Regulation (EC) No 390/2009 of the European Parliament and of the Council of 23 April 2009 amending the Common Consular Instructions on visas for diplomatic missions and consular posts in relation to the introduction of biometrics including provisions on the organisation of the reception and processing of visa applications
390/2009 • 32009R0390
Legal Acts - Regulations
- 2 Inbound citations:
- •
- 0 Cited paragraphs:
- •
- 7 Outbound citations:
28.5.2009
EN
Official Journal of the European Union
L 131/1
REGULATION (EC) No 390/2009 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 23 April 2009
amending the Common Consular Instructions on visas for diplomatic missions and consular posts in relation to the introduction of biometrics including provisions on the organisation of the reception and processing of visa applications
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty establishing the European Community, and in particular Article 62(2)(b)(ii) thereof,
Having regard to the proposal from the Commission,
Having regard to the opinion of the European Data Protection Supervisor (1),
Acting in accordance with the procedure laid down in Article 251 of the Treaty (2),
Whereas:
(1)
To ensure the reliable verification and identification of applicants, it is necessary to process biometric data in the Visa Information System (VIS) established by Council Decision 2004/512/EC (3) and to provide for a legal framework for the collection of these biometric identifiers. Furthermore, the implementation of the VIS requires new forms of organisation for the reception of visa applications.
(2)
The integration of biometric identifiers in the VIS is an important step towards the use of new elements, which establish a more reliable link between the visa holder and the passport in order to avoid the use of false identities. Therefore, the personal appearance of the applicant — at least for the first application — should be one of the basic requirements for issuing a visa with the registration of biometric identifiers in the VIS.
(3)
The choice of the biometric identifiers is made in Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (4).
(4)
This Regulation defines the standards for the collection of these biometric identifiers by referring to the relevant provisions set out by the International Civil Aviation Organisation (ICAO). No further technical specifications are required in order to ensure interoperability.
(5)
Any document, data or biometric identifier received by a Member State in the course of a visa application shall be considered a consular document under the Vienna Convention on Consular Relations of 24 April 1963 and shall be treated in an appropriate manner.
(6)
In order to facilitate the registration of applicants and to reduce the costs for Member States, new organisational possibilities need to be envisaged in addition to the existing framework of representation. Firstly, a specific type of representation limited to the collection of applications and enrolment of biometric identifiers should be added to the Common Consular Instructions on visas for the diplomatic missions and consular posts (5).
(7)
Other options such as co-location, common application centres, honorary consuls and cooperation with external service providers should be introduced. An appropriate legal framework for these options should be established, taking into account, in particular, data protection issues. Member States should, in accordance with the conditions laid down in this legal framework, determine the type of organisational structure which they will use in each third country. Details of those structures should be published by the Commission.
(8)
When organising cooperation, Member States should ensure that applicants are directed to the Member State responsible for the processing of their applications.
(9)
It is necessary to make provision for situations in which Member States decide, in order to facilitate the procedure, to cooperate with an external service provider for the collection of applications. Such a decision may be taken if, in particular circumstances or for reasons relating to the local situation, cooperation with other Member States in the form of limited representation, co-location or a Common Application Centre proves not to be appropriate for the Member State concerned. Such arrangements should be established in compliance with the general principles for issuing visas, respecting the data protection requirements set out in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (6). In addition, the need to avoid visa-shopping should be taken into consideration when establishing and implementing such arrangements.
(10)
Member States should cooperate with external service providers on the basis of a legal instrument which should contain provisions on their exact responsibilities, on direct and total access to their premises, information for applicants, confidentiality and on the circumstances, conditions and procedures for suspending or terminating the cooperation.
(11)
This Regulation, by allowing Member States to cooperate with an external service provider for the collection of applications while establishing the ‘one stop’ principle for the presentation of applications, creates a derogation from the general rule of the personal appearance, as provided for in Part III, point 4, of the Common Consular Instructions. This is without prejudice to the possibility of calling the applicant for a personal interview and is also without prejudice to future legal instruments regulating these issues.
(12)
To ensure compliance with data protection requirements, the Working Party set up by Article 29 of Directive 95/46/EC has been consulted.
(13)
Directive 95/46/EC applies to the Member States with regard to the processing of personal data pursuant to this Regulation.
(14)
Member States should maintain the possibility for all applicants to lodge applications directly at their diplomatic missions or consular posts.
(15)
In order to facilitate the procedure of any subsequent application, it should be possible to copy fingerprints from the first entry into the VIS within a period of 59 months. Once this period of time has elapsed, the fingerprints should be collected again.
(16)
Due to the requirement to collect biometric identifiers, commercial intermediaries such as travel agencies should no longer be used for the first application but only for subsequent ones.
(17)
The Common Consular Instructions should therefore be amended accordingly.
(18)
The Commission should present a report on the implementation of this Regulation three years after the VIS is brought into operation and every four years thereafter.
(19)
Since the objectives of this Regulation, namely the organisation of the reception and the processing of applications in respect of the entry of biometric data into the VIS and the introduction of common standards and interoperable biometric identifiers and of common rules for all Member States participating in the Community’s common policy on visas, cannot be sufficiently achieved by the Member States and can therefore be better achieved at Community level, the Community may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
(20)
In accordance with Articles 1 and 2 of the Protocol on the position of Denmark, annexed to the Treaty on European Union and to the Treaty establishing the European Community, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis under the provisions of Title IV of Part Three of the Treaty establishing the European Community, Denmark shall, in accordance with Article 5 of that Protocol, decide within a period of six months after the date of adoption of this Regulation, whether it will implement it in its national law.
(21)
As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latter’s association with the implementation, application and development of the Schengen acquis (7) which fall within the area referred to in Article 1, point B, of Council Decision 1999/437/EC (8) on certain arrangements for the application of that Agreement.
(22)
This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis (9). The United Kingdom is therefore not taking part in its adoption and is not bound by it or subject to its application.
(23)
This Regulation constitutes a development of provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (10). Ireland is therefore not taking part in its adoption and is not bound by it or subject to its application.
(24)
As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (11), which fall within the area referred to in Article 1, point B, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (12).
(25)
As regards Liechtenstein, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Protocol signed between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement concluded between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, which fall within the area referred to in Article 1, point B, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/261/EC (13).
(26)
As regards Cyprus, this Regulation constitutes an act building upon the Schengen acquis or otherwise related to it within the meaning of Article 3(2) of the 2003 Act of Accession.
(27)
This Regulation constitutes an act building upon the Schengen acquis or otherwise related to it within the meaning of Article 4(2) of the 2005 Act of Accession,
HAVE ADOPTED THIS REGULATION:
Article 1
Amendments to the Common Consular Instructions
The Common Consular Instructions on visas for diplomatic missions and consular posts are hereby amended as follows:
1.
Part II shall be amended as follows:
(a)
In point 1.2(b) the following paragraphs shall be added:
‘A Member State may also represent one or more other Member States in a limited manner solely for the collection of applications and the enrolment of biometric identifiers. The relevant provisions of 1.2(c) and (e) shall apply. The collection and transmission of files and data to the represented Member State shall be carried out respecting the relevant data protection and security rules.
The represented Member State(s) shall ensure that the data are fully encrypted, whether electronically transferred or physically transferred on an electronic storage medium from the authorities of the representing Member State to the authorities of the represented Member State.
In third countries which prohibit encryption of data to be electronically transferred from the authorities of the representing Member State to the authorities of the represented Member State(s), the represented Members State(s) shall not allow the representing Member State to transfer data electronically.
In this case, the represented Member State(s) concerned shall ensure that the electronic data are transferred physically in fully encrypted form on an electronic storage medium from the authorities of the representing Member State to the authorities of the represented Member State(s) by a consular officer of a Member State or, where such a transfer would require disproportionate or unreasonable measures to be taken, in another safe and secure way, for example by using established operators experienced in transporting sensitive documents and data in the third country concerned.
In all cases the level of security for the transfer shall be adapted to the sensitive nature of the data.
The Member States or the Community shall endeavour to reach an agreement with the third countries concerned with the aim of lifting the prohibition against encryption of data to be electronically transferred between the authorities of the Member States concerned.’.
(b)
Point (d) shall be replaced by the following:
‘(d)
When uniform visas are issued pursuant to (a) and (b), the representation and limited representation shall be reflected in the table of representation for the issuing of uniform visas set out in Annex 18.’.
2.
Part III shall be amended as follows:
(a)
Point 1 shall be replaced by the following:
‘1. Visa applications
1.1. Visa application forms — number of application forms
Applicants shall also be required to fill in the uniform visa application form. Applications for a uniform visa must be made using the harmonised form, a specimen of which is given in Annex 16.
At least one copy of the application form shall be filled in so that it may be used during consultation with the central authorities. Member States may, in so far as national administrative procedures so require, request several copies of the application.
1.2. Biometric identifiers
(a) Member States shall collect biometric identifiers comprising the facial image and 10 fingerprints from the applicant in accordance with the safeguards laid down in the European Convention for the Protection of Human Rights and Fundamental Freedoms, in the Charter of Fundamental Rights of the European Union and in the United Nations Convention on the Rights of the Child.
At the moment of submission of the first application, the applicant shall be required to appear in person. At that time, the following biometric identifiers shall be collected:
—
a photograph, scanned or taken at the time of application, and
—
10 fingerprints taken flat and digitally collected.
Where fingerprints collected from the applicant regarding an earlier application were entered for the first time in the Visa Information System (VIS) less than 59 months before the date of the new application, they shall be copied to the subsequent application.
However, in case of reasonable doubt regarding the identity of the applicant, the diplomatic mission or consular post shall collect fingerprints within the period specified above.
Furthermore, if at the time when the application is lodged, it cannot be immediately confirmed that the fingerprints were collected within the period specified above, the applicant may request that they be collected.
In accordance with Article 9(5) of the VIS Regulation, the photograph attached to each application shall be entered in the VIS. The applicant shall not be required to appear in person for this purpose.
The technical requirements for the photograph shall be in accordance with the international standards as set out in ICAO Doc 9303 part 1, 6th edition.
Fingerprints shall be taken in accordance with ICAO standards and Commission Decision 2006/648/EC of 22 September 2006 laying down the technical specifications on the standards for biometric features related to the development of the Visa Information System (14).
The biometric identifiers shall be collected by qualified and duly authorised staff of the diplomatic mission or consular post and the authorities responsible for issuing visas at the borders. Under the supervision of the diplomatic missions or consular posts, the biometric identifiers may also be collected by qualified and duly authorised staff of an honorary consul or of an external service provider referred to in Part VII, points 1.3 and 1.4.
The data shall be entered in the VIS only by duly authorised consular staff in accordance with Articles 6(1), 7, 9(5) and 9(6) of the VIS Regulation.
Member States shall ensure that full use is made of all search criteria under Article 15 of the VIS Regulation in order to avoid false rejections and identifications.
(b) Exceptions
The following applicants shall be exempt from the requirement to give fingerprints:
—
children under the age of 12,
—
persons for whom fingerprinting is physically impossible. If the fingerprinting of less than 10 fingers is possible, the respective number of fingerprints shall be taken. However, should the impossibility be temporary, the applicant shall be required to give the fingerprints at the following application. Diplomatic missions or consular posts and authorities responsible for issuing visas at the borders shall be entitled to ask for further clarification on the grounds of the temporary impossibility. Member States shall ensure that appropriate procedures guaranteeing the dignity of the applicant are in place in the event of there being difficulties in enrolling. The fact that fingerprinting is physically impossible shall not influence the grant or refusal of a visa,
—
heads of State or government and members of the national government with accompanying spouses, and the members of their official delegation when they are invited by Member States’ governments or by international organisations for an official purpose,
—
sovereigns and other senior members of a royal family, when they are invited by Member States’ governments or by international organisations for an official purpose.
In each of these cases, the entry “not applicable” shall be introduced in the VIS.
(b)
The following point shall be added:
‘5. Conduct of staff
Member States’ diplomatic missions or consular posts shall ensure that applicants are received courteously.
Consular staff shall, in the performance of their duties, fully respect human dignity. Any measures taken shall be proportionate to the objectives pursued by such measures.
While performing their tasks, consular staff shall not discriminate against persons on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.’.
3.
Point 1 of Part VII shall be amended as follows:
‘1. Organisation of visa sections
1.1. Organisation of the reception and processing of visa applications
Each Member State shall be responsible for organising the reception and processing of applications. In principle, applications shall be lodged at a diplomatic mission or consular post of a Member State.
Member States shall:
—
equip their diplomatic missions or consular posts and authorities responsible for issuing visas at the borders with the required material for the collection of biometric identifiers, as well as the offices of their honorary consuls, whenever they make use of them, to collect biometric identifiers in accordance with point 1.3, and/or
—
cooperate with one or more other Member States, within the framework of local consular cooperation or by other appropriate contacts, in the form of limited representation, co-location, or a Common Application Centre, in accordance with point 1.2.
In particular circumstances or for reasons relating to the local situation, such as where:
—
the high number of applicants does not allow the collection of applications and of data to be organised in a timely manner and in decent conditions, or
—
it is not possible to ensure a good territorial coverage of the third country concerned in any other way,
and where the abovementioned forms of cooperation prove not to be appropriate for the Member State concerned, a Member State may, as a last resort, cooperate with an external service provider in accordance with point 1.4.
Without prejudice to the right to call the applicant for a personal interview, as provided for in Part III, point 4, the selection of a form of organisation shall not result in requiring the applicant to make personal appearances at more than one location in order to lodge an application.
1.2. Forms of cooperation between Member States
(a)
Where “co-location” is chosen, staff of the diplomatic missions or consular posts of one or more Member States shall process the applications (including biometric identifiers) addressed to them at the diplomatic mission or consular post of another Member State and share the equipment of that Member State. The Member States concerned shall agree on the duration of and conditions for the termination of the co-location as well as the proportion of the visa fee to be received by the Member State whose diplomatic mission or consular post is being used.
(b)
Where “Common Application Centres” are established, staff of the diplomatic missions or consular posts of two or more Member States shall be pooled in one building in order to receive the applications (including biometric identifiers) addressed to them. Applicants shall be directed to the Member State responsible for the processing of the application. Member States shall agree on the duration of and conditions for the termination of this cooperation as well as the cost-sharing among the participating Member States. One Member State shall be responsible for contracts in relation to logistics and diplomatic relations with the host country.
1.3. Recourse to honorary consuls
Honorary consuls may also be authorised to perform some or all of the tasks referred to in point 1.5. Adequate measures shall be taken to guarantee security and data protection.
Where the honorary consul is not a civil servant of a Member State, the performance of those tasks shall comply with the requirements set out in Annex 19 except for the provisions in point C(c) of that Annex.
Where the honorary consul is a civil servant of a Member State, the Member State concerned shall ensure that requirements comparable to those which would apply if the tasks were performed by its diplomatic mission or consular post are applied.
1.4. Cooperation with external service providers
Member States shall endeavour to cooperate with an external service provider together with one or more Member States, without prejudice to public procurement and competition rules.
Cooperation with an external service provider shall be based on a legal instrument that shall comply with the requirements set out in Annex 19.
Member States shall, within the framework of local consular cooperation, exchange information about the selection of external service providers and the establishment of the terms and conditions of their respective legal instruments.
1.5. Types of cooperation with external service providers
An external service provider may be entrusted with the performance of one or more of the following tasks:
(a)
providing general information on visa requirements and application forms;
(b)
informing the applicant of the required supporting documents, on the basis of a checklist;
(c)
collecting data and applications (including collection of biometric identifiers) and transmitting the application to the diplomatic mission or consular post;
(d)
collecting the fee to be charged;
(e)
managing the appointments for personal appearance at the diplomatic mission or consular post or at the external service provider;
(f)
collecting the travel documents (including a refusal notification if applicable) from the diplomatic mission or consular post and returning them to the applicant.
1.6. Obligations of Member States
When selecting an external service provider, the Member State(s) concerned shall scrutinise the solvency and reliability of the company (including the necessary licences, commercial registration, company statutes, bank contracts) and ensure that there is no conflict of interests.
The Member State(s) concerned shall ensure that the external service provider selected complies with the terms and conditions assigned to it in the legal instrument referred to in point 1.4.
The Member State(s) concerned shall remain responsible for compliance with data protection rules for the processing of data and shall be supervised in accordance with Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (15).
Cooperation with an external service provider shall not limit or exclude any liability arising under the national law of the Member State(s) concerned for breaches of obligations with regard to the personal data of applicants and the processing of visas. This provision is without prejudice to any action which may be taken directly against the external service provider under the national law of the third country concerned.
The Member State(s) concerned shall ensure that the data are fully encrypted, whether electronically transferred or physically transferred on an electronic storage medium from the external service provider to the authorities of the Member State(s) concerned.
In third countries which prohibit encryption of data to be electronically transferred from the external service provider to the authorities of the Member State(s) concerned, the Members State(s) concerned shall not allow the external service provider to transfer data electronically.
In this case, the Member State(s) concerned shall ensure that the electronic data are transferred physically in fully encrypted form on an electronic storage medium from the external service provider to the authorities of the Member State(s) concerned by a consular officer of a Member State or, where such a transfer would require disproportionate or unreasonable measures to be taken, in another safe and secure way, for example by using established operators experienced in transporting sensitive documents and data in the third country concerned.
In all cases the level of security for the transfer shall be adapted to the sensitive nature of the data.
The Member States or the Community shall endeavour to reach an agreement with the third countries concerned with the aim of lifting the prohibition against encryption of data to be electronically transferred from the external service provider to the authorities of the Member State(s) concerned.
The Member State(s) concerned shall provide training to the external service provider, corresponding to the knowledge needed to offer appropriate service and sufficient information to applicants.
The Member State(s) concerned shall, in case of doubt, provide for the possibility of verifying at the diplomatic mission or consular post fingerprints which have been taken by the external service provider.
The examination of applications, interviews, where appropriate, the authorisation process and the printing and affixing of visa stickers shall be carried out only by the diplomatic mission or consular post.
External service providers shall not have access to the VIS under any circumstances. Access to the VIS shall be reserved exclusively to duly authorised staff of diplomatic missions or consular posts.
The Member State(s) concerned shall closely monitor the implementation of the legal instrument referred to in point 1.4, including:
(a)
the general information on visa requirements and application forms provided by the external service provider to applicants;
(b)
all the technical and organisational security measures required to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the cooperation involves the transmission of files and data to the diplomatic mission or consular post of the Member State(s) concerned, and all other unlawful forms of processing the personal data;
(c)
the collection and transmission of biometric identifiers;
(d)
the measures taken to ensure compliance with data protection provisions.
To this end, the diplomatic mission or consular post of the Member State(s) concerned shall, on a regular basis, carry out unannounced checks on the premises of the external service provider.
1.7. Service fee
External service providers may charge a service fee in addition to the fee to be charged as set out in Annex 12. The service fee shall be proportionate to the costs incurred by the external service provider while performing one or more of the tasks referred to in point 1.5.
This service fee shall be specified in the legal instrument referred to in point 1.4.
In the framework of local consular cooperation, Member States shall ensure that the service fee charged to an applicant duly reflects the services offered by the external service provider and is adapted to local circumstances. Furthermore, they shall aim to harmonise the service fee applied.
The service fee shall not exceed half of the amount of the visa fee set out in Annex 12, irrespective of the possible exemptions from the visa fee as provided for by Annex 12.
The Member State(s) concerned shall maintain the possibility for all applicants to lodge applications directly at its diplomatic missions or consular posts.
1.8. Information
Precise information on the means of obtaining an appointment and submitting an application shall be displayed by Member States’ diplomatic missions and consular posts for the general public.
1.9. Continuity of service
In the event of termination of cooperation with other Member States or with any type of external service provider, Member States shall assure the continuity of full service.
1.10. Decision and publication
Member States shall inform the Commission of how they intend to organise the reception and processing of applications in each consular location. The Commission shall ensure appropriate publication.
Member States shall provide the Commission with a copy of the legal instrument referred to in point 1.4.
4.
Point 5.2 of Part VIII shall be amended as follows:
(a)
the title shall be replaced by the following:
(b)
the following sentence shall be inserted between the title and point 5.2(a):
‘For subsequent applications under Part III, point 1.2, Member States may allow their diplomatic missions or consular posts to cooperate with commercial intermediaries (i.e. private administrative agencies and transport or travel agencies, such as tour operators and retailers).’.
5.
The following Annex shall be added:
‘ANNEX 19
List of minimum requirements to be included in the legal instrument in the case of cooperation with external service providers
A.
In relation to the performance of its activities, the external service provider shall, with regard to data protection:
(a)
prevent at all times any unauthorised reading, copying, modification or deletion of data, in particular during their transmission to the diplomatic mission or consular post of the Member State(s) responsible for processing an application;
(b)
in accordance with the instructions given by the Member State(s) concerned, transmit the data:
—
electronically, in encrypted form, or
—
physically, in a secured way;
(c)
transmit the data as soon as possible:
—
in the case of physically transferred data, at least once a week,
—
in the case of electronically transferred encrypted data, at the latest at the end of the day of their collection;
(d)
delete the data immediately after their transmission and ensure that the only data that might be retained shall be the name and contact details of the applicant for the purposes of the appointment arrangements, as well as the passport number, until the return of the passport to the applicant, where applicable;
(e)
ensure all the technical and organisational security measures required to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the cooperation involves the transmission of files and data to the diplomatic mission or consular post of the Member State(s) concerned and all other unlawful forms of processing the personal data;
(f)
process the data only for the purposes of processing the personal data of applicants on behalf of the Member State(s) concerned;
(g)
apply data protection standards at least equivalent to those set out in Directive 95/46/EC;
(h)
provide applicants with the information required under Article 37 of the VIS Regulation.
B.
In relation to the performance of its activities, the external service provider shall, with regard to the conduct of staff:
(a)
ensure that its staff are appropriately trained;
(b)
ensure that its staff in the performance of their duties:
—
receive applicants courteously,
—
respect the human dignity and integrity of applicants,
—
do not discriminate against persons on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation, and
—
respect the rules of confidentiality which shall also apply once members of staff have left their job or after suspension or termination of the legal instrument;
(c)
provide identification of the staff working in the company at all times;
(d)
prove that its staff do not have criminal records and have the requisite expertise.
C.
In relation to the verification of the performance of its activities, the external service provider shall:
(a)
provide for access by staff entitled by the Member State(s) concerned to its premises at all times without prior notice, in particular for inspection purposes;
(b)
ensure the possibility of remote access to its appointment system for inspection purposes;
(c)
ensure the use of relevant monitoring methods (e.g. test applicants; webcam);
(d)
ensure access to proof of data protection compliance, including reporting obligations, external audits and regular spot checks;
(e)
report to the Member State(s) concerned without delay any security breaches or any complaints from applicants on data misuse or unauthorised access, and coordinate with the Member State(s) concerned in order to find a solution and give explanatory responses promptly to the complaining applicants.
D.
In relation to general requirements, the external service provider shall:
(a)
act under the instructions of the Member State(s) responsible for processing the application;
(b)
adopt appropriate anti-corruption measures (e.g. provisions on staff remuneration; cooperation in the selection of staff members employed on the task; two-man rule; rotation principle);
(c)
respect fully the provisions of the legal instrument, which shall contain a suspension or termination clause, in particular in the event of breach of the rules established, as well as a revision clause with a view to ensuring that the legal instrument reflects best practices.’.
Article 2
Reporting
The Commission shall present, three years after the VIS is brought into operation and every four years thereafter, a report to the European Parliament and to the Council on the implementation of this Regulation, including the implementation of the collection and use of biometric identifiers, the suitability of the ICAO standard chosen, compliance with data protection rules, experience with external service providers with specific reference to the collection of biometric data, the implementation of the 59-month rule for the copying of fingerprints and the organisation of the reception and processing of applications. The report shall also include, on the basis of Article 17(12), (13) and (14) and of Article 50(4) of the VIS Regulation, the cases in which fingerprints could factually not be provided or were not required to be provided for legal reasons, compared with the number of cases in which fingerprints were taken. The report shall include information on cases in which a person who could factually not provide fingerprints was refused a visa. The report shall be accompanied, where necessary, by appropriate proposals to amend this Regulation.
The first report shall also address the issue of the sufficient reliability for identification and verification purposes of fingerprints of children under the age of 12 and, in particular, how fingerprints evolve with age, based on the results of a study carried out under the responsibility of the Commission.
Article 3
Entry into force
This Regulation shall enter into force on the day following its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States in accordance with the Treaty establishing the European Community.
Done at Strasbourg, 23 April 2009.
For the European Parliament
The President
H.-G. PÖTTERING
For the Council
The President
P. NEČAS
(1) OJ C 321, 29.12.2006, p. 38.
(2) Opinion of the European Parliament of 10 July 2008 (not yet published in the Official Journal), Council Common Position of 5 March 2009 (not yet published in the Official Journal) and Position of the European Parliament of 25 March 2009 (not yet published in the Official Journal).
(3) OJ L 213, 15.6.2004, p. 5.
(4) OJ L 218, 13.8.2008, p. 60.
(5) OJ C 326, 22.12.2005, p. 1.
(6) OJ L 281, 23.11.1995, p. 31.
(7) OJ L 176, 10.7.1999, p. 36.
(8) OJ L 176, 10.7.1999, p. 31.
(9) OJ L 131, 1.6.2000, p. 43.
(10) OJ L 64, 7.3.2002, p. 20.
(11) OJ L 53, 27.2.2008, p. 52.
(12) OJ L 53, 27.2.2008, p. 1.
(13) OJ L 83, 26.3.2008, p. 3.
(14) OJ L 267, 27.9.2006, p. 41.’.
(15) OJ L 281, 23.11.1995, p. 31.’.