For the purposes of this Part, the following definitions apply:
(a) "third country" means a country other than a Member State or the United Kingdom;
(b) "special categories of personal data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical belief", or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
(c) "genetic data" means all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;
(d) "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(e) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(f) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(g) "filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
(h) "Specialised Committee on Law Enforcement and Judicial Cooperation" means the Committee by that name established by Article 8.
Article 524. Protection of Human Rights and Fundamental Freedoms
1. The cooperation provided for in this Parts based on the Parties' and Member States' long-standing respect for democracy, the rule of law and the protection of fundamental rights and freedoms of individuals, including as set out in the Universal Declaration of Human Rights and in the European Convention on Human Rights, and on the importance of giving effect to the rights and freedoms in that Convention domestically.
2. Nothing in this Part modifies the obligation to respect fundamental rights and legal principles as reflected, in particular, in the European Convention on Human Rights and, in the case of the Union and its Member States, in the Charter of Fundamental Rights of the European Union.
Article 525. Protection of Personal Data
1. The cooperation provided for in this Part is based on the Parties' long-standing commitment to ensuring a high level of protection of personal data.
2. To reflect that high level of protection, the Parties shall ensure that personal data processed under this Part is subject to effective safeguards in the Parties' respective data protection regimes, including that:
(a) personal data is processed lawfully and fairly, in compliance with the principles of data minimisation, purpose limitation, accuracy and storage limitation;
(b) processing of special categories of personal data is only permitted to the extent necessary and subject to appropriate safeguards adapted to the specific risks of the processing;
(c) a level of security appropriate to the risk of the processing is ensured through relevant technical and organisational measures, in particular as regards the processing of special categories of personal data;
(d) data subjects are granted enforceable rights of access, rectification and erasure, subject to possible restrictions provided for by law which constitute necessary and proportionate measures in a democratic society to protect important objectives of public interest;
(e) in the event of a data breach creating a risk to the rights and freedoms of natural persons, the competent supervisory authority is notified without undue delay of the breach; where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects are also notified, subject to possible restrictions provided for by law which constitute necessary and proportionate measures in a democratic society to protect important objectives of public interest;
(f) onward transfers to a third country are allowed only subject to conditions and safeguards appropriate to the transfer ensuring that the level of protection is not undermined;
(g) the supervsion of compliance with data protection safeguards and the enforcement of data protection safeguards are ensured by independent authorities; and
(h) data subjects are granted enforceable rights to effective administrative and judicial redress n the event that data protection safeguards have been violated.
3. The United Kingdom, on the one side, and the Union, also on behalf of any of its Member States, on the other side, shall notify the Specialised Committee on Law Enforcement and Judicial Cooperation of the supervisory authorities responsible for overseeing the implementation of, and ensuring compliance with, data protection mules applicable to cooperation under this Part. The supervisory authorities shall cooperate to ensure compliance with this Part.
4. The provisions on the protection of personal data set out in this Part apply to the processing of personal data wholly or partly by automated means, and to the processing other than by autonuted means of personal data which form part of a filing system or are intended to form part of a filing system.
5. This Article is without prejudice to the application of any specific provisions in this Part relating to the processing of personal data.
Article 526. Scope of Cooperation Where a Member State No Longer Participates In Analogous Measures Under Union Law
1. This Article applies if a Member State ceases to participate in, or enjoy rights under, provisions of Union law relating to law enforcement and judicial cooperation in criminal matters analogous to any of the relevant provisions of this Part.
2. The United Kingdom may notify the Union in writing of its intention to cease to operate the relevant provisions of this Part in relation to that Member State.
3. Anotification given under paragraph 2 takes effect on the date specified there, which shall be no earlier than the date on which the Member State ceases to participate in, or to enjoy rights under, the provisions of Union law referred to in paragraph 1.
4. If the United Kingdom gives notification under this Article of its intention to cease to apply the relevant provisions of this Part, the Specialised Committee on Law Enforcement and Judicial Cooperation shall meet to decide what measures are needed to ensure that any cooperation initiated under this Part that is affected by the cessation is concluded in an appropriate manner. In any event, with regard to all personal data obtained through cooperation under the relevant provisions of this Part before they cease to be applied, the Parties shall ensure that the level of protection under which the personal data were transferred is maintained after the cessation takes effect.
5. The Union shall notify the United Kingdom in writing, through diplomatic channels, of the date on which the Member State is to resume its participation m, or the enjoyment of rights under, the provisions of Union law in question. The application of the relevant provisions of this Part shall be reinstated on that date or, if later, on the first day of the month following the day on which that notification has been given.
6. To facilitate the application of this Article, the Union shall inform the United Kingdom when a Member State ceases to participate in, or enjoy rights under, provisions of Union law relating to law enforcement and judicial cooperation in criminal matters analogous to the relevant provisions of this Part.
Title II. EXCHANGES OF DNA, FINGERPRINTS AND VEHICLE REGISTRATION DATA
Article 527. Objective
The objective of this Title is to establish reciprocal cooperation between the competent law enforcement authorities of the United Kingdom, on the one side, and the Member States, on the other side, on the automated transfer of DNA profiles, dactyloscopic data and certain domestic vehicle registration data.
Article 528. Definitions
For the purposes of this Title, the following definitions apply:
(a) "competent law enforcement authority" means a domestic police, customs or other authority that is authorised by domestic law to detect, prevent and investigate offences or criminal activities and to exercise authority and take coercive measures in the context of such activities; agencies, bodies or other units dealing especially with national security issues are not competent law enforcement authorities for the purposes of this Title;
(b) "search" and "comparison", as referred to in Articles 530, 531, 534 and 539 mean the procedures by which it is established whether there is a match between, respectively, DNA data or dactyloscopic data which have been communicated by one State and DNA data or dactyloscopic data stored in the databases of one, several, or all of the other States;
(c) "automated searching", as referred to in Article 537, means an online access procedure for consulting the databases of one, several, or all of the other States;
(d) "non-coding part of DNA" means chromosome regions not genetically expressed, ie. not known to provide for any functional properties of an organism;
(e) "DNA profile" means a letter or numeric code which represents a set of identification characteristics of the non-coding part of an analysed human DNA sampk, ie. the particular molecular structure at the various DNA beations (hci);
(f) "DNA reference data" means DNA profile and reference number, DNA reference data shall only include DNA profiles established from the non-coding part of DNA and a reference number; DNA reference data shall not contain any data from which the data subject can be directly identified; DNA reference data which is not attributed to any natural person (unidentified DNA profiles) shall be recognisable as such;
(g) "reference DNA profile" means the DNA profile ofan identified person;
(h) "unidentified DNA profile" means the DNA profile obtained from traces collected during the investigation of criminal offences and belonging to a person not yet identified;
(i) "note" means a State's marking on a DNA profile in its domestic database indicating that there has already been a match for that DNA profile on another State's search or comparison;
(j) "dactyloscopic data" means fingerprint images, images of fingerprint latents, palm prints, palm print latents and templates of such images (coded minutiae), when they are stored and dealt with in an automated database;
(k) "dactyloscopic reference data" means dactyloscopic data and reference number; dactyloscopic reference data shall not contain any data from which the data subject can be directly identified; dactyloscopic reference data which is not attributed to any natural person (unidentified dactyloscopic data) shall be recognisable as such;
(l) "vehicle registration data" means the data-set as specified in Chapter 3 of Annex 39;
(m) "individual case", as referred to in Article 530(1), second sentence, Article 534(1), second sentence and Article 537(1), means a single investigation or prosecution file; if such a file contains more than one DNA profile, or one piece of dactyloscopic data or vehick registration data, they may be transmitted together as one request;
(n) "laboratory activity" means any measure taken in a laboratory when locating and recovering traces on items, as well as developing, analysing and interpreting forensic evidence regarding DNA profiles and dactyloscopic data, with a view to providing expert opinions or exchanging forensic evidence;
(o) "results of laboratory activities" means any analytical outputs and directly associated interpretation;
(p) "forensic service provider" means any organisation, public or private, that carries out laboratory activities at the request of competent law enforcement or judicial authorities;
(q) "domestic accreditation body" means the sole body in a State that performs accreditation with authority derived from the State.
Article 529. Establishment of Domestic DNA Analysis Files
1. The States shall open and keep domestic DNA analysis files for the investigation of criminal offences.
2. For the purpose of implementing this Title, the States shall ensure the availability of DNA reference data from their domestic DNA analysis files as referred to in paragraph 1.
3. The States shall declare the domestic DNA analysis files to which Articles 529 to 532 and Articles 535, 536 and 539 apply and the conditions for automated searching as referred to in Article 530(1).
Article 530. Automated Searching of DNA Profiles
1. For the investigation of criminal offences, States shall allow other States' national contact points as referred to in Article 535 access to the DNA reference data in their DNA analysis files, with the power to conduct automated searches by comparing DNA profiles. Searches may be conducted only in individual cases and in compliance with the requesting State's domestic law.
2. If an automated search shows that a DNA profile supplied matches DNA profiles entered in the requested State's searched file, the requested State shall send to the national contact point of the requesting State in an automated way the DNA reference data with which a match has been found. If no match can be found, this shall be notified automutically.
Article 531. Automated Comparison of DNA Profiles
1. For the investigation of criminal offences, the States, via their national contact points, shall compare the DNA profiles of their unidentified DNA profiles with all DNA profiles from other domestic DNA analysis files' reference data in accordance with mutually accepted practical arrangements between the States concerned. DNA profiles shall be supplied and compared in automated form. Unidentified DNA profiles shall be supplied for comparison only where provided for under the requesting State's domestic law.
2. Ifa State, as a result of the comparison referred to in paragraph 1, finds that any DNA profiles supplied by another State match any of those in its DNA analysis files, it shall supply that other State's national contact point with the DNA reference data with which a match has been found without delay.
Article 532. Collection of Cellular Material and Supply of DNA Profiles
Where, in ongoing investigations or criminal proceedings, there is no DNA profile available for a particular individual present within a requested State's territory, the requested State shall provide legal assistance by collecting and examining cellular material from that individual and by supplying the DNA profile obtained to the requesting State, if
(a) the requesting State specifies the purpose for which it is required;
(b) the requesting State produces an investigation warrant or statement issued by the competent authority, as required under that State's domestic law, showing that the requirements for collecting and examining cellular material would be fulfilled if the individual concerned were present within the requesting State's territory; and
(c) under the requested State's law, the requirements for collecting and examining cellular material and for supplying the DNA profile obtained are fulfilled.
Article 533. Dactylscopic Data
For the purpose of implementing this Title, the States shall ensure the availability of dactylscopic reference data from the file for the domestic automated fingerprint identification systems established for the prevention and investigation of criminal offences.
Article 534. Automated Searching of Dactyloscopic Data
1, For the prevention and investigation of criminal offences, States shall allow other States' national contact points, as referred to in Article 535, access to the reference data in the automated fingerprint identification systems which they have established for that purpose, with the power to conduct automated searches by comparing dactyloscopic data, Searches may be conducted only in individual cases and in compliance with the requesting State's domestic law.
2. The confirmation of a match of dactyloscopic data with reference data held by the requested State shall be carried out by the national contact point of the requesting State by means of the automated supply of the reference data required for a clear match.
Article 535. National Contact Points
1, For the purposes of the supply of data as referred to in Articles 530, 531 and 534, the States shall designate national contact points.
2. Inrespect of the Member States, national contact points designated for an analogous exchange of data within the Union shall be considered as national contact points for the purpose of this Title.
3. The powers of the national contact points shall be governed by the applicable domestic law.
Article 536. Supply of Further Personal Data and other Information
If the procedure referred to in Articles 530, 531 and 534 show a match between DNA profiles or dactyloscopic data, the supply of further available personal data and other information relating to the reference data shall be governed by the domestic law, including the legal assistance rules, of the requested State, without prejudice to Article 539(1).
Article 537. Autonmmted Searching of Vehicle Registration Data
1, For the prevention and investigation of criminal offences and in dealing with other offences within the jurisdiction of the courts or a public prosecutor in the requesting State, as well as in maintaining public security, States shall allow other States' national contact points, as referred to in paragraph 2, access to the following domestic vehicle registration data, with the power to conduct automated searches in individual cases:
(a) data relating to owners or operators; and
(b) data relating to vehicles.
2. Searches may be conducted under paragraph 1 only with a fill chassis number or a full registration number and in compliance with the requesting State's domestic law.
3. For the purposes of the supply of data as referred to in paragraph 1, the States shall designate a national contact point for incoming requests from other States. The powers of the national contact points shall be governed by the applicable domestic law.
Article 538. Accreditation of Forensic Service Providers Carrying Out Laboratory Activities
1, The States shall ensure that their forensic service providers carrying out laboratory activities are accredited by a domestic accreditation body as complying with EN ISOAEC 17025.
2. Each State shall ensure that the results of accredited forensic service providers carrying out laboratory activities in other States are recognised by its authorities responsible for the prevention, detection, and investigation of criminal offences as being equally reliable as the results of domestic forensic service providers carrying out laboratory activities accredited to EN ISO/IEC 17025.
3. The competent law enforcement authorities of the United Kingdom shall not carry out searches and automated comparison in accordance with Articles 530, 531 and 534 before the United Kingdom has implemented and applied the measures referred to in paragraph 1 of this Article.
4. Paragraphs 1 and 2 do not affect domestic rules on the judicial assessment of evidence. 5. The United Kingdom shall communicate to the Specialised Committee on Law Enforcement and Judicial Cooperation the text of the main provisions adopted to implement and apply the provisions of this Article.
Article 539. Implementing Measures
1. For the purposes of this Title, States shall make all categories of data available for searching and comparison to the competent law enforcement authorities of other States under conditions equal to those under which they are available for searching and comparison by domestic competent law enforcement authorities, States shall supply further available personal data and other information relating to the reference data as referred to in Article 536 to the competent law enforcement authorities of other States for the purposes of this Title under conditions equal to those under which they would be supplied to domestic authorities.
2. For the purpose of implementing the procedures referred to in Articles 530, 531, 534 and 537, technical and procedural specifications are laid down in Annex 39.
3. The declarations made by Member States in accordance with Council Decisions 2008/615/JHA (1) and 2008/616/JHA (2) shall also apply in their relations with the United Kingdom.
Article 540. Ex Ante Evaluation
1. In order to verify whether the United Kingdom has fulfilled the conditions set out in Article 539 and Annex 39, an evaluation visit and a pilot run, to the extent required by Annex 39, shall be carried out in respect of, and under conditions and arrangements acceptable to, the United Kingdom. In any event, a pilot run shall be carried out in relation to the searching of data under Article 537.
2. On the basis ofan overall evaluation report on the evaluation visit and, where applicable, the pilot run, as referred to in paragraph 1, the Union shall determine the date or dates from which personal data may be supplied by Member States to the United Kingdom pursuant to this Title.
3. Pending the outcome of the evaluation referred to in paragraph 1, from the date of the entry into force of this Agreement, Member States may supply to the United Kingdom personal data as referred to in Articles 530, 531, 534 and 536 until the date or dates determined by the Union in accordance with paragraph 2 of this Article, but not longer than nine months after the entry into force of this Agreement. The Specialised Committee on Law Enforcement and Judicial Cooperation may extend this period once by a maximum of nine months.
Article 541. Suspension and Disapplication
1. Inthe event that the Union considers it necessary to amend this Title because Union hw relating to the subject matter governed by this Title is amended substantially, or is in the process of being amended substantially, it may notify the United Kingdom accordingly with a view to agreeing ona formal amendment of this Agreement in relation to this Title. Following such notification, the Parties shall engage in consultations.
2. Where within nine months of that notification the Parties have not reached an agreement amending this Title, the Union may decide to suspend the application of this Title or any provisions of this Title for a period of up to nine months. Before the end of that period, the Parties may agree on an extension of the suspension for an additional period of up to nine months. If by the end of the suspension period the Parties have not reached an agreement amending this Title, the suspended provisions shall cease to apply on the first day of the month following the expiry of the suspension period, unless the Union informs the United Kingdom that it no longer seeks any amendment to this Title. In that case, the suspended provisions of this Title shall be reinstated.
3. If any of the provisions of this Title are suspended under this Article, the Specialised Committee on Law Enforcement and Judicial Cooperation shall meet to decide what steps are needed to ensure that any cooperation initiated under this Title and affected by the suspension is concluded in an appropriate manner. In any event, with regard to all personal data obtained through cooperation under this Title before the provisions concerned by the suspension provisionally cease to apply, the Parties shall ensure that the level of protection under which the personal data were transferred is maintained after the suspension takes effect.
Title II. TRANSFER AND PROCESSING OF PASSENGER NAME RECORD DATA
Article 542. Scope
1. This Title lays down rules under which passenger name record data nay be transferred to, processed and used by the United Kingdom competent authority for flights between the Union and the United Kingdom, and establishes specific safeguards in that regard.
2. This Title applies to air carriers operating passenger flights between the Union and the United Kingdom.
3. This Title ako applies to air carriers incorporated, or storing data, in the Union and operating passenger flights to or from the United Kingdom.
4. This Title abo provides for police and judicial cooperation in criminal mutters between the United Kingdom and the Union in respect of PNR data.
Article 543. Definitions
For the purposes of this Title, the following definitions apply:
(a) "air carrier" means an air transport undertaking with a valid operating licence or equivalent permitting it to carry out carriage of passengers by air between the United Kingdom and the Union;
(b) "passenger name record" ("PNR") means a record of each passenger's travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, departure control systems used to check passengers into flights, or equivalent systems providing the same functionalities; specifically, as used in this Title, PNR data consists of the elements set out in Annex 40;
(c) "United Kingdom competent authority" means the United Kingdom authority responsible for receiving and processing PNR data under this Agreement; if the United Kingdom has more than one competent authority it shall provide a passenger data single window facility that allows air carriers to transfer PNR data to a single data transmission entry point and shall designate a single point of contact for the purpose of receiving and making requests under Article 546;
(d) "Passenger Information Units" ("PIUs") means the Units established or designated by Member States that are responsible for receiving and processing PNR data;
(e) "terrorism" means any offence listed in Annex 45;
(f) "serious crime" means any offence punishable by a custodial sentence or detention order for a maximum period of at least three years under the domestic law of the United Kingdom.
Article 544. Purposes of the Use of PNR Data
The United Kingdom shall ensure that PNR data received pursuant to this Title is processed strictly for the purposes of preventing, detecting, investigating or prosecuting terrorism or serious crime and for the purposes of overseeing the processing of PNR data within the terms set out in this Agreement,
2. In exceptional cases, the United Kingdom competent authority may process PNR data where necessary to protect the vital interests of any natural person, such as:
(a) a risk of death or serious injury, or
(b) asignificant public health risk, in particular as identified under internationally recognised standards.
3. The United Kingdom competent authority may abo process PNR data on a case-by-case basis where the disclosure of relevant PNR data is compelled by a United Kingdom court or administrative tribunal in a proceeding directly related to any of the purposes referred to in paragraph 1.
Article 545. Ensuring PNR Data Is Provided
1. The Union shall ensure that air carriers are not prevented from transferring PNR data to the United Kingdom competent authority pursuant to this Title.
2. The Union shall ensure that air carriers may transfer PNR data to the United Kingdom competent authority through authorised agents, who act on behalf of and under the responsibility of an air carrier, pursuant to this Title.
3. The United Kingdom shall not require an air carrier to provide elements of PNR data which are not already collected or held by the air carrier for reservation purposes.
4. The United Kingdom shall delete any data transferred to it by an air carrier pursuant to this Tifle upon receipt of that data, if that data element is not listed in Annex 40.
Article 546. Police and Judicial Cooperation
1, The United Kingdom competent authority shall share with Europol or Eurojust, within the scope of their respective mandates, or with the PIUs of the Member States all relevant and appropriate analytical information containing PNR data as soon as possible in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
2. At the request of Europol or Eurojust, within the scope of their respective mandates, or of the PIU of a Member State, the United Kingdom competent authority shall share PNR data, the results of processing those data, or analytical information containing PNR data, in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
3. The PIUs of the Member States shall share with the United Kingdom competent authority all relevant and appropriate analytical information containing PNR data as soon as possible in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
4. At the request of the United Kingdom competent authority, the PIUs of the Member States shall share PNR data, the results of processing those data, or analytical information containing PNR data, in specific cases where necessary to prevent, detect, investigate, or prosecute terrorism or serious crime.
5. The Parties shall ensure that the information referred to in paragraphs 1 to 4 is shared in accordance with agreements and arrangements on law enforcement or information sharing between the United Kingdom and Europol, Eurojust, or the relevant Member State. In particular, the exchange of information with Europol under this Article shall take place through the secure communication line established for the exchange of information through Europol.
6. The United Kingdom competent authority and the PIUs of the Member States shall ensure that only the minimum amount of PNR data necessary is shared under paragraphs 1 to 4.
Article 547. Non- Discrimination
The United Kingdom shall ensure that the safeguards applicable to the processing of PNR data apply to all natural persons on an equal basis without unlawful discrimination.
Article 548. Use of Special Categories of Personal Data
Any processing of special categories of personal data shall be prohibited under this Title. To the extent that any PNR data which is transferred to the United Kingdom competent authority includes special categories of personal data, the United Kingdom competent authority shall delete such data.
Article 549. Data Security and Integrity
1. The United Kingdom shall implement regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss.
2. The United Kingdom shall ensure compliance verification and the protection, security, confidentiality, and integrity of the data. In that regard, the United Kingdom shall:
(a) apply encryption, authorisation, and documentation procedures to the PNR data;
(b) limit access to PNR data to authorised officials;
(c) hold PNR data in a secure physical environment that is protected with access controls; and
(d) establish a mechanism that ensures that PNR data queries are conducted in a manner consistent with Article 544,
3. If a natural person's PNR data is accessed or disclosed without authorisation, the United Kingdom shall take measures to notify that natural person, to mitigate the risk of harm, and to take remedial action.