REGULATION (EU) 2019/1157 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 20 June 2019

on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 21(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) The Treaty on the European Union (TEU) resolved to facilitate the free movement of persons while ensuring the safety and security of the peoples of Europe, by establishing an area of freedom, security and justice, in accordance with the provisions of the TEU and of the Treaty on the Functioning of the European Union (TFEU).

(2) Citizenship of the Union confers on every citizen of the Union the right of free movement, subject to certain limitations and conditions. Directive 2004/38/EC of the European Parliament and of the Council (3) gives effect to that right. Article 45 of the Charter of Fundamental Rights of the European Union (the Charter) also provides for freedom of movement and residence. Freedom of movement entails the right to exit and enter Member States with a valid identity card or passport.

(3) Pursuant to Directive 2004/38/EC, Member States are to issue and renew identity cards or passports to their nationals in accordance with national laws. Furthermore, that Directive provides that Member States may require Union citizens and their family members to register with the relevant authorities. Member States are required to issue registration certificates to Union citizens under the conditions set out therein. Pursuant to that Directive, Member States are also required to issue residence cards to family members who are not nationals of a Member State and, on application, to issue documents certifying permanent residence and to issue permanent residence cards.

(4) Directive 2004/38/EC provides that Member States may adopt the necessary measures to refuse, terminate or withdraw any right conferred by that Directive in the case of abuse of rights or fraud. Document forgery or false presentation of a material fact concerning the conditions attached to the right of residence have been identified as typical cases of fraud under that Directive.

(5) Considerable differences exist between the security levels of national identity cards issued by Member States and residence permits for Union nationals residing in another Member State and their family members. Those differences increase the risk of falsification and document fraud and also give rise to practical difficulties for citizens when they wish to exercise their right of free movement. Statistics from the European Document Fraud Risk Analysis Network show that incidents of fraudulent identity cards have increased over time.

(6) In its Communication of 14 September 2016 entitled ‘Enhancing security in a world of mobility: improved information exchange in the fight against terrorism and stronger external borders’, the Commission stressed that secure travel and identity documents are crucial whenever it is necessary to establish without doubt a person's identity, and announced that it would be presenting an action plan to tackle travel document fraud. According to that Communication, an improved approach relies on robust systems to prevent abuses and threats to internal security arising from failings in document security, in particular related to terrorism and cross-border crime.

(7) According to the Commission's Action Plan of 8 December 2016 to strengthen the European response to travel document fraud (the 2016 Action Plan), at least three quarters of fraudulent documents detected at the external borders, but also in the area without controls at internal borders, purport to have been issued by Member States and the Schengen associated countries. Less secure national identity cards issued by Member States are the most frequently detected false documents used for intra-Schengen travel.

(8) In order to deter identity fraud, Member States should ensure that the falsification and counterfeiting of identification documents and the use of such falsified or counterfeit documents are adequately penalised by their national law.

(9) The 2016 Action Plan addressed the risk from fraudulent identity cards and residence documents. The Commission, in the 2016 Action Plan, and in its 2017 EU Citizenship Report, committed itself to analysing policy options to improve the security of identity cards and residence documents.

(10) According to the 2016 Action Plan, issuing authentic and secure identity cards requires a reliable identity registration process and secure ‘breeder’ documents to support the application process. The Commission, the Member States and the relevant Union agencies should continue to work together to make breeder documents less vulnerable to fraud, given the increased use of false breeder documents.

(11) This Regulation does not require Member States to introduce identity cards or residence documents where they are not provided for under national law, nor does it affect the competence of the Member States to issue, under national law, other residence documents which fall outside the scope of Union law, for example residence cards issued to all residents on the territory regardless of their nationality.

(12) This Regulation does not prevent Member States from accepting, in a non-discriminatory manner, documents other than travel documents, for identification purposes, such as driving licences.

(13) Identification documents issued to citizens whose rights of free movement have been restricted in accordance with Union or national law, and which expressly indicate that they cannot be used as travel documents, should not be considered as falling within the scope of this Regulation.

(14) Travel documents compliant with part 5 of International Civil Aviation Organization (ICAO) Document 9303 on Machine Readable Travel Documents, (seventh edition, 2015) (‘ICAO Document 9303’), which do not serve identification purposes in the issuing Member States, such as the passport card issued by Ireland, should not be considered as falling within the scope of this Regulation.

(15) This Regulation does not affect the use of identity cards and residence documents with eID function by Member States for other purposes, nor does it affect the rules laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council (4), which provides for Union-wide mutual recognition of electronic identifications in access to public services and which helps citizens who are moving to another Member State, by requiring mutual recognition of electronic identification means subject to certain conditions. Improved identity cards should ensure easier identification and contribute to better access to services.

(16) Proper verification of identity cards and residence documents requires that Member States use the correct title for each type of document covered by this Regulation. In order to facilitate the checking of documents covered by this Regulation in other Member States, the document title should also appear in at least one additional official language of the institutions of the Union. Where Member States already use, for identity cards, well-established designations other than the title ‘identity card’, they should be able to continue to do so in their official language or languages. However, no new designations should be introduced in the future.

(17) Security features are necessary to verify if a document is authentic and to establish the identity of a person. The establishment of minimum security standards and the integration of biometric data in identity cards and in residence cards of family members who are not nationals of a Member State are important steps in rendering their use in the Union more secure. The inclusion of such biometric identifiers should allow Union citizens to fully benefit from their rights of free movement.

(18) The storage of a facial image and two fingerprints (‘biometric data’) on identity and residence cards, as already provided for in respect of biometric passports and residence permits for third-country nationals, represents an appropriate combination of reliable identification and authentication with a reduced risk of fraud, for the purpose of strengthening the security of identity and residence cards.

(19) As a general practice, Member States should, for the verification of the authenticity of the document and the identity of the holder, primarily verify the facial image and, where necessary to confirm without doubt the authenticity of the document and the identity of the holder, Member States should also verify the fingerprints.

(20) Members States should ensure that, in cases where a verification of biometric data does not confirm the authenticity of the document or the identity of its holder, a compulsory manual check is carried out by qualified staff.

(21) This Regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in Member States, which is a matter of national law that needs to comply with Union law regarding data protection. Moreover, this Regulation does not provide a legal basis for setting up or maintaining a centralised database at Union level.

(22) Biometric identifiers should be collected and stored in the storage medium of identity cards and residence documents for the purposes of verifying the authenticity of the document and the identity of the holder. Such a verification should only be carried out by duly authorised staff and only when the document is required to be produced by law. Moreover, biometric data stored for the purpose of the personalisation of identity cards or residence documents should be kept in a highly secure manner and only until the date of collection of the document and, in any case, no longer than 90 days from the date of issue of the document. After that period, those biometric data should be immediately erased or destroyed. This should be without prejudice to any other processing of these data in accordance with Union and national law regarding data protection.

(23) The specifications of ICAO Document 9303 which ensure global interoperability including in relation to machine readability and use of visual inspection should be taken into account for the purpose of this Regulation.

(24) Member States should be able to decide whether to include a person's gender on a document covered by this Regulation. Where a Member State includes a person's gender on such a document, the specifications of ICAO Document 9303 ‘F’, ‘M’ or ‘X’ or the corresponding single initial used in the language or languages of that Member State should be used, as appropriate.

(25) Implementing powers should be conferred on the Commission in order to ensure that future security standards and technical specifications adopted pursuant to Council Regulation (EC) No 1030/2002 (5) are duly taken into account, where appropriate, for identity cards and residence cards. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (6). To that end, the Commission should be assisted by the Committee established by Article 6 of Council Regulation (EC) No 1683/95 (7). Where necessary, it should be possible for the implementing acts adopted to remain secret in order to prevent the risk of counterfeiting and falsifications.

(26) Member States should ensure that appropriate and effective procedures for the collection of biometric identifiers are in place and that such procedures comply with the rights and principles set out in the Charter, the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe and the United Nations Convention on the Rights of the Child. Member States should ensure that the best interest of the child is a primary consideration throughout the collection procedure. To that end, qualified staff should receive appropriate training on child-friendly practices for the collecting of biometric identifiers.

(27) Where difficulties are encountered in the collection of biometric identifiers, Member States should ensure that appropriate procedures are in place to respect the dignity of the person concerned. Therefore, specific considerations relating to gender, and to the specific needs of children and of vulnerable persons should be taken into account.

(28) The introduction of minimum security and format standards for identity cards should allow Member States to rely on the authenticity of those documents when Union citizens exercise their right of free movement. The introduction of reinforced security standards should provide sufficient guarantees to public authorities and private entities to enable them to rely on the authenticity of identity cards when used by Union citizens for identification purposes.

(29) A distinguishing sign in the form of the two-letter country code of the Member State issuing the document, printed in negative in a blue rectangle and encircled by 12 yellow stars, facilitates the visual inspection of the document, in particular when the holder is exercising the right of free movement.

(30) While the option to provide for additional national features is maintained, Member States should ensure that those features do not diminish the efficiency of the common security features or negatively affect the cross-border compatibility of the identity cards, such as the capability that the identity cards can be read by machines used by Member States other than those which issue the identity cards.

(31) The introduction of security standards in identity cards and in residence cards of family members who are not nationals of a Member State should not result in a disproportionate increase in fees for Union citizens or third-country nationals. Member States should take this principle into consideration when issuing calls for tender.

(32) Member States should take all necessary steps to ensure that biometric data correctly identify the person to whom an identity card is issued. To this end, Member States could consider collecting biometric identifiers, particularly the facial image, by means of live enrolment by the national authorities issuing identity cards.

(33) Member States should exchange with each other such information as is necessary to access, authenticate and verify the information contained on the secure storage medium. The formats used for the secure storage medium should be interoperable, including in respect of automated border crossing points.

(34) Directive 2004/38/EC addresses the situation where Union citizens, or family members of Union citizens who are not nationals of a Member State, who do not have the necessary travel documents are to be given every reasonable opportunity to prove by other means that they are covered by the right of free movement. Such means can include identification documents used on a provisional basis and residence cards issued to such family members.

(35) This Regulation respects the obligations set out in the Charter and in the United Nations Convention on the Rights of Persons with Disabilities. Therefore, Member States are encouraged to work with the Commission to integrate additional features that render identity cards more accessible and user-friendly to people with disabilities, such as visually impaired persons. Member States are to explore the use of solutions, such as mobile registration devices, for the issuance of identity cards to persons incapable of visiting the authorities responsible for issuing identity cards.

(36) Residence documents issued to citizens of the Union should include specific information to ensure that they are identified as such in all Member States. This should facilitate the recognition of the Union citizen's use of the right of free movement and of the rights inherent to this use, but harmonisation should not go beyond what is appropriate to address the weaknesses of current documents. Member States are free to select the format in which these documents are issued and could issue them in a format complying with the specifications of ICAO Document 9303.

(37) As regards residence documents issued to family members who are not nationals of a Member State, it is appropriate to make use of the same format and security features as those provided for in Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954 of the European Parliament and of the Council (8). In addition to proving the right of residence, those documents also exempt their holders who are otherwise subject to a visa obligation from the requirement to obtain a visa when accompanying or joining the Union citizen within the Union territory.

(38) Directive 2004/38/EC provides that documents issued to family members who are not nationals of a Member State are to be called ‘Residence card of a family member of a Union citizen’. In order to facilitate their identification, residence cards of a family member of a Union citizen should bear a standardised title and code.

(39) Taking into account both the security risk and the costs incurred by Member States, identity cards as well as residence cards of a family member of a Union citizen with insufficient security standards should be phased out. In general, a phasing-out period of ten years for identity cards and five years for residence cards should be sufficient to strike a balance between the frequency with which documents are usually replaced and the need to fill the existing security gap within the Union. However, for cards which do not have important security features, or are not machine readable, a shorter phasing-out period is necessary on security grounds.

(40) Regulation (EU) 2016/679 of the European Parliament and of the Council (9) applies with regard to the personal data to be processed in the context of the application of this Regulation. It is necessary to further specify safeguards applicable to the processed personal data and in particular to sensitive data such as biometric identifiers. Data subjects should be made aware of the existence in their documents of the storage medium containing their biometric data including its accessibility in contactless form as well as of all instances where the data contained in their identity cards and residence documents are used. In any case, data subjects should have access to personal data processed in their identity cards and residence documents and should have the right to have them rectified by way of issuance of a new document where such data is erroneous or incomplete. The storage medium should be highly secure and effectively protect personal data stored on it from unauthorised access.

(41) Member States should be responsible for the proper processing of biometric data, from collection to integration of the data on the highly secure storage medium, in accordance with Regulation (EU) 2016/679.

(42) Member States should exercise particular caution when cooperating with an external service provider. Such cooperation should not exclude any liability of the Member States arising under Union or national law for breaches of obligations with regard to personal data.

(43) It is necessary to specify in this Regulation the basis for the collection and storage of data on the storage medium of identity cards and residence documents. In accordance with Union or national law and respecting the principles of necessity and proportionality, Member States should be able to store other data on a storage medium for electronic services or for other purposes relating to the identity card or residence document. The processing of such other data including their collection and the purposes for which they can be used should be authorised by Union or national law. All national data should be physically or logically separated from biometric data referred to in this Regulation and should be processed in accordance with Regulation (EU) 2016/679.

(44) Member States should apply this Regulation at the latest 24 months after the date of its entry into force. As from the date of application of this Regulation, Member States should only issue documents which respect the requirements set out in this Regulation.

(45) The Commission should report on the implementation of this Regulation two years, and 11 years, respectively, after its date of application, including on the appropriateness of the level of security, taking into account its impact on fundamental rights and data protection principles. In accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (10), the Commission should, six years after the date of application of this Regulation, and every six years thereafter, carry out an evaluation of this Regulation on the basis of information gathered through specific monitoring arrangements, in order to assess the actual effects of this Regulation and the need for any further action. For the purpose of monitoring, Member States should collect statistics on the number of identity cards and residence documents which they issued.

(46) Since the objectives of this Regulation, namely to enhance security and to facilitate the exercise of the rights of free movement by Union citizens and their family members cannot be sufficiently achieved by the Member States but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(47) This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter including human dignity, the right to the integrity of the person, the prohibition of inhuman or degrading treatment, the right to equality before the law and non-discrimination, the rights of children, the rights of the elderly, respect for private and family life, the right to the protection of personal data, the right of free movement and the right to an effective remedy. Member States should comply with the Charter when implementing this Regulation.

(48) The European Data Protection Supervisor and the Fundamental Rights Agency issued opinions on 10 August 2018 (11) and on 5 September 2018 (12) respectively,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

SUBJECT MATTER, SCOPE AND DEFINITIONS

Article 1 Subject matter This Regulation strengthens the security standards applicable to identity cards issued by Member States to their nationals and to residence documents issued by Member States to Union citizens and their family members when exercising their right to free movement.

Article 2 Scope This Regulation applies to: (a) identity cards issued by Member States to their own nationals as referred to in Article 4(3) of Directive 2004/38/EC; This Regulation shall not apply to identification documents issued on a provisional basis with a period of validity of less than six months. (b) registration certificates issued in accordance with Article 8 of Directive 2004/38/EC to Union citizens residing for more than three months in a host Member State and documents certifying permanent residence issued in accordance with Article 19 of Directive 2004/38/EC to Union citizens upon application; (c) residence cards issued in accordance with Article 10 of Directive 2004/38/EC to family members of Union citizens who are not nationals of a Member State and permanent residence cards issued in accordance with Article 20 of Directive 2004/38/EC to family members of Union citizens who are not nationals of a Member State.

CHAPTER II

NATIONAL IDENTITY CARDS

Article 3 Security standards/format/specifications 1. Identity cards issued by Member States shall be produced in ID-1 format and shall contain a machine-readable zone (MRZ). Such identity cards shall be based on the specifications and minimum security standards set out in ICAO Document 9303 and shall comply with the requirements set out in points (c), (d), (f) and (g) of the Annex to Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954. 2. The data elements included on identity cards shall comply with the specifications set out in part 5 of ICAO document 9303. By way of derogation from the first subparagraph, the document number may be inserted in zone I and the designation of a person's gender shall be optional. 3. The document shall bear the title ‘Identity card’ or another well-established national designation in the official language or languages of the issuing Member State, and the words ‘Identity card’ in at least one other official language of the institutions of the Union. 4. The identity card shall contain, on the front side, the two-letter country code of the Member State issuing the card, printed in negative in a blue rectangle and encircled by 12 yellow stars. 5. Identity cards shall include a highly secure storage medium which shall contain a facial image of the holder of the card and two fingerprints in interoperable digital formats. For the capture of biometric identifiers, Member States shall apply the technical specifications as established by Commission Implementing Decision C(2018) 7767 (13). 6. The storage medium shall have sufficient capacity and capability to guarantee the integrity, the authenticity and the confidentiality of the data. The data stored shall be accessible in contactless form and secured as provided for in Implementing Decision C(2018) 7767. Member States shall exchange the information necessary to authenticate the storage medium and to access and verify the biometric data referred to in paragraph 5. 7. Children under the age of 12 years may be exempt from the requirement to give fingerprints. Children under the age of 6 years shall be exempt from the requirement to give fingerprints. Persons in respect of whom fingerprinting is physically impossible shall be exempt from the requirement to give fingerprints. 8. When necessary and proportionate to the aim to be achieved, Member States may enter such details and observations for national use as may be required in accordance with national law. The efficiency of minimum security standards and the cross-border compatibility of identity cards shall not be diminished as a result. 9. Where Member States incorporate a dual interface or a separate storage medium in the identity card, the additional storage medium shall comply with the relevant ISO standards and shall not interfere with the storage medium referred to in paragraph 5. 10. Where Member States store data for electronic services such as e-government and e-business in the identity cards, such national data shall be physically or logically separated from the biometric data referred to in paragraph 5. 11. Where Member States add additional security features to identity cards, the cross-border compatibility of such identity cards and the efficiency of the minimum security standards shall not be diminished as a result.

Article 4 Period of validity 1. Identity cards shall have a minimum period of validity of five years and a maximum period of validity of ten years. 2. By way of derogation from paragraph 1, Member States may provide for a period of validity of: (a) less than five years, for identity cards issued to minors; (b) in exceptional cases, less than five years, for identity cards issued to persons in special and limited circumstances and where their period of validity is limited in compliance with Union and national law; (c) more than 10 years, for identity cards issued to persons aged 70 and above. 3. Member States shall issue an identity card having a validity of 12 months or less where it is temporarily physically impossible to take fingerprints of any of the fingers of the applicant.

Article 5 Phasing out 1. Identity cards which do not meet the requirements set out in Article 3 shall cease to be valid at their expiry or by 3 August 2031, whichever is earlier. 2. By way of derogation from paragraph 1: (a) identity cards which do not meet the minimum security standards set out in part 2 of ICAO document 9303 or which do not include a functional MRZ, as defined in paragraph 3, shall cease to be valid at their expiry or by 3 August 2026, whichever is earlier; (b) identity cards of persons aged 70 and above at 2 August 2021, which meet the minimum security standards set out in part 2 of ICAO document 9303 and which have a functional MRZ, as defined in paragraph 3, shall cease to be valid at their expiry. 3. For the purpose of paragraph 2, a functional MRZ shall mean: (a) a machine-readable zone compliant with part 3 of ICAO document 9303; or (b) any other machine-readable zone for which the issuing Member State notifies the rules required for reading and displaying the information contained therein, unless a Member State notifies the Commission, by 2 August 2021, of its lack of capacity to read and display this information. Upon receipt of a notification as referred to in point (b) of the first subparagraph, the Commission shall inform the Member State concerned and the Council accordingly.

CHAPTER III

RESIDENCE DOCUMENTS FOR UNION CITIZENS

Article 6 Minimum information to be indicated Residence documents when issued by Member States to Union citizens, shall indicate at a minimum the following: (a) the title of the document in the official language or languages of the Member State concerned and in at least one other official language of the institutions of the Union; (b) a clear reference that the document is issued to a Union citizen in accordance with Directive 2004/38/EC; (c) the document number; (d) the name (surname and forename(s)) of the holder; (e) the date of birth of the holder; (f) the information to be included on registration certificates and documents certifying permanent residence, issued in accordance with Articles 8 and 19 of Directive 2004/38/EC, respectively; (g) the issuing authority; (h) on the front-side, the two-letter country code of the Member State issuing the document, printed in negative in a blue rectangle and encircled by twelve yellow stars. If a Member State decides to take fingerprints, Article 3(7) shall apply accordingly. Persons in respect of whom fingerprinting is physically impossible shall be exempt from the requirement to give fingerprints.

CHAPTER IV

RESIDENCE CARDS FOR FAMILY MEMBERS WHO ARE NOT NATIONALS OF A MEMBER STATE

Article 7 Uniform format 1. When issuing residence cards to family members of Union citizens who are not nationals of a Member State, Member States shall use the same format as established by Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954, and as implemented by Implementing Decision C(2018) 7767. 2. By way of derogation from paragraph 1, a card shall bear the title ‘Residence card’ or ‘Permanent residence card’. Member States shall indicate that these documents are issued to a family member of a Union citizen in accordance with Directive 2004/38/EC. For this purpose, Member States shall use the standardised code ‘Family Member EU Art 10 DIR 2004/38/EC’ or ‘Family Member EU Art 20 DIR 2004/38/EC’, in data field [10], as referred to in the Annex to Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954. 3. Member States may enter data for national use in accordance with national law. When entering and storing such data, Member States shall respect the requirements set out in the second paragraph of Article 4 of Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954.

Article 8 Phasing out of existing residence cards 1. Residence cards of family members of Union citizens who are not nationals of a Member State, which do not meet the requirements of Article 7 shall cease to be valid at their expiry or by 3 August 2026, whichever is earlier. 2. By way of derogation from paragraph 1, residence cards of family members of Union citizens who are not nationals of a Member State, which do not meet the minimum security standards set out in part 2 of ICAO document 9303 or which do not include a functional MRZ compliant with part 3 of ICAO document 9303, shall cease to be valid at their expiry or by 3 August 2023, whichever is earlier.

CHAPTER V

COMMON PROVISIONS

Article 9 Contact point 1. Each Member State shall designate at least one central authority as a contact point for the implementation of this Regulation. Where a Member State has designated more than one central authority, it shall designate which of those authorities will be the contact point for the implementation of this Regulation. It shall communicate the name of that authority to the Commission and the other Member States. If a Member State changes its designated authority, it shall inform the Commission and the other Member States accordingly. 2. Member States shall ensure that the contact points are aware of relevant information and assistance services at Union level included in the Single Digital Gateway set out in Regulation (EU) 2018/1724 of the European Parliament and of the Council (14) and that they are able to cooperate with such services.

Article 10 Collection of biometric identifiers 1. The biometric identifiers shall be collected solely by qualified and duly authorised staff designated by the authorities responsible for issuing identity cards or residence cards, for the purpose of being integrated into the highly secure storage medium provided for in Article 3(5) for identity cards and in Article 7(1) for residence cards. By way of derogation from the first sentence, fingerprints shall be collected solely by qualified and duly authorised staff of such authorities, except in the case of applications submitted to the diplomatic and consular authorities of the Member State. With a view to ensuring the consistency of biometric identifiers with the identity of the applicant, the applicant shall appear in person at least once during the issuance process for each application. 2. Member States shall ensure that appropriate and effective procedures for the collection of biometric identifiers are in place and that those procedures comply with the rights and principles set out in the Charter, the Convention for the Protection of Human Rights and Fundamental Freedoms and the United Nations Convention on the Rights of the Child. Where difficulties are encountered in the collection of biometric identifiers, Member States shall ensure that appropriate procedures are in place to respect the dignity of the person concerned. 3. Other than where required for the purpose of processing in accordance with Union and national law, biometric identifiers stored for the purpose of personalisation of identity cards or residence documents shall be kept in a highly secure manner and only until the date of collection of the document and, in any case, no longer than 90 days from the date of issue. After this period, these biometric identifiers shall be immediately erased or destroyed.

Article 11 Protection of personal data and liability 1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure the security, integrity, authenticity and confidentiality of the data collected and stored for the purpose of this Regulation. 2. For the purpose of this Regulation, the authorities responsible for issuing identity cards and residence documents shall be considered as the controller referred to in Article 4(7) of Regulation (EU) 2016/679 and shall have responsibility for the processing of personal data. 3. Member States shall ensure that supervisory authorities can fully exercise their tasks as referred to in Regulation (EU) 2016/679, including access to all personal data and all necessary information as well as access to any premises or data processing equipment of the competent authorities. 4. Cooperation with external service providers shall not exclude any liability on the part of a Member State which may arise under Union or national law in respect of breaches of obligations with regard to personal data. 5. Information in machine-readable form shall only be included in an identity card or residence document in accordance with this Regulation and the national law of the issuing Member State. 6. Biometric data stored in the storage medium of identity cards and residence documents shall only be used in accordance with Union and national law, by the duly authorised staff of competent national authorities and Union agencies, for the purpose of verifying: (a) the authenticity of the identity card or residence document; (b) the identity of the holder by means of directly available comparable features where the identity card or residence document is required to be produced by law. 7. Member States shall maintain, and communicate annually to the Commission, a list of the competent authorities with access to the biometric data stored on the storage medium referred to in Article 3(5) of this Regulation. The Commission shall publish online a compilation of such national lists.

Article 12 Monitoring By 2 August 2020, the Commission shall establish a detailed programme for monitoring the outputs, results and impact of this Regulation, including its impact on fundamental rights. The monitoring programme shall set out the means by which and the intervals at which the data and other necessary evidence are to be collected. It shall specify the action to be taken by the Commission and by Member States in collecting and analysing the data and other evidence. Member States shall provide the Commission with the data and other evidence necessary for such monitoring.

Article 13 Reporting and Evaluation 1. Two years, and 11 years, respectively, after the date of application of this Regulation, the Commission shall report to the European Parliament, to the Council and to the European Economic and Social Committee on its implementation, in particular on the protection of fundamental rights and personal data. 2. Six years after the date of application of this Regulation, and every subsequent six years, the Commission shall carry out an evaluation of this Regulation and present a report on the main findings to the European Parliament, to the Council and to the European Economic and Social Committee. The report shall in particular focus on: (a) the impact of this Regulation on fundamental rights; (b) the mobility of Union citizens; (c) the effectiveness of biometric verification in ensuring the security of travel documents; (d) a possible use of residence cards as travel documents; (e) a possible further visual harmonisation of identity cards; (f) the necessity of introducing common security features of identification documents used on a provisional basis in view of their better recognition. 3. Member States and relevant Union agencies shall provide the Commission with the information necessary for the preparation of these reports.

Article 14 Additional technical specifications 1. In order to ensure, where appropriate, that identity cards and residence documents referred to in points (a) and (c) of Article 2 comply with future minimum security standards, the Commission shall establish, by means of implementing acts, additional technical specifications, relating to the following: (a) additional security features and requirements, including enhanced anti-forgery, counterfeiting and falsification standards; (b) technical specifications for the storage medium of the biometric features referred to in Article 3(5) and their security, including prevention of unauthorised access and facilitation of validation; (c) requirements for quality and common technical standards for the facial image and the fingerprints. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 15(2). 2. In accordance with the procedure referred to in Article 15(2), it may be decided that the specifications referred to in this Article are to be secret and are not to be published. In such a case, they shall be made available only to the bodies designated by the Member States as responsible for printing and to persons duly authorised by a Member State or by the Commission. 3. Each Member State shall designate one body having responsibility for printing identity cards, and one body having responsibility for printing residence cards of family members of Union citizens, and shall communicate the names of such bodies to the Commission and to the other Member States. Member States shall be entitled to change such designated bodies and shall inform the Commission and the other Member States accordingly. Member States may also decide to designate a single body having responsibility for printing both identity cards and residence cards of family members of Union citizens and shall communicate the name of this body to the Commission and to the other Member States. Two or more Member States may also decide to designate a single body for those purposes and shall inform the Commission and the other Member States accordingly.

Article 15 Committee procedure 1. The Commission shall be assisted by the Committee established by Article 6 of Regulation (EC) No 1683/95. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee does not deliver an opinion, the Commission shall not adopt the draft implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

Article 16 Entry into force This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 2 August 2021.

This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, 20 June 2019. For the European Parliament The President A. TAJANI For the Council The President G. CIAMBA

(1) OJ C 367, 10.10.2018, p. 78.

(2) Position of the European Parliament of 4 April 2019 (not yet published in the Official Journal) and decision of the Council of 6 June 2019.

(3) Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77).

(4) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).

(5) Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals (OJ L 157, 15.6.2002, p. 1).

(6) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

(7) Council Regulation (EC) No 1683/95 of 29 May 1995 laying down a uniform format for visas (OJ L 164, 14.7.1995, p. 1).

(8) Regulation (EU) 2017/1954 of the European Parliament and of the Council of 25 October 2017 amending Council Regulation (EC) No 1030/2002 laying down a uniform format for residence permits for third-country nationals (OJ L 286, 1.11.2017, p. 9).

(9) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(10) OJ L 123, 12.5.2016, p. 1.

(11) OJ C 338, 21.9.2018, p. 22.

(12) Not yet published.

(13) Commission Implementing Decision C(2018) 7767 of 30 November 2018 laying down the technical specifications for the uniform format for residence permits for third country nationals and repealing Decision C(2002) 3069.

(14) Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, p. 1).