(Codecision procedure: first reading)

The European Parliament,

–   having regard to the Commission proposal to the European Parliament and the Council (COM(2006)0269),

–   having regard to Article 251(2) and Article 62 (2) (b) (ii) of the EC Treaty, pursuant to which the Commission submitted the proposal to Parliament (C6-0166/2006),

–   having regard to Rule 51 of its Rules of Procedure,

–   having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A6-0459/2007),

1.  Approves the Commission proposal as amended;

2.  Calls on the Commission to refer the matter to Parliament again if it intends to amend the proposal substantially or replace it with another text;

3.  Instructs its President to forward its position to the Council and the Commission.

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty establishing the European Community, and in particular Article 62 (2) b) ii) thereof,

Having regard to the proposal from the Commission║,

Acting in accordance with the procedure laid down in Article 251 of the Treaty(1),

Whereas:

(1)  To ensure reliable verification and identification of visa applicants it is necessary to process biometric data in the Visa Information System (VIS) established by Council Decision 2004/512/EC(2) and to provide for a legal framework for the capturing of these biometric identifiers. Furthermore, the implementation of the VIS requires new forms of organisation for the reception of applications for visas.

(2)  The integration of biometric identifiers in the VIS is an important step towards the use of new elements, which establish a more reliable link between the visa holder and the passport in order to avoid the use of false identities. Therefore the personal appearance of the visa applicant -at least for the first application- should be one of the basic requirements for issuing a visa with the registration of biometric identifiers in the VIS.

(3)  ▌Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)(3) provides that fingerprints and photographs of the applicant should be stored in the VIS. This Regulation defines the standards for the collection of these biometric identifiers by referring to the relevant provisions set out by the International Civil Aviation Organisation (ICAO). No further technical specifications are required in order to ensure interoperability.

(4)   The reception arrangements for applicants should be made with due respect for human dignity and integrity. The processing of visa applications should be conducted in a professional and respectful manner and be proportionate to the objectives pursued.

(5)  In order to facilitate the registration of visa applicants and to reduce the costs for Member States new organisational possibilities need to be envisaged in addition to the existing framework of "representation". Firstly a specific type of representation limited to the reception of visa applications and enrolment of biometric identifiers should be added to the Common Consular Instructions.

(6)  Other options such as co-location, common application centres and outsourcing should be introduced. An appropriate legal framework for these options should be established, taking into account in particular data protection issues. In order to ensure the integrity of the visa issuing process, any activity related to the issuing of visas, including the collection of biometric data, should take place on the premises of a Member State which enjoy diplomatic or consular protection under international law or on European Commission premises recognised by the host State as inviolable. Under the legal framework established, Member States should be free in accordance with the conditions laid down in this Regulation to determine which type of organisational structure they will use in each third country. Details of those structures should be published by the Commission on a common Schengen visa internet site.

(7)  When organising co-operation, Member States should ensure that the applicant is directed to the Member State responsible for the processing of his/her application.

(8)  Since the issuing of visas is by its very nature a public task, any decision taken by the central authorities of a Member State to outsource part of the visa handling process to an external service provider should be taken only if no other possibility exists and if it is duly justified. Such arrangements should be established in strict compliance with the general principles for issuing visas, respecting the data protection requirements set out in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(4).

(9)  Any contract that a Member State concludes with an external service provider should contain provisions on: the provider's exact responsibilities; direct and total access to its premises; information for applicants; confidentiality; compliance with data protection rules; and circumstances, conditions and procedures for suspending or terminating the contract. Member States should take appropriate measures to ensure that their contracts with external service providers are enforceable.

(10)   Member States should aim to organise the receipt of visa applications, the enrolment of biometric identifiers and the interview in such a way that the visa applicant is required to appear only once in person (one-stop-shop principle) in order to obtain a visa.

(11)  The European Data Protection Supervisor has issued an opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data(5) and the Article 29 Working Party in accordance with Article 30(1)(c) of Directive 95/46/EC.

(12)   Directive 95/46/EC applies to the processing of personal data in application of this Regulation. However, certain points should be clarified, in particular in respect of the responsibility for the processing of data, of safeguarding the rights of the data subjects and of the supervision of data protection.

(13)  Member States should be able to allow certain categories of applicants or all applicants direct access to their consular offices or diplomatic missions for humanitarian or other reasons.

(14)  In order to facilitate the procedure of any subsequent application, it should be possible to copy biometric data from the first application within a period of 59 months from the start of the retention period provided for in Article 23 of the VIS Regulation. Once this period of time has elapsed, the biometric identifiers should be captured again.

(15)  Owing to the requirement to capture biometric identifiers, commercial intermediaries such as travel agencies should no longer be used for the first application but only for the subsequent ones.

(16)  The Common Consular Instructions on visas for diplomatic missions and consular posts should therefore be amended accordingly.

(17)  The Commission should present a report on the implementation of this Regulation three years after the VIS is brought into operation and every four years thereafter, covering the implementation of the enrolment of biometric identifiers, the appropriateness of the ICAO standard chosen, compliance with data protection rules, experience with external service providers with specific reference to the collection of biometric data, the principle of the "first application" and the organisation of the reception and the processing of visa applications. The report should also include, on the basis of Article 17 (12), (13) and (14) and Article 50(4) of the VIS Regulation, the cases in which fingerprints could factually not be provided or were not required to be provided for legal reasons compared with the cases in which fingerprints are taken. The report should include information on cases in which a person who could factually not provide fingerprints was refused a visa. The report should be accompanied, where necessary, by appropriate proposals to amend this Regulation. The Commission should transmit the report to the European Parliament and the Council.

(18)  Since the objective of this Regulation, namely the organisation of the receipt and processing of visa applications in respect of the insertion of biometric data in the VIS, cannot be sufficiently achieved by the Member States and can therefore be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

▌

(19)   This Regulation respects fundamental rights and observes the principles recognised in particular by the European Convention for the Protection of Human Rights and Fundamental Freedoms, by the Charter of Fundamental Rights of the European Union and by the United Nations Convention on the Rights of the Child.

(20)  In accordance with Articles 1 and 2 of the Protocol on the position of Denmark annexed to the Treaty on European Union and to the Treaty establishing the European Community, Denmark is not taking part in the adoption of this Regulation, and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis under the provisions of Title IV of Part Three of the Treaty establishing the European Community, Denmark shall, in accordance with Article 5 of the said Protocol, decide within a period of six months after the Council has adopted this Regulation, whether it will implement it in its national law.

(21)  As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis which fall within the area referred to in Article 1, point B of Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of that Agreement(6).

(22)  This Regulation constitutes a development of provisions of the Schengen acquis in which the United Kingdom does not take part, in accordance with Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis(7). The United Kingdom is therefore not taking part in its adoption and is not bound by it or subject to its application.

(23)  This Regulation constitutes a development of provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis(8). Ireland is therefore not taking part in its adoption and is not bound by it or subject to its application.

(24)  As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation concerning the Swiss Confederation's association with the implementation, application and development of the Schengen acquis which fall within the area referred to in Article 4 (1) of Council Decision 2004/860/EC of 25 October 2004 on the signing, on behalf of the European Community, and on the provisional application of certain provisions of that Agreement(9).

(25)  This Regulation constitutes an act building on the Schengen acquis or otherwise related to it within the meaning of Article 3(2) of the 2003 Act of Accession,

HAVE ADOPTED THIS REGULATION:

Article 1

The Common Consular Instructions on visas for diplomatic missions and consular posts are hereby amended as follows:

(1)  In Point II, point 1.2 shall be amended as follows:

(a)  In point (b) the following paragraph shall be added:"

A Member State may also represent one or more other Member States solely for the reception of applications and the enrolment of biometric identifiers. The relevant provisions of points 1.2 (c) and (e) shall apply. Where it receives an application, the representing Member State shall create the application file in the VIS and insert the data referred to in Article 9 of the VIS Regulation*. It shall then inform the consular post of the represented Member State of the application and the VIS entry through the VIS communication infrastructure as provided for in Article 16 of the VIS Regulation. The reception and transmission of files and data to the represented consular post shall be carried out in compliance with the relevant data protection and security rules.

____________________

* Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information system (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).

(b)  Point (d) shall be replaced by the following:"

When uniform visas are issued pursuant to points (a) and (b), the representation shall be reflected in the table of representation for the issuing of uniform visas set out in Annex 18.

(2)   In Point III, point -1 shall be added:"

Conduct of staff involved in visa applications

Member States shall ensure that applicants are received courteously by all staff involved in visa applications.

All staff shall, in the performance of their duties, fully respect the human dignity and integrity of the applicant. Any measures taken shall be proportionate to the objectives pursued.

While performing their tasks, staff shall not discriminate against persons on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation.

(3)  In Point III, point 1 shall be replaced by the following:"

1.  1 Visa application forms - number of application forms

Applicants shall also be required to fill in the uniform visa form. Applications for a uniform visa must be made using the harmonised form, a specimen of which is given in Annex 16.

At least one copy of the application form must be filled in so that it may be used during consultation with the central authorities. The Contracting Parties may, insofar as national administrative procedures so require, request several copies of the application.

1.2.  Biometric identifiers

a)  Member States shall collect biometric identifiers comprising the facial image and ten fingerprints from the applicant respecting the rights laid down in the European Convention for the Protection of Human Rights and Fundamental Freedoms, in the Charter of Fundamental Rights of the European Union and in the United Nations Convention on the Rights of the Child.

For any subsequent application, within 59 months from the start of the retention period provided for in Article 23 of the VIS Regulation, the biometric identifiers shall be copied from the first application. After this period a subsequent application shall be considered as a "first application

The technical requirements for the photograph and the fingerprints shall be in accordance with the international standards as set out in ICAO Document 9303, Part 1 (Passports) Sixth Edition*.

The biometric identifiers shall be taken by qualified and duly authorised staff of the diplomatic mission or consular post or, under their supervision and responsibility, of the external service provider referred to in point 1.B.

The data shall be entered in the VIS only by the duly authorised consular staff referred to in Article 4(1), in accordance with Article 5 of the VIS Regulation.

Member States shall ensure that full use is made of all search criteria under Article 13 of the VIS Regulation in order to avoid false rejections and identifications.

The collection of biometric identifiers, including their transmission from the service provider to the responsible consular post, shall be supervised in accordance with Articles 41 and 43 of the VIS Regulation and Article 28 of the Directive 95/46/EC of the European Parliament and of the Council **.

b)  Exemptions

The fact that fingerprinting is physically impossible shall not influence the grant or refusal of a visa.

A Member State may provide for exemptions from the requirement to collect biometric identifiers for holders of diplomatic passports, service/official passports and special passports.

In each of these cases an entry "not applicable" shall be introduced in the VIS.

Without prejudice to the provisions of Point III.4, for persons under the age of 12, scanned photographs shall be used which do not require them to appear in person.

The exemption from the requirement to give fingerprints for children, and in particular the age range for the taking of fingerprints, shall be reviewed three years after the start of operation of the VIS. To this end the Commission shall present a report which shall in particular cover the experience of the VIS with regard to the taking and use of fingerprints from children aged 12 and over and a detailed technical assessment of the reliability of taking and using the fingerprints of children under the age of 12 for identification and verification purposes in a large-scale database such as the VIS. The report shall incorporate an extended impact assessment of lower and higher age limits for requiring fingerprints, including social, ergonomic and financial aspects.

The report shall make a similar assessment as regards the taking of fingerprints from the elderly. Should the report show significant problems with taking fingerprints of persons over a certain age, the Commission shall make a proposal to impose an upper age limit.

The report shall be accompanied, where necessary, by suitable proposals to amend this Regulation.

____________________

* The technical requirements are the same as for the passports delivered by Member States to their nationals in accordance with Council Regulation (EC) No 2252/2004 (OJ L 385, 29.12.2004, p. 1).

** OJ L 281, 23.11.1995, p. 31.".

(4)  In Point VII, point 1 shall be replaced by the following text:"

A Organisation of the reception and processing of visa applications

Each Member State shall be responsible for organising the reception and processing of visa applications.

For each location, Member States shall either equip their consular office with the required equipment for capturing/collecting biometric identifiers or, without prejudice to the above-mentioned representation options, decide to cooperate with one or more other Member States. Any cooperation shall take the form of co-location or the establishment of a Common Application Centre or, where these are inappropriate, co-operation with external service providers.

a)  Where "co-location" is chosen, the staff of the diplomatic posts and consular missions of one or more Member States shall process the applications (including biometric identifiers) addressed to them at the diplomatic post and consular mission of another Member State and share the equipment of that Member State. The Member States concerned shall agree on the duration and conditions for the termination of the co-location as well as the proportion of the administrative fee to be received by the Member State whose diplomatic post or consular mission is being used. Applicants shall be directed to the Member State responsible for the processing of the visa application.

b)  Where "Common Application Centres" are established, the staff of the diplomatic posts and consular missions of two or more Member States shall be pooled in the building of a Member State enjoying diplomatic or consular protection under international law or in a European Commission building recognised by the host State as inviolable in order to receive the visa applications (including biometric identifiers) addressed to them. Applicants shall be directed to the Member State responsible for the processing of the visa application. Member States shall agree on the duration and conditions for the termination of such co-operation as well as the cost sharing among the participating Member States. One Member State shall be responsible for contracts in relation to logistics and diplomatic relations with the host country.

c)  Co-operation with external service providers in accordance with 1.B.

1.  B Co-operation with external service providers

If, owing to particular circumstances or reasons relating to the local situation of the consular post, it is not appropriate to equip the consular office for capturing/collecting biometric identifiers or to organise co-location or a Common Application Centre, one or several Member States jointly may co-operate with an external service provider for the reception of visa applications (including biometric identifiers). In such a case, the Member State(s) concerned shall remain responsible for the processing of the data and therefore liable for any breaches of contract, and in particular for compliance with data protection rules for the processing of visa applications. Those Member State(s) shall ensure that an external service provider under Point VII, point 1.B.1 point b, undertakes its activities on the premises of a Member State which enjoy diplomatic or consular protection under international law or on European Commission premises recognised by the host State as inviolable, and that qualified and duly authorised staff of the diplomatic mission or consular post of the Member State(s) are present to closely supervise the activities of the external service provider.

1.B.1  - Types of co-operation with external service providers

1.B.2  - Obligations of Member States

In compliance with Directive 95/46/EC, the Member State(s) concerned shall select an external service provider which is able to ensure a high quality of service and all the technical and organisational security measures necessary to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network as well as the reception and transmission of files and data to the consular post, and against all other unlawful forms of processing.

When selecting external service providers, Member States" diplomatic missions or consular posts shall scrutinise the solvency and reliability of the company (including necessary licences, commercial registration, company statutes, bank contracts and shall ensure there is no conflict of interests.

The diplomatic missions or consular posts of the Member States shall ensure that the company selected offers relevant professional expertise in information assurance and data security. Member States should follow best procurement practices in contracting external visa support services.

External service providers shall not have access to the VIS for any purpose. Access to the VIS shall be reserved exclusively to duly authorised staff of diplomatic missions or consular posts solely for the purposes laid down in the VIS Regulation.

The Member State(s) concerned shall conclude a written contract with the external service provider in accordance with Article 17 of Directive 95/46/EC. Before concluding such a contract, the diplomatic mission or consular post of the Member State concerned shall justify, with reasons in accordance with Point VII, point 1.B, the need for the contract with the diplomatic missions and consular posts of other Member States and the Commission delegation within local consular cooperation.

A model contract shall be established within local consular cooperation.

Member States shall ensure that there is the least possible service disruption for visa applicants in the event of the external service provider suddenly ceasing to provide the services required under the contract.

The fee paid by the applicant shall not exceed the fee set out in Annex 12, irrespective of whether Member States cooperate with external service providers.

Member States shall ensure that a procedure is in place allowing for the identification of the external service provider handling any visa application.

The consular staff of the Member State(s) concerned shall give training to the service provider, corresponding to the knowledge needed to offer appropriate service and sufficient information to visa applicants.

1.B.3  - Information

This information to the general public shall also be available through a common Schengen visa internet site.

That site shall be established in order to further support the application of the common visa policy and the handling of the visa procedure.

1.B.4  - Information Campaign

Shortly before the VIS is brought into operation in a third country, the diplomatic missions or consular posts of Member States together with the delegation of the Commission shall launch a campaign informing the general public about the objectives pursued, the data stored in, and the authorities having access to, the VIS, and the rights of visa applicants. Such campaigns shall be conducted regularly.

1.  C Maintenance of direct access for applicants to Member States diplomatic missions and consular posts

Irrespective of the type of cooperation chosen, Member States may decide to maintain the possibility of allowing applicants direct access to lodge an application for a visa directly at the premises of their diplomatic missions or consular posts. Member States shall ensure the continuity of reception and processing of visa applications, in the event of the sudden termination of cooperation with other Member States or any type of external service provider.

1.  D Decision and publication

Member States shall inform the Commission of how they intend to organise the reception and processing of visa applications in each consular location. The Commission shall ensure appropriate publication on the common Schengen visa internet site.

Member States shall provide the Commission with the contracts they conclude.

1.  E General responsibilities

1.E.1   Documents

Any document, data or biometric identifier received by, or on behalf of, a Member State in the course of a visa application shall be considered a 'consular document' under the Vienna Convention on Consular Relations and shall be treated in an appropriate manner.

1.E.2   Training

Before being authorised to take biometric identifiers, the staff of the diplomatic mission or consular post shall receive appropriate training so as to ensure smooth and professional enrolment.

1.E.3  Liability

Any person who, or Member State which, has suffered damage as a result of an unlawful processing operation or any act in breach of this Regulation shall be entitled to receive compensation from the Member State which is responsible for the damage suffered. That Member State shall be exempted from its liability, in whole or in part, if it proves that it is not responsible for the event giving rise to the damage.

Claims for compensation against a Member State for the damage referred to in the previous subparagraph shall be governed by the provisions of national law of the defendant Member State.

1.E.4  Penalties

Member States shall take the necessary measures to ensure that any breach of this Regulation, in particular any misuse of data submitted for a visa application is punishable by penalties, including administrative and/or criminal penalties in accordance with national law, that are effective, proportionate and dissuasive.

(5)  In point VIII, point 5.2 shall be amended as follows:

Article 2

The Commission shall present, three years after the VIS is brought into operation and every four years thereafter, a report to the European Parliament and to the Council on the implementation of this Regulation, including the implementation of the enrolment of biometric identifiers, the appropriateness of the ICAO standard chosen, compliance with data protection rules, experience with external service providers with specific reference to the collection of biometric data, the principle of the "first application" and the organisation of the reception and the processing of visa applications. The report shall also include, on the basis of Article 17 (12), (13) and (14) and of Article 50(4) of the VIS Regulation, the cases in which fingerprints could factually not be provided or were not required to be provided for legal reasons compared with the number of cases in which fingerprints were taken. The report shall include information on cases in which a person who could factually not provide fingerprints was refused a visa.

The report shall be accompanied, where necessary, by appropriate proposals to amend this Regulation.

Article 3

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at ║,

For the European Parliament For the Council

The President The President

(1) Position of the European Parliament of 10 July 2008. (2) OJ L 213, 15.6.2004, p. 5. (3) OJ L 218, 13.8.2008, p. 60. (4) OJ L 281, 23.11.1995, p. 31. (5) OJ L 8, 12.1.2001, p. 1. (6) OJ L 176, 10.7.1999, p. 31. (7) OJ L 131, 1.6.2000, p. 43. (8) OJ L 64, 7.3.2002, p. 20. (9) OJ L 370, 17.12.2004, p. 78.