”;
Article 32 is amended, as follows:
paragraph 2 is amended as follows:
the following point is inserted:
prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;”;
the following points are inserted:
ensure that, in the event of an interruption, installed systems can be restored to normal operation;
ensure reliability by making sure that any faults in the functioning of the systems are properly reported and that the necessary technical measures are put in place to ensure that personal data can be restored in the event of corruption due to a malfunctioning of the systems;”;
paragraph 3 is replaced by the following:
the following Article is inserted:
“Article 32a
Security incidents
Articles 33 and 34 are replaced by the following:
“Article 33
Liability
Without prejudice to the liability of and the right to compensation from the controller or processor under Regulation (EU) 2016/679, Directive (EU) 2016/680 and Regulation (EU) 2018/1725:
any person or Member State that has suffered material or non-material damage as a result of an unlawful personal data processing operation or any other act incompatible with this Regulation by a Member State shall be entitled to receive compensation from that Member State;
any person or Member State that has suffered material or non-material damage as a result of an act of a Union institution, body, office or agency incompatible with this Regulation shall be entitled to receive compensation from that Union institution, body, office or agency.
The Member State or Union institution, body, office or agency shall be exempt from its liability under the first subparagraph, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.
Article 34
Keeping of logs
Each Member State, the European Border and Coast Guard Agency and eu-LISA shall keep logs of all their data processing operations within the VIS. Those logs shall show:
the purpose of access;
the date and time;
the type of data entered;
the type of data used for search; and
the name of the authority entering or retrieving the data.
In addition, each Member State shall keep logs of the staff duly authorised to enter data in or retrieve data from the VIS.
Article 36 is replaced by the following:
“Article 36
Penalties
Without prejudice to Regulation (EU) 2016/679 and Directive (EU) 2016/680, Member States shall lay down the rules on penalties applicable to infringements of this Regulation, including for processing of personal data carried out in breach of this Regulation, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.”;
in Chapter VI, the following Article is inserted:
“Article 36a
Data protection
Article 37 is amended as follows:
paragraph 1 is amended as follows:
the introductory sentence is replaced by the following:
point (a) is replaced by the following:
the identity of the controller referred to in Article 29(4), including the controller’s contact details;”;
point (c) is replaced by the following:
the categories of recipients of the data, including the authorities referred to in Article 22l and Europol;
the fact that the VIS may be accessed by the Member States and Europol for law enforcement purposes;”;
the following point is inserted:
the fact that personal data stored in the VIS may be transferred to a third country or an international organisation in accordance with Article 31 of this Regulation and to Member States in accordance with Council Decision (EU) 2017/1908 ( 14 );
point (f) is replaced by the following:
the existence of the right to request access to data relating to them, the right to request that inaccurate data relating to them be rectified, that incomplete personal data relating to them be completed, that unlawfully processed personal data concerning them be erased or that the processing thereof be restricted, as well as the right to receive information on the procedures for exercising those rights, including the contact details of the supervisory authorities, or of the European Data Protection Supervisor if applicable, which shall hear complaints concerning the protection of personal data;”;
paragraph 2 is replaced by the following:
in paragraph 3, the second subparagraph is replaced by the following:
“In the absence of such a form signed by those persons this information shall be provided in accordance with Article 14 of Regulation (EU) 2016/679.”;
Articles 38 to 43 are replaced by the following:
“Article 38
Right of access to, rectification, completion, erasure of personal data and restriction of processing
Where the request is addressed to the Member State responsible and where it is found that VIS data are factually inaccurate or have been recorded unlawfully, the Member State responsible shall, in accordance with Article 24(3), rectify or erase those data in the VIS without delay and at the latest within one month of receipt of the request. The Member State responsible shall confirm in writing to the person concerned without delay that it has taken action to rectify or erase data relating to him or her.
Where the request is addressed to a Member State other than the Member State responsible, the authorities of the Member State to which the request was addressed shall contact the authorities of the Member State responsible within a period of seven days. The Member State responsible shall proceed in accordance with the second subparagraph of this paragraph. The Member State which contacted the authority of the Member State responsible shall inform the person concerned that his or her request was forwarded, to which Member State and about the further procedure.
By way of derogation from paragraphs 1 to 6 of this Article, and only as regards data contained in the reasoned opinions that are recorded in the VIS in accordance with Article 9e(6), Article 9g(6) and Article 22b(14) and (16) as a result of the queries pursuant to Articles 9a and 22b, a Member State shall take a decision not to provide information to the person concerned, in whole or in part, in accordance with national or Union law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned, in order to:
avoid obstructing official or legal inquiries, investigations or procedures;
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
protect public security;
protect national security; or
protect the rights and freedoms of others.
In the cases referred to in the first subparagraph, the Member State shall inform the person concerned in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the person concerned of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.
The Member State shall document the factual or legal reasons on which the decision not to provide information to the person concerned is based. That information shall be made available to the supervisory authorities.
For such cases, the person concerned shall also be able to exercise his or her rights through the competent supervisory authorities.
Article 39
Cooperation to ensure the rights on data protection
In order to achieve the aims referred to in the first subparagraph, the supervisory authority of the Member State responsible and the supervisory authority of the Member State to which the request has been made shall cooperate with each other.
Article 40
Remedies
Article 41
Supervision by the supervisory authorities
Article 42
Supervision by the European Data Protection Supervisor
Article 43
Cooperation between supervisory authorities and the European Data Protection Supervisor
Article 44 is deleted;
Article 45 is replaced by the following:
“Article 45
Implementation by the Commission
The Commission shall adopt implementing acts to lay down the measures necessary for the development of the VIS Central System, the NUIs in each Member State and the communication infrastructure between the VIS Central System and the NUIs concerning the following:
the design of the physical architecture of the VIS Central System including its communication network;
technical aspects which have a bearing on the protection of personal data;
technical aspects which have serious financial implications for the budgets of the Member States or which have serious technical implications for the national systems;
the development of security requirements, including biometric aspects.
The Commission shall adopt implementing acts to lay down measures necessary for the technical implementation of the functionalities of the VIS Central System, in particular:
for entering the data and linking applications in accordance with Article 8, Articles 10 to 14, Article 22a and Articles 22c to 22f;
for accessing the data in accordance with Article 15, Articles 18 to 22, Articles 22g to 22k, Articles 22n to 22r and Articles 45e and 45f;
for rectification, erasure and advance erasure of data in accordance with Articles 23, 24 and 25;
for keeping and accessing the logs in accordance with Article 34;
for the consultation mechanism and the procedures referred to in Article 16;
for accessing the data for the purposes of reporting and statistics in accordance with Article 45a.
Article 45a
Use of VIS data for reporting and statistics
The duly authorised staff of the competent authorities of Member States, the Commission, eu-LISA, the European Asylum Support Office and the European Border and Coast Guard Agency, including the ETIAS Central Unit in accordance with Article 9j, shall have access to the VIS to consult the following data, solely for the purposes of reporting and statistics without allowing for individual identification and in accordance with the safeguards related to non-discrimination referred to in Article 7(2):
status information;
the authority with which the application has been lodged, including its location;
sex, age and nationality or nationalities of the applicant;
country and city of residence of the applicant, only as regards visas;
current occupation (job group) of the applicant, only as regards visas;
the Member States of first entry and destination, only as regards visas;
date and place of the application and the decision concerning the application (issued, withdrawn, refused, annulled, revoked, renewed or extended);
the type of document applied for or issued, i.e. whether airport transit visa, uniform or limited territorial validity visa, long-stay visa or residence permit;
the type of the travel document and the country which issued the travel document, only as regards visas;
the decision concerning the application and, in the case of refusal, withdrawal, annulment or revocation, the grounds indicated for that decision;
hits resulting from queries of EU information systems, Europol data or Interpol databases pursuant to Article 9a or 22b, differentiated by system or database, or hits against the specific risk indicators pursuant to Article 9j, and hits where, after manual verification pursuant to Article 9c, 9d, 9e or 22b the applicant’s personal data was confirmed as corresponding to the data present in one of the information systems or databases queried;
decisions to refuse a visa, long-stay visa or residence permit which are correlated to a manually verified and confirmed hit in one of the information systems or databases queried or to a hit against the specific risk indicators;
the competent authority, including its location, which decided on the application and the date of the decision, only as regards visas;
the cases in which the same applicant applied for a visa from more than one visa authority, indicating those visa authorities, their location and the dates of the decisions;
the main purposes of the journey, only as regards visas;
visa applications processed in representation pursuant to Article 8 of Regulation (EC) No 810/2009;
the data entered in respect of any document withdrawn, annulled, revoked, renewed or extended, as applicable;
the expiry date of the long-stay visa or residence permit;
the number of persons exempt from the requirement to give fingerprints pursuant to Article 13(7) of Regulation (EC) No 810/2009;
the cases in which the data referred to in point (6) of Article 9 could not be provided, in accordance with Article 8(5);
the cases in which the data referred to in point (6) of Article 9 was not required to be provided for legal reasons, in accordance with Article 8(5);
the cases in which a person who could not provide the data referred to in point (6) of Article 9 was refused a visa, in accordance with Article 8(5);
links to the previous application file on that applicant as well as links of the application files of the persons travelling together, only as regards visas.
The duly authorised staff of the European Border and Coast Guard Agency shall have access to the VIS to consult the data referred to in the first subparagraph of this paragraph for the purpose of carrying out risk analyses and vulnerability assessments as referred to in Articles 29 and 32 of Regulation (EU) 2019/1896.
Every quarter, eu-LISA shall compile statistics based on the VIS data on visas showing, for each location where a visa application was lodged and for each Member State, in particular:
the number of airport transit (A) visas applied for; the number of A visas issued, disaggregated by single airport transit and multiple airport transits; the number of A visas refused;
the number of short-stay (C) visas applied for (and disaggregated by the main purposes of the journey); the number of C visas issued, disaggregated by issued for single entry, two entries or multiple entry and the latter divided by length of validity (six months or below, one year, two years, three years, four years, five years); the number of visas with limited territorial validity issued (LTV); the number of C visas refused.
The daily statistics shall be stored in the central repository for reporting and statistics in accordance with Article 39 of Regulation (EU) 2019/817.
Every quarter, eu-LISA shall compile statistics based on the VIS data on long-stay visas and residence permits showing, for each location, in particular:
total of long-stay visas applied for, issued, refused, withdrawn, revoked, annulled and extended;
total of residence permits applied for, issued, refused, withdrawn, revoked, annulled and renewed.
Article 45b
Notifications
Three months after the date of the start of operations of the VIS pursuant to Article 11 of Regulation (EU) 2021/1134 of the European Parliament and of the Council ( 16 ) eu-LISA shall publish a consolidated list of the authorities notified pursuant to the first subparagraph of this paragraph in the Official Journal of the European Union.
Member States shall notify the Commission and eu-LISA of any changes to the authorities notified without delay. In the event of such changes, eu-LISA shall publish once a year an updated consolidated list in the Official Journal of the European Union. eu-LISA shall maintain a continuously updated public website containing that information.
Article 45c
Access to data for verification by carriers
For this purpose, as regards visas, the carrier shall provide the data referred to in point (4)(a), (b) and (c) of Article 9 and as regards long-stay visas and residence permits, the carrier shall provide the data referred to in points (d), (e) and (f) of Article 22a(1), as contained in the travel document. The carrier shall also indicate the Member State of entry or, in the case of airport transit, the Member State of transit.
By way of derogation from the second subparagraph of this paragraph, in the case of airport transit, the carrier shall not be obliged to send a query to the VIS, except where the third-country national is required to hold an airport transit visa in accordance with Article 3 of Regulation (EC) No 810/2009.
If a visa with limited territorial validity has been issued in accordance with Article 25 of Regulation (EC) No 810/2009, the answer provided by the VIS shall take into account the Member States for which the visa is valid as well as the Member State of entry indicated by the carrier.
Carriers may store the information sent and the answer received in accordance with the applicable law. The OK/NOT OK answer shall not be regarded as a decision to authorise or refuse entry in accordance with Regulation (EU) 2016/399.
The Commission shall adopt implementing acts to lay down detailed rules concerning the conditions for the operation of the carrier gateway and the data protection and security rules applicable. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).
The Commission shall adopt implementing acts to lay down the authentication scheme for carriers. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).
eu-LISA shall store the logs for a period of two years. eu-LISA shall ensure that logs are protected by appropriate measures against unauthorised access.
Article 45d
Fall-back procedures in the case of technical impossibility to access data by carriers
Article 45e
Access to VIS data by European Border and Coast Guard teams
Article 45f
Conditions and procedure for access to VIS data by European Border and Coast Guard teams
For the access to be granted, the following conditions shall apply:
the host Member State authorises the members of the European Border and Coast Guard team to consult the VIS in order to fulfil the operational aims specified in the operational plan on border checks, border surveillance and return; and
consultation of the VIS is necessary for performing the specific tasks entrusted to the team by the host Member State.
Consultation of VIS data by members of the teams shall take place as follows:
when exercising tasks related to border checks pursuant to Regulation (EU) 2016/399, the members of the European Border and Coast Guard teams shall have access to VIS data for verification at external border crossing points in accordance with Article 18 or 22g of this Regulation respectively;
when verifying whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, the members of the teams shall have access to the VIS data for verification within the territory of third-country nationals in accordance with Article 19 or 22h of this Regulation respectively;
when identifying any person that does not or no longer fulfils the conditions for the entry to, stay or residence on the territory of the Member States, the members of the teams shall have access to VIS data for identification in accordance with Articles 20 and 22i of this Regulation.
Articles 46, 47 and 48 are deleted;
the following Article is inserted:
“Article 48a
Exercise of delegation
Articles 49 and 50 are replaced by the following:
“Article 49
Committee procedure
Article 49a
Advisory group
An Advisory Group shall be established by eu-LISA and provide it with the expertise related to the VIS in particular in the context of the preparation of its annual work programme and its annual activity report.
Article 50
Monitoring and evaluation
While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare annual reports on the effectiveness of access to VIS data for law enforcement purposes containing information and statistics on:
the exact purpose of the consultation including the type of terrorist offence or other serious criminal offence;
reasonable grounds given for the substantiated suspicion that the suspect, perpetrator or victim is covered by this Regulation;
the number of requests to access the VIS for law enforcement purposes and to access the data on children below 14 years of age;
the number and type of cases in which the urgency procedures referred to in Article 22n(2) were used, including those cases where the urgency was not accepted by the ex post verification carried out by the central access point;
the number and type of cases, which have ended in successful identifications.
Member States’ and Europol’s annual reports shall be transmitted to the Commission by 30 June of the subsequent year.
A technical solution shall be made available to Member States in order to facilitate the collection of those data pursuant to Chapter IIIb for the purpose of generating statistics referred to in this paragraph. The Commission shall, by means of implementing acts, adopt the specifications of the technical solution. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).
Article 2
Amendments to Regulation (EC) No 810/2009
Regulation (EC) No 810/2009 is amended as follows:
Article 10 is amended as follows:
paragraph 1 is replaced by the following:
paragraph 3 is amended as follows:
point (c) is replaced by the following:
allow his or her facial image to be taken live in accordance with Article 13 or, where the exemptions referred to in Article 13(7a) apply, present a photograph in accordance with the standards set out in Regulation (EC) No 1683/95;”;
the following subparagraph is added:
“Without prejudice to point (c) of this paragraph, Member States may require the applicant to present a photograph in accordance with the standards set out in Regulation (EC) No 1683/95 at every application.”;
Article 13 is amended as follows:
paragraphs 1 to 4 are replaced by the following:
At the time of submission of the first application and subsequently at least every 59 months thereafter, the applicant shall be required to appear in person. At that time, the following biometric identifiers of the applicant shall be collected:
a facial image taken live at the time of the application;
10 fingerprints taken flat and collected digitally.
However, where there is reasonable doubt regarding the identity of the applicant, the consulate shall collect the fingerprints and facial image of that applicant within the period specified in the first subparagraph.
Furthermore, if at the time when the application is lodged, it cannot be immediately confirmed that the fingerprints were collected within the period specified in the first subparagraph, the applicant may request that they be collected.
the following paragraph is inserted:
When collecting biometric identifiers of minors all of the following conditions shall be met:
the staff taking the biometric identifiers of a minor have been trained specifically to take a minor’s biometric data in a child-friendly and child-sensitive manner and in full respect of the best interests of the child and the safeguards laid down in the United Nations Convention on the Rights of the Child;
every minor is accompanied by an adult family member or legal guardian when the biometric identifiers are taken;
no force is used to take the biometric identifiers.”;
paragraph 7 is amended as follows:
point (a) is replaced by the following:
children below the age of six and persons over the age of 75;”;
the following point is added:
persons who are required to appear as witness before international courts and tribunals in the territory of the Member States and their appearance in person to lodge an application would put them in serious danger.”;
the following paragraphs are inserted:
paragraph 8 is deleted;
Article 21 is amended as follows:
the following paragraphs are inserted:
By way of derogation from Article 4(1), in the case of applications where a reasoned opinion was provided by the VIS designated authority or the ETIAS National Unit, the central authorities shall either be empowered to decide on the application themselves or shall, after assessing the reasoned opinion, inform the consulate processing the application that they object to the issuance of the visa.
paragraph 4 is replaced by the following:
the following paragraph is inserted:
in point (a) of Article 25(1), the following point is added:
to issue a visa for reasons of urgency, although the verifications of hits in accordance with Articles 9a to 9g of the VIS Regulation have not been completed;”;
in Article 35, the following paragraph is inserted:
However, a visa with limited territorial validity for the territory of the issuing Member State may be issued at the external border for such persons in exceptional cases, in accordance with point (a) of Article 25(1).”;
in Article 36, paragraph 3 is replaced by the following:
in Article 39, paragraphs 2 and 3 are replaced by the following:
Article 46 is deleted;
Article 57 is amended as follows:
paragraph 1 is replaced by the following:
paragraphs 3 and 4 are deleted;
in point C(b) of Annex X, the second indent is replaced by the following:
respect the human dignity and integrity of applicants, do not discriminate against persons on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation,
respect the provisions regarding the taking of biometrics identifiers laid down in Article 13, and”;
Annex XII is deleted.
Article 3
Amendments to Regulation (EU) 2016/399
Regulation (EU) 2016/399 is amended as follows:
in Article 8, paragraph 3 is amended as follows:
the following point is inserted:
if the third-country national holds a long-stay visa or a residence permit, the thorough checks on entry shall comprise verification of the identity of the holder of the long-stay visa or residence permit and the authenticity and validity of the long-stay visa or residence permit by consulting the VIS in accordance with Article 22g of Regulation (EC) No 767/2008.
In circumstances where verification of the identity of the holder of the long-stay visa or residence permit or of the authenticity and validity of the long-stay visa or residence permit, fails or where there are doubts as to the identity of the holder, the authenticity of the long-stay visa or residence permit or the travel document, the duly authorised staff of those competent authorities shall proceed to a verification of the document chip;”;
points (c) to (f) are deleted;
in Annex VII, point 6, is replaced by the following:
“6. Minors
6.1. Border guards shall pay particular attention to minors, whether travelling accompanied or unaccompanied. Minors crossing an external border shall be subject to the same checks on entry and exit as adults, as provided for in this Regulation.
6.2. In the case of accompanied minors, the border guard shall check that the persons accompanying minors have parental care or legal guardianship over them, especially where minors are accompanied by only one adult and there are serious grounds for suspecting that they may have been unlawfully removed from the custody of the persons legally exercising parental care or legal guardianship over them. In the latter case, the border guard shall carry out a further investigation in order to detect any inconsistencies or contradictions in the information given.
6.3. In the case of minors travelling unaccompanied, border guards shall ensure, by means of thorough checks on travel documents and supporting documents, that the minors do not leave the territory against the wishes of the persons having parental care or legal guardianship over them.
6.4. Member States shall nominate national contact points for consultation on minors and inform the Commission thereof. A list of those national contact points shall be made available to the Member States by the Commission.
6.5. Where there is doubt as to any of the circumstances set out in points 6.1, 6.2 and 6.3, border guards shall make use of the list of national contact points for consultation on minors.
6.6. Member States shall ensure that border guards verifying biometrics of children or using them to identify a child are specifically trained to do so in a child-friendly and child-sensitive manner and in full respect of the best interests of the child and the safeguards laid down in the United Nations Convention on the Rights of the Child. When accompanied by a parent or a legal guardian that person shall accompany the child when the biometrics are verified or used for identification. No force shall be used. Member States shall ensure, where necessary, that the infrastructure at border crossing points is adapted for the use of biometrics of children.”.
Article 4
Amendments to Regulation (EU) 2017/2226
Regulation (EU) 2017/2226 is amended as follows:
Article 8 is amended as follows:
in paragraph 2, point (e) is replaced by the following:
where the identity of a visa holder is verified using fingerprints or facial image, verify at the borders at which the EES is operated the identity of a visa holder by comparing the fingerprints or facial image of the visa holder with the fingerprints or the facial image taken live that are recorded in the VIS, in accordance with Article 23(2) and (4) of this Regulation and Article 18(6) of Regulation (EC) No 767/2008. Only facial images recorded in the VIS with an indication that the facial image was taken live upon submission of the visa application shall be used for that comparison.”;
the following paragraphs are inserted:
the following paragraph is added:
in Article 9(2), the following subparagraph is added:
“The EES shall provide the functionality for the centralised management of that list. The detailed rules on managing that functionality shall be laid down in implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 68(2).”;
in Article 13, paragraph 3 is replaced by the following:
Carriers shall provide the data listed under points (a), (b) and (c) of Article 16(1) of this Regulation. On that basis, the web service shall provide carriers with an OK/NOT OK answer. Carriers may store the information sent and the answer received in accordance with the applicable law. Carriers shall establish an authentication scheme to ensure that only authorised staff may access the web service. It shall not be possible to regard the OK/NOT OK answer as a decision to authorise or refuse entry in accordance with Regulation (EU) 2016/399.
Where third-country nationals are refused boarding due to the answer of the web service, carriers shall inform them that this refusal is due to information stored in the EES and shall provide them with information on their rights with regard to access to and rectification or erasure of personal data recorded in the EES.”;
Article 15 is amended as follows:
paragraph 1 is replaced by the following:
paragraph 5 is deleted;
Article 16 is amended as follows:
in paragraph 1, point (d) is replaced by the following:
the facial image as referred to in Article 15, unless a facial image is recorded in the VIS with an indication that it was taken live upon submission of the application.”;
the following paragraph is inserted:
in Article 18(2), the following subparagraph is added:
“By way of derogation from Article 15(1) and point (d) of Article 16(1) of this Regulation, where the third-country national is refused entry on the basis of a reason corresponding to point (B) or (D) of Part B of Annex V to Regulation (EU) 2016/399 and where there are doubts regarding the authenticity of the facial image recorded in the VIS, the facial image referred to in point (a) of this paragraph shall be taken live and entered in the individual file irrespective of any facial image recorded in the VIS.”;
Article 23 is amended as follows:
in paragraph 2, the third subparagraph is replaced by the following:
“If the search in the EES with the data set out in the first subparagraph of this paragraph indicates that data on the third-country national are recorded in the EES, the border authorities shall:
for third-country nationals who are not subject to a visa requirement, compare the live facial image with the facial image referred to in point (b) of Article 17(1) or proceed to a verification of fingerprints against the EES, and
for third-country nationals subject to a visa requirement:
compare the live facial image with the facial image recorded in the EES referred to in point (d) of Article 16(1) of this Regulation or with the facial image taken live recorded in the VIS in accordance with point (5) of Article 9 of Regulation (EC) No 767/2008, or
proceed to a verification of fingerprints directly against the VIS in accordance with Article 18 of Regulation (EC) No 767/2008.
For the verification of fingerprints or the facial image taken live against the VIS for visa holders, the border authorities may launch the search in the VIS directly from the EES as provided in Article 18(6) of Regulation (EC) No 767/2008.”;
in the second subparagraph of paragraph 4, point (a) is replaced by the following:
for third-country nationals who are subject to a visa requirement, if the search in the VIS with the data referred to in Article 18(1) of Regulation (EC) No 767/2008 indicates that data on the third-country national are recorded in the VIS, a verification of fingerprints or the facial image taken live against the VIS shall be carried out in accordance with Article 18(6) of that Regulation. For that purpose, the border authority may launch a search from the EES to the VIS as provided for in Article 18(7) of Regulation (EC) No 767/2008. Where a verification of a third-country national pursuant to paragraph 2 of this Article failed, the border authorities shall access the VIS data for identification in accordance with Article 20 of Regulation (EC) No 767/2008.”;
in Article 24 the following paragraph is added:
in Article 35, paragraph 4 is replaced by the following:
Article 5
Amendments to Regulation (EU) 2018/1240
Regulation (EU) 2018/1240 is amended as follows:
in Article 4, the following point is inserted:
support the objectives of the VIS of facilitating the visa application procedure and contribute to the prevention of threats to the internal security of the Member States, by allowing queries in ETIAS, including the ETIAS watchlist referred to in Article 34;”;
Article 7 is amended as follows:
paragraph 2 is amended as follows:
the following point is inserted:
defining, establishing, assessing ex ante, implementing, evaluating ex post, revising and deleting the specific risk indicators referred to in Article 9j of Regulation (EC) No 767/2008 after consulting the VIS Screening Board;”;
point (e) is replaced by the following:
carrying out regular audits of the processing of applications and of the implementation of Article 33 of this Regulation and Article 9j of Regulation (EC) No 767/2008, including by regularly assessing their impact on fundamental rights, in particular with regard to privacy and personal data protection;”;
point (h) is replaced by the following:
notifying carriers in cases of a failure of the ETIAS Information System as referred to in Article 46(1) of this Regulation or of the VIS as referred to in Article 45d(1) of Regulation (EC) No 767/2008;”;
in paragraph 3, the following point is inserted:
information on the functioning of the specific risk indicators for the VIS.”;
in Article 8(2) the following point is added:
manually verifying the hits in the ETIAS watchlist referred to in Article 34 of this Regulation triggered by the automated queries carried out by the VIS pursuant to Articles 9a and 22b of Regulation (EC) No 767/2008 and following up those hits, in accordance with Article 9e of that Regulation.”;
the following article is inserted:
“Article 11a
Interoperability with the VIS
From the date of the start of operations of the VIS pursuant to Article 11 of Regulation (EU) 2021/1134 of the European Parliament and of the Council ( 23 ) the ETIAS Central System and the CIR shall be connected to the ESP to enable the automated processing pursuant to Articles 9a and 22b of Regulation (EC) No 767/2008.
in Article 13, the following paragraph is inserted:
the following chapter is inserted:
“CHAPTER IXa
USE OF ETIAS BY VISA AUTHORITIES AND AUTHORITIES COMPETENT TO DECIDE ON AN APPLICATION FOR A LONG-STAY VISA OR RESIDENCE PERMIT
Article 49a
Access to data by visa authorities and authorities competent to decide on an application for a long-stay visa or residence permit
For the purpose of carrying out the verifications laid down in Articles 9c and 22b of Regulation (EC) No 767/2008, the competent visa authorities and authorities competent to decide on an application for a long-stay visa or residence permit shall have the right to access relevant data in the ETIAS Central System and the CIR.”;
in Article 69(1), the following point is added:
the hits triggered by the automated queries carried out by the VIS pursuant to Articles 9a and 22b of Regulation (EC) No 767/2008, the data processed by the competent visa authorities and authorities competent to decide on an application for a long-stay visa or residence permit for the purpose of manually verifying the hits in accordance with Articles 9c and 22b of that Regulation, and the data processed by the ETIAS National Units in accordance with Article 9e of that Regulation.”;
in Article 75(1), the following point is added:
the specific risk indicators referred to in Article 9j of Regulation (EC) No 767/2008.”.
Article 6
Amendments to Regulation (EU) 2018/1860
In Regulation (EU) 2018/1860, Article 19 is replaced by the following:
“Article 19
Applicability of the provisions of Regulation (EU) 2018/1861
Insofar as not established in this Regulation, the entry, processing and updating of alerts, the provisions on responsibilities of the Member States and eu-LISA, the conditions concerning access and the review period for alerts, data processing, data protection, liability and monitoring and statistics, as laid down in Articles 6 to 19, Article 20(3) and (4), Articles 21, 23, 32 and 33, Article 34(5), Article 36a and Articles 38 to 60 of Regulation (EU) 2018/1861, shall apply to data entered and processed in SIS in accordance with this Regulation.”.
Article 7
Amendments to Regulation (EU) 2018/1861
Regulation (EU) 2018/1861 is amended as follows:
the following article is inserted:
“Article 18a
Keeping of logs for the purposes of interoperability with VIS
Logs of each data processing operation carried out within SIS and VIS pursuant to Article 36c of this Regulation shall be kept in accordance with Article 18 of this Regulation and Article 34 of Regulation (EC) No 767/2008.”;
the following article is inserted:
“Article 36a
Interoperability with VIS
From the date of the start of operations of the VIS pursuant to Article 11 of Regulation (EU) 2021/1134 of the European Parliament and of the Council ( 24 ) the Central SIS shall be connected to the ESP to enable the automated processing pursuant to Articles 9a and 22b of Regulation (EC) No 767/2008.
Article 8
Amendments to Regulation (EU) 2019/817
Regulation (EU) 2019/817 is amended as follows:
in Article 4, point 20 is replaced by the following:
‘designated authorities’ means the Member State designated authorities as defined in point (26) of Article 3(1) of Regulation (EU) 2017/2226, point (3a) of Article 4 of Regulation (EC) No 767/2008, and point (21) of Article 3(1) of Regulation (EU) 2018/1240;”;
in Article 13(1), point (b) is replaced by the following:
the data referred to in points (5) and (6) of Article 9 and points (k) and (j) of Article 22a(1) of Regulation (EC) No 767/2008, provided, as regards the facial image, that it was recorded in VIS with an indication that it was taken live upon submission of the application;”;
in Article 18(1), point (b) is replaced by the following:
the data referred to in points (4)(a) to (ca) and points (5) and (6) of Article 9 and in points (d) to (g), (j) and (k) of Article 22a(1) of Regulation (EC) No 767/2008;”;
in Article 26(1), point (b) is replaced by the following:
the visa authorities and the authorities competent to decide on an application for a long-stay visa or residence permit as referred to in Article 6(1) of Regulation (EC) No 767/2008 when creating or updating an application file in VIS in accordance with that Regulation;
the VIS designated authorities referred to in Articles 9d and 22b of Regulation (EC) No 767/2008 when manually verifying hits triggered by automated queries from VIS to ECRIS-TCN in accordance with that Regulation;”;
in Article 27(3), point (b) is replaced by the following:
surname (family name); first name(s) (given name(s)); date of birth; place of birth; sex, and nationality or nationalities as referred to in points (4)(a) and (aa) of Article 9 and in point (d) of Article 22a(1) of Regulation (EC) No 767/2008;”;
in Article 29(1), point (b) is replaced by the following:
the visa authorities and the authorities competent to decide on an application for a long-stay visa or residence permit as referred to in Article 6(1) of Regulation (EC) No 767/2008 for matches that occurred when creating or updating an application file in VIS in accordance with that Regulation, with the exception of the cases referred to in point (ba) of this paragraph;
the VIS designated authorities referred to in Articles 9d and 22b of Regulation (EC) No 767/2008 only for yellow links created between data in VIS and ECRIS-TCN when creating or updating an application file in VIS in accordance with that Regulation;”;
in Article 39, paragraph 2 is replaced by the following:
in Article 72, the following paragraph is inserted:
Article 9
Amendments to Regulation (EU) 2019/1896
In Article 10(1) of Regulation (EU) 2019/1896, the following point is inserted:
fulfil the tasks and obligations entrusted to the Agency under Regulation (EC) No 767/2008;”.
Article 10
Repeal
Decisions 2004/512/EC and 2008/633/JHA are repealed. References to those Decisions shall be construed as references to Regulation (EC) No 767/2008 and shall be read in accordance with the correlation tables in Annexes I and II to this Regulation, respectively.
Article 11
Start of operations
No later than 31 December 2023, the Commission shall adopt a decision by means of an implementing act setting the date on which VIS operations start pursuant to this Regulation. The Commission shall adopt that decision once the following conditions are met:
the measures referred to in Article 5a(3), Article 6(5), the third paragraph of Article 9, Article 9h(2), Article 9j(2) and (3), Article 22b(18), the second subparagraph of Article 29(2a), the second subparagraph of Article 29a(3), Article 45, the fourth subparagraph of Article 45c(3), the second subparagraph of Article 45c(5), Article 45d(3), and third subparagraph of Article 50(4) of Regulation (EC) No 767/2008 have been adopted;
eu-LISA has notified the Commission of the successful completion of all testing activities;
Member States have notified the Commission that they have made the necessary technical and legal arrangements to process data pursuant to this Regulation and have notified to the Commission and eu-LISA the information referred to in Article 45b of Regulation (EC) No 767/2008;
In the event of delays in the full implementation of this Regulation, the Commission shall inform the European Parliament and the Council as soon as possible about the reasons for the delays and their impact in terms of time and costs.
Article 12
Entry into force and application
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall apply from the date set by the Commission in accordance with Article 11, with the exception of:
the following provisions which shall apply from 2 August 2021:
point (6) of Article 1 of this Regulation as regards Article 5a(3) and Article 6(5) of Regulation (EC) No 767/2008;
point (10)(c) of Article 1 of this Regulation as regards the third paragraph of Article 9 of Regulation (EC) No 767/2008;
point (11) of Article 1 of this Regulation as regards Article 9h(2) and Article 9j(2) and (3) of Regulation (EC) No 767/2008;
point (26) of Article 1 of this Regulation as regards Article 22b(18) of Regulation (EC) No 767/2008;
point (34) of Article 1 of this Regulation as regards the second subparagraph of Article 29(2a) and the second subparagraph of Article 29a(3) of Regulation (EC) No 767/2008;
point (44) of Article 1 of this Regulation as regards Article 45, the fourth subparagraph of Article 45c(3), the second subparagraph of Article 45c(5) and Article 45d(3) of Regulation (EC) No 767/2008;
point (46) of Article 1;
point (47) of Article 1 of this Regulation as regards Article 49 and the third subparagraph of Article 50(4) of Regulation (EC) No 767/2008; and
point (2) of Article 4 of this Regulation as regards Article 9(2) of Regulation (EU) 2017/2226;
points (40) to (43) of Article 1, which shall apply from 3 August 2022;
point (44) of Article 1 of this Regulation as regards Articles 45e and 45f of Regulation (EC) No 767/2008, which shall apply from 3 August 2023.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
ANNEX I
CORRELATION TABLE FOR DECISION 2004/512/EC
Council Decision 2004/512/EC |
Regulation (EC) No 767/2008 |
Article 1(1) |
Article 1 |
Article 1(2) |
Article 2a |
Article 2 |
- |
Article 3 and 4 |
Article 45 |
Article 5 |
Article 49 |
Article 6 |
- |
ANNEX II
CORRELATION TABLE FOR DECISION 2008/633/JHA
Council Decision 2008/633/JHA |
Regulation (EC) No 767/2008 |
Article 1 |
Article 1 |
Article 2 |
Article 4 |
Article 3 |
Articles 22l and 22m, Article 45b |
Article 4 |
Article 22n |
Article 5 |
Article 22o |
Article 6 |
Article 22t |
Article 7 |
Article 22m Article 22r |
Article 8 |
Article 28(5), Article 31(4) and (5), and Chapter VI |
Article 9 |
Article 32 |
Article 10 |
Article 33 |
Article 11 |
Article 35 |
Article 12 |
Article 36 |
Article 13 |
Article 30 |
Article 14 |
Article 38 |
Article 15 |
- |
Article 16 |
Article 22s |
Article 17 |
Article 50 |
( 1 ) Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (OJ L 180, 29.6.2013, p. 31).
( 2 ) Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60).”;
( 3 ) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).”;
( 4 ) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
( 5 ) Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals (OJ L 157, 15.6.2002, p. 1).
( 6 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
( 7 ) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
( 8 ) Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
( 9 ) Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p.1).”;
( 10 ) Decision No 1105/2011/EU of the European Parliament and of the Council of 25 October 2011 on the list of travel documents which entitle the holder to cross the external borders and which may be endorsed with a visa and on setting up a mechanism for establishing this list (OJ L 287, 4.11.2011, p. 9).”;
( 11 ) Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77).”;
( 12 ) Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, p. 23).”;
( 13 ) OJ L 56, 4.3.1968, p. 1.”;
( 14 ) Council Decision (EU) 2017/1908 of 12 October 2017 on the putting into effect of certain provisions of the Schengen acquis relating to the Visa Information System in the Republic of Bulgaria and Romania (OJ L 269, 19.10.2017, p. 39).”;
( 15 ) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).”;
( 16 ) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11).
( 17 ) Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 (OJ L 295, 14.11.2019, p. 1).”;
( 18 ) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).”.
( 19 ) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).
( 20 ) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).”;
( 21 ) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).”;
( 22 ) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11).”;
( 23 ) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11).”;
( 24 ) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11).”.
( 25 ) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11).”.