wk00217en19.pdf
This document is part of the request "Working Party on Information Exchange and Data Protection (DAPIX) in 2019"
Updated 11.01.2019
[…] means that there will be no text in this line - 'DS' means drafting session with EP and COM - 'TM' means technical meeting with EP and COM
Amended Commission EP Council negotiation mandate proposal amendments (ST 11312/18) Compromise text proposals (ST 10178/18)
such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated.
that the data subject is non-identifiable, and shall record such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated. No access by eu-LISA staff shall be granted to any personal data stored in the Union information systems or in the interoperability components. The data contained in CRRS shall not allow for the identification of individuals.
such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated.
data anonymous and shall record such anonymous data in the CRRS. The process for rendering the data anonymous shall be automated. The data contained in CRRS shall not allow for the identification of individuals.
4. The CRRS shall be composed of:
4. The CRRS shall be composed of:
4. The CRRS shall be composed of:
Provisionally agreed
4. The CRRS shall be composed of:
(-a) the tools necessary for anonymising data;
Provisionally agreed
(-a) the tools necessary for anonymising data;
(a) a central infrastructure, consisting of a data repository enabling the rendering of anonymous data;
Provisionally agreed
(a) a central infrastructure, consisting of a data repository enabling the rendering of
504. 505. 506.
(a) a central infrastructure, consisting of a data repository enabling the rendering of anonymous data;
(a) a central infrastructure, consisting of a data repository and a mechanism that ensures for the data to be rendered enabling the rendering of
anonymous data before it is stored in CRRS;
507.
(b) a secure communication infrastructure to connect the CRRS to the EES, [the ETIAS], the VIS and the SIS, as well as the central infrastructures of the shared BMS, the CIR and the MID.
508.
5. The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
anonymous data;
(b) a secure communication infrastructure to connect the CRRS to the EES, [the ETIAS], the VIS and the SIS, as well as the central infrastructures of the shared BMS, the CIR and the MID.
(b) a secure communication infrastructure to connect the CRRS to the EES, the VIS, [the ETIAS], the VIS and the SIS, as well as the central infrastructures of the shared BMS, the CIR and the MID.
Provisionally agreed
(b) a secure communication infrastructure to connect the CRRS to the EES, the VIS, [the ETIAS], the VIS and the SIS, as well as the central infrastructures of the shared BMS, the CIR and the MID.
5. The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of a delegated act implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2) 63.
5. The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
Provisionally agreed - outcome of trilogue 13/12
5. The Commission shall lay down detailed rules on the operation of the CRRS, including specific safeguards for processing of personal data referred to under paragraph 2 and 3 and security rules applicable to the repository by means of a delegated act implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2) 63.
509.
CHAPTER VII Data protection
CHAPTER VII Data protection
CHAPTER VII Data protection
CHAPTER VII Data protection
510.
Article 40 Data controller
Article 40 Data controller
Article 40 Data controller
Article 40 Data controller
511.
1. In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the VIS, EES, and SIS respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMS.
1. In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the VIS, EES, and SIS respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 or Article 3(8) of Directive (EU) 2016/680 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMS. In relation to information security management of the shared BMS, eu-LISA shall be considered a
1. In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the VIS, EES, the VIS and SIS respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 or Article 3(8) of Directive (EU) 2016/680 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMS.
Provisionally agreed
1. In relation to the processing of data in the shared biometric matching service (shared BMS), the Member State authorities that are controllers for the VIS, EES, the VIS and SIS respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 or Article 3(8) of Directive (EU) 2016/680 in relation to the biometric templates obtained from the data referred to in Article 13 that they enter into respective systems and shall have responsibility for the processing of the biometric templates in the shared BMS.
NB: See also line 516
controller.
512.
2. In relation to the processing of data in the common identity repository (CIR), the Member State authorities that are controllers for the VIS, EES and [ETIAS], respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to data referred to in Article 18 that they enter into respective systems and shall have responsibility for the processing of that personal data in the CIR.
513.
3. In relation to the processing of data in the multiple-identity detector:
514.
(a) the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(b) of Regulation No 45/2001 in
2. In relation to the processing of data in the common identity repository (CIR), the Member State authorities that are controllers for the VIS, EES and [ETIAS], respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to data referred to in Article 18 that they enter into respective systems and shall have responsibility for the processing of that personal data in the CIR.
2. In relation to the processing of data in the common identity repository (CIR), the Member State authorities that are controllers for the VIS, EES, the VIS and [ETIAS], respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to data referred to in Article 18 that they enter into respective systems and shall have responsibility for the processing of that personal data in the CIR.
Provisionally agreed
2. In relation to the processing of data in the common identity repository (CIR), the Member State authorities that are controllers for the VIS, EES, the VIS and [ETIAS], respectively, shall also be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 in relation to data referred to in Article 18 that they enter into respective systems and shall have responsibility for the processing of that personal data in the CIR.
3. In relation to the processing of data in the multiple-identity detector:
3. In relation to the processing of data in the multiple-identity detector (MID):
Provisionally agreed
3. In relation to the processing of data in the multiple-identity detector (MID):
(a) the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(b) 2(d) of Regulation (EC) No 45/2001
(a) the European Border and Coast Guard Agency shall be considered a data controller in accordance with Article 2(b)(d) of Regulation No 45/2001 [or
Provisionally agreed
(a) the European Border and Coast Guard Agency shall be considered a data controller in
relation to processing of personal data by the ETIAS Central Unit;
515.
(b) the Member State authorities adding or modifying the data in the identity confirmation file are also to be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 and shall have responsibility for the processing of the personal data in the multiple-identity detector;
in relation to processing of personal data by the ETIAS Central Unit;
Article 3(2)(b) of Regulation XX/2018 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC] in relation to the processing of personal data by the ETIAS Central Unit;
accordance with Article 2(b)(d) of Regulation No 45/2001 [or Article 3(2)(b) of Regulation XX/2018 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC] in relation to the processing of personal data by the ETIAS Central Unit;
(b) the Member State authorities adding or modifying the data in the identity confirmation file are also to be considered as controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 and shall have responsibility for the processing of the personal data in the multiple-identity detector;
(b) the Member State authorities adding or modifying the data in the identity confirmation file are also to be considered as shall be controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 or Article 3(8) of Directive (EU) 2016/680 and shall have responsibility for the processing of the personal data in the
Provisionally agreed
(b) the Member State authorities adding or modifying the data in the identity confirmation file are also to be considered as shall be controllers in accordance with Article 4(7) of Regulation (EU) 2016/679 or Article 3(8) of Directive (EU) 2016/680 and shall have responsibility for the processing of the personal data in
multiple-identity detector MID;.
Presidency compromise proposal (to be tested with MS)
4. For the purposes of data protection monitoring, including checking the admissibility of a query and the lawfulness of data processing, the data controllers shall have access to the logs referred to in Articles 10, 16, 24 and 36 for self-monitoring as referred to in Article 45.
3a. In relation to information security management of the interoperability components eu-LISA shall be considered a data controller in accordance with Regulation (EC) No 45/2001.
516.
the multiple-identity detector MID;
517.
Article 41 Data processor
Article 41 Data processor
Article 41 Data processor
Article 41 Data processor
518.
In relation to the processing of personal data in the CIR, eu-LISA is to be considered the data processor in accordance with Article 2(e) of Regulation (EC) No 45/2001.
In relation to the processing of personal data in the shared BMS, the CIR and the MID, eu-LISA is to be considered the data processor in accordance with Article 2(e) of Regulation (EC) No 45/2001.
In relation to the processing of personal data in the shared BMS, the CIR and the MID, eu-LISA shall is to be considered the data processor in accordance with Article 2(e) of Regulation (EC) No 45/2001 [or Article 3(1)(a) of Regulation XX/2018 of the European Parliament and of the Council on the protection of
Provisionally agreed
In relation to the processing of personal data in the shared BMS, the CIR and the MID, eu-LISA shall is to be considered the data processor in accordance with Article 2(e) of Regulation (EC) No 45/2001 [or Article 3(1)(a) of Regulation XX/2018 of the European Parliament and
individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC].
of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC].
Article 42 Security of processing
519.
Article 42 Security of processing
Article 42 Security of processing
Article 42 Security of processing
520.
1. Both eu-LISA and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA, [the ETIAS Central Unit] and the Member State authorities shall cooperate on security-related tasks.
1. Both eu-LISA, and the Member State authorities and Europol shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA, shall be responsible for the [the ETIAS central Unit] infrastructure of the interoperability components and Member States shall be responsible for the parts referred to in Article 54. eu-LISA, [the European Border and Coast Guard Agency], Europol and the Member State authorities shall
1. Both eu-LISA, [the ETIAS Central Unit], Europol and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA, [the ETIAS Central Unit], Europol and the Member State authorities shall cooperate on security-related tasks.
Provisionally agreed
1. Both eu-LISA, the ETIAS Central Unit, Europol and the Member State authorities shall ensure the security of the processing of personal data that takes place pursuant to the application of this Regulation. eu-LISA, [the ETIAS Central Unit], Europol and the Member State authorities shall cooperate on security-related tasks.
cooperate on security-related tasks.
521. 522.
2. Without prejudice to Article 22 of Regulation (EC) No 45/2001, eu-LISA shall take the necessary measures to ensure the security of the interoperability components and their related communication infrastructure.
2. Without prejudice to Article 22 of Regulation (EC) No 45/2001, eu-LISA shall take the necessary measures to ensure the security of the interoperability components and their related communication infrastructure.
2. Without prejudice to Article 22 of Regulation (EC) No 45/2001 [or Article 33 of Regulation XX/2018 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC], eu-LISA shall take the necessary measures to ensure the security of the interoperability components and their related communication infrastructure.
Provisionally agreed
2. Without prejudice to Article 22 of Regulation (EC) No 45/2001 [or Article 33 of Regulation XX/2018 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC], eu-LISA shall take the necessary measures to ensure the security of the interoperability components and their related communication infrastructure.
3. In particular, eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in
3. In particular, eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in
3. In particular, eu-LISA shall adopt the necessary security measures, including a security plan, a business continuity plan and a disaster recovery plan, in
Presidency compromise proposal (to be tested by MS)
3. In particular, eu-LISA shall adopt the necessary security
523.
order to:
order to:
order to:
measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:
NB: the chapeau of Article 59(3) ETIAS Regulation does not mention "security" measures
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
Presidency compromise proposal (to be tested by MS)
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
NB: Article 59(3)(a) ETIAS Regulation includes the word 'physically'
525.
Outcome DS 8/1
(aa) deny unauthorised persons access to data-processing equipment and installations;
NB: same text as in Article 59(3)(c) ETIAS Regulation
(aa) deny unauthorised persons access to data-processing equipment and installations;
524.
(b) prevent the unauthorised reading, copying, modification or
(b) prevent the unauthorised reading, copying, modification or
(b) prevent the unauthorised reading, copying, modification or
Provisionally agreed
removal of data media;
526.
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;
527.
(d) prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;
removal of data media;
(b) prevent the unauthorised reading, copying, modification or removal of data media;
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;
Provisionally agreed
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of recorded personal data;
(d) prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;
(d) prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;
Provisionally agreed
(d) prevent the unauthorised processing of data and any unauthorised copying, modification or deletion of data;
Outcome DS 8/1
(da) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;
NB: same text as in Article 59(3)(f) ETIAS Regulation
(da) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment;
528. 529.
removal of data media;
(e) ensure that persons authorised to access the
(e) ensure that persons authorised to access the
(e) ensure that persons authorised to access the
Provisionally agreed
(e) ensure that persons