FantasticSearch

1. The Member State of origin shall ensure the security of data before and during transmission to Eurodac.

2. Each Member State shall, in relation to all data processed by its competent authorities pursuant to this Regulation, adopt the necessary measures, including a data security plan, in order to:

(a) physically protect the data, including by making contingency plans for the protection of critical infrastructure;

(b) deny unauthorised persons access to data-processing equipment and national installations in which the Member State carries out operations in accordance with the purposes of Eurodac (equipment, access control and checks at entrance to the installation);

(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(d) prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data (storage control);

(e) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);

(f) prevent the unauthorised processing of data in Eurodac and any unauthorised modification or erasure of data processed in Eurodac (control of data entry);

(g) ensure that persons authorised to access Eurodac have access only to the data covered by their access authorisation, by means of individual and unique user IDs and confidential access modes only (data access control);

(h) ensure that all authorities with a right of access to Eurodac create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, erase and search the data, and make those profiles and any other relevant information which those authorities might require for supervisory purposes available to the supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679 and in Article 41 of Directive (EU) 2016/680, without delay, at their request (personnel profiles);

(i) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);

(j) ensure that it is possible to verify and establish what data have been processed in Eurodac, when, by whom and for what purpose (control of data recording);

(k) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from Eurodac or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);

(l) ensure that installed systems may, in the event of interruption, be restored (recovery);

(m) ensure that Eurodac performs its functions, that the appearance of faults in the functions is reported (reliability) and that stored personal data cannot be corrupted by means of the system malfunctioning (integrity); and (n) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring in order to ensure compliance with this Regulation (self-auditing) and to automatically detect within 24 hours any relevant events arising from the application of measures listed in points (b) to (k) that might indicate the occurrence of a security incident.

3. Member States and Europol shall inform eu-LISA of security incidents related to Eurodac detected on their systems without prejudice to the notification and communication of a personal data breach, pursuant to Articles 33 and 34 of Regulation (EU) 2016/679 and Articles 30 and 31 of Directive (EU) 2016/680, as well as Articles 34 and 35 of Regulation (EU) 2016/794, respectively. eu-LISA shall inform the Member States, Europol and the European Data Protection Supervisor, without undue delay, of security incidents related to Eurodac detected on their systems without prejudice to Articles 34 and 35 of Regulation (EU) 2018/1725. The Member States concerned, eu-LISA and Europol shall collaborate during a security incident.

4. eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 2 of this Article as regards the operation of Eurodac, including the adoption of a data security plan. Prior to the start of the operational use of Eurodac, the security framework for Eurodac’s business and technical environment shall be updated, in accordance with Article 33 of Regulation (EU) 2018/1725.

5. The European Union Agency for Asylum shall take necessary measures in order to implement Article 18(4), including the adoption of a data security plan as referred to in paragraph 2 of this Article.