FantasticSearch

1. Air carriers shall create logs of all processing operations related to API data under this Regulation undertaken using the automated means referred to in Article 4(7). Those logs shall cover the date, time, and place of transfer of the API data. Those logs shall not contain any personal data, other than the information necessary to identify the relevant member of the staff of the air carrier.

2. eu-LISA shall keep logs of all processing operations relating to the transfer and transmission of API data and other PNR data through the router under this Regulation. Those logs shall cover the following:

(a) the air carrier that transferred the API data and other PNR data to the router;

(b) the air carrier that transferred other PNR data to the router;

(c) the PIUs to which the API data were transmitted through the router;

(d) the PIUs to which other PNR data were transmitted through the router;

(e) the date and time of the transfer or transmission referred to in points (a) to (d), and the place of that transfer or transmission;

(f) any access by the staff of eu-LISA necessary for the maintenance of the router, as referred to in Article 26(3);

(g) any other information relating to those processing operations necessary to monitor the security and integrity of the API data and other PNR data and the lawfulness of those processing operations. Those logs shall not include any personal data, other than the information necessary to identify the relevant member of the staff of eu-LISA, referred to in point (f) of the first subparagraph.

3. The logs referred to in paragraphs 1 and 2 of this Article shall be used only for ensuring the security and integrity of the API data and other PNR data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation, including proceedings for penalties for infringements of those requirements in accordance with Articles 37 and 38.

4. Air carriers and eu-LISA shall take appropriate measures to protect the logs that they created pursuant to paragraphs 1 and 2, respectively, against unauthorised access and other security risks.

5. The national API supervision authority referred to in Article 37 and PIUs shall have access to the relevant logs referred to in paragraph 1 of this Article where necessary for the purposes referred to in paragraph 3 of this Article.

6. Air carriers and eu-LISA shall keep the logs that they created pursuant to paragraphs 1 and 2, respectively, for a period of one year from the moment of the creation of those logs. They shall immediately and permanently delete those logs upon the expiry of that period.

However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 3, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph of this paragraph, air carriers and eu-LISA shall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.