FantasticSearch

1. Air carriers shall create logs of all processing operations related to API data under this Regulation undertaken by using the automated means referred to in Article 5(2). Those logs shall cover the date, time and place of transfer of the API data. Those logs shall not contain any personal data, other than the information necessary to identify the relevant member of the staff of the air carrier.

2. eu-LISA shall keep logs of all processing operations relating to the transfer and transmission of API data through the router under this Regulation. Those logs shall cover:

(a) the air carrier that transferred the API data to the router;

(b) the competent border authorities to which the API data were transmitted through the router;

(c) the date and time of the transfer or transmission referred to in points (a) and (b), and the place of that transfer or transmission;

(d) any access by the staff of eu-LISA necessary for the maintenance of the router, as referred to in Article 26(3);

(e) any other information relating to those processing operations necessary to monitor the security and integrity of the API data and the lawfulness of those processing operations. Those logs shall not include any personal data, other than the information necessary to identify the relevant member of the staff of eu-LISA, referred to in point (d) of the first subparagraph.

3. The logs referred to in paragraphs 1 and 2 of this Article shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation, including proceedings for penalties for infringements of those requirements in accordance with Articles 36 and 37.

4. Air carriers and eu-LISA shall take appropriate measures to protect the logs that they created pursuant to paragraphs 1 and 2, respectively, against unauthorised access and other security risks.

5. The national API supervision authority referred to in Article 36 and competent border authorities shall have access to the relevant logs referred to in paragraph 1 of this Article where necessary for the purposes referred to in paragraph 3 of this Article.

6. Air carriers and eu-LISA shall keep the logs that they created pursuant to paragraphs 1 and 2, respectively, for a period of one year from the moment of the creation of those logs. They shall immediately and permanently delete those logs upon the expiry of that period. However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 3, and those procedures have already begun at the moment of the expiry of the period referred to in the first subparagraph of this paragraph, eu-LISA and air carriers shall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.