The Schengen Information System (SIS) and the Visa Information System (VIS) are systems of the European Union that serve the cooperation of member states, and the personal data of citizens/data subjects are processed within them based on the provisions of the relevant Regulations. The data entered in the mentioned systems are available to each member state’s competent data controllers / law enforcement bodies.
An alert entered in SIS by one country becomes available in real time in all other countries that use SIS, so that competent authorities across the EU can find the alert.
Technically, SIS consists of the following components:
- a central system
- national SIS systems in all the countries using SIS
- a network between the systems
Each country that uses SIS is responsible for setting up, operating and maintaining its national system and structures. The European Commission is responsible for general supervision, evaluating the system, and adopting implementing and delegated acts on how the SIS and SIRENE work. More information about the SIS could be find at:
What is Schengen Information System (SIS II)?
The Schengen Information System (SIS II) is a large-scale information system that facilitates cooperation between national border control, customs and police authorities in the Schengen Area. The SIS II is in operation in 29 countries (25 EU MS + 4 Associated Countries).
25 EU: Austria; Belgium; Bulgaria; Croatia; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Italy; Latvia; Lithuania; Luxembourg; Malta; the Netherlands; Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden.
Associated Countries connected to SIS II are: Iceland; Liechtenstein; Norway and Switzerland.
The SIS II enables the competent authorities of the Schengen States to enter and consult alerts about persons and for objects. The reasons for issuing an alert include to refuse entry to a person who does not have the right to enter or stay in the Schengen territory, to find and detain a person for whom a European Arrest Warrant has been issued, to find a missing person, or to find stolen or lost property, such as a car or a passport.
An SIS II alert contains information about a particular person or object and clear instructions on what to do when the person or object has been found.
You can find a visual representation of how the SIS II works and how the new Regulations would change the framework in this European Commission factsheet.
Data subject rights
Guide for exercising the right of access provides you with detailed information on your rights under the SIS II legal framework. The Guide also lists all the competent authorities in the Member States and contains two model letters, one for the right of access and one for the right of correction or deletion.
Citizens/data subjects can exercise the rights guaranteed by Articles 15, 16, and 17 of the General Data Protection Regulation pursuant to the provisions of Art. 53 of the Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks and Art. 67 of the Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, and send a request to obtain information on whether their personal data is processed in the SIS and to correct or delete it.
The request is submitted to the authority in the Republic of Croatia that is responsible for processing personal data in the SIS, which is the Ministry of Interior.
Ministarstvo unutarnjih poslova RH
Ulica grada Vukovara 33, 10000 Zagreb
Forms are available on the links:
More information is available on link: https://mup.gov.hr/personal-data-protection/124
If the Agency receives a request for exercising some of the previously mentioned rights, in the given response it will instruct the party to contact the competent data controller. If the party is not satisfied with the response received from the data controller, it has the right to lodge a complaint with the Agency, and the Agency will carry out proceedings within its jurisdiction and issue a legal decision on the matter.
Regulation on Schengen Information System (SIS) is available on link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R1861
How is the SIS II organized?
The Schengen Information System (SIS II) is a system that serves for the exchange of information between competent law enforcement authorities, border police, customs and authorities that issue visas in member states, and it refers to persons and things. Each member state can enter in the system a warning that refers to a person and thing related to a committed criminal offense, missing person, or stolen thing (for ex. vehicle). Warnings may also contain an instruction to carry out a discreet check of persons and things. The warning in SIS II remains active as long as there is a need for it, that is, until the member state that entered it deletes it, while other member states do not have the authority to delete said warnings. The personal data entered in the SIS II are to the extent that they were available to the creator of the alert. A member state can enter a warning in the SIS II for a person who is not a citizen of one of the member states and deny him or her the possibility of entering the Schengen area in connection with the decision of a court or other law enforcement body. Information on the ban on a person’s entry into the Schengen area is available through the SIS and to the data controller responsible for issuing visas.
The SIS II consists of a central system (“Central SIS II”), a national system (the “N.SIS II”) in each Member State and a communication infrastructure that links the central system to the different national systems.
The responsibilities for the operation and management of SIS II are divided between the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) and the Member States. While eu-LISA is responsible for the operational management of the Central SIS II and the communication infrastructure, Member States are responsible for their national systems. Moreover, each Member State has to designate a national authority, which is responsible for the smooth operation and security of its national system and has to ensure the access of the competent authorities to SIS II.
The designated national authorities in the various Member States can be found here.
How does it work?
The competent authorities of the Member States enter, update or delete data in the SIS II via their national systems. Before a competent authority issues an alert, it has to determine whether the case is relevant enough to warrant its entry. The competent authorities are also responsible for ensuring that the data is accurate, up-to-date and lawfully entered into SIS II. When the alert is issued in the SIS II, only the relevant Member State is authorized to modify, correct, update or delete the data.
Alerts in the SIS II should not be kept longer than the time required to fulfil the purposes for which they were issued. For instance, after a missing person is found the relevant alert is deleted from the SIS II.
However, alerts are also automatically erased from the SIS II. As a general principle, alerts on persons are automatically erased after a period of three years, while alerts on objects are erased after a period of five to ten years.
Who has access to SIS II data?
The SIS II is accessible to authorized users within the competent authorities of Member States, such as national border control, police, customs, judicial, visa, vehicle registration authorities and some European agencies, including Europol. These authorities may only access the SIS II data which they need for the specific performance of their tasks. A list of the competent national authorities, which have access to the SIS II is published annually in the Official Journal of the European Union.
How is the protection of personal data ensured?
The national Supervisory Authorities oversee the application of the data protection rules in their respective countries, while the European Data Protection Supervisor (EDPS) monitors the application of the data protection rules for the Central SIS II managed by eu-LISA. Both levels cooperate to ensure a coordinated supervision.
When data of a person are stored in the SIS II, this person has the right to request access to these data and make sure that they are accurate and lawfully entered. If this is not the case, the individual has the right to request this data be corrected or deleted.
About the SIS II SCG
The Schengen Information System II Supervision Coordination Group (“SIS II SCG”) is a body set up by the SIS II Regulation and the SIS II Decision (both referred to as “the SIS II legal framework”) to ensure a coordinated supervision in the area of personal data protection of the SIS II large-scale information system. The SIS II SCG consists of representatives of the National Supervisory Authorities of the Member States responsible for data protection and the European Data Protection Supervisor.
The SIS II SCG replaced the Schengen Joint Supervisory Authority (JSA) after the second-generation SIS (the “SIS II”), entered into force on 9 April 2013 – playing a similar role.
Visa Information System (VIS)
The visa information system is a system that serves to exchange information about visas between member states of the European Union. It contains personal data collected in the process of issuing visas, including biometric data such as fingerprints and a photo of the person. The purpose of the system is also the prevention of fraudulent activities related to visas with the availability of all relevant information related to persons and identification documents contained in the processing systems of other law enforcement bodies.
Data subject rights
Citizens/data subjects based on Article 38 of Regulation (EC) no. 767/2008 OF THE EUROPEAN PARLIAMENT AND COUNCIL of July 9, 2008 on the Visa information system (VIS) and the exchange of data between member states on short-term visas (the VIS Regulation), have the possibility to exercise the rights guaranteed by Articles 15, 16, and 17 of the General Data Protection Regulation and send a request to obtain information about personal data processed in the VIS and to correct or delete them. The request is submitted to the authority in the Republic of Croatia that is responsible for processing personal data in the VIS, which is the Ministry of Foreign and European Affairs.
Ministarstvo vanjskih i europskih poslova
Trg N.Š. Zrinskog 7-8, 10000 Zagreb
Forms to exercise your rights can be found on the website of the Ministry of Foreign and European Affairs
More information is available on link: https://mvep.gov.hr/services-for-citizens/22850
Regulation on Visa Information System (VIS) is available on link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008R0767
Asylum applicants and migrants apprehended at the external border have a duty to give their fingerprints. When their fingerprints are taken, persons have the right to understand who is processing their personal data and why. They have the right to know what data are stored and for how long. They should know how to access it, correct and erase their data, in case of mistakes and whom to contact for these purposes.