Schengen Information System (SIS)| AEPD

Last updated:

What is the Schengen Information System (SIS II)?

The Schengen Information System (SIS II) is a large-scale information system that facilitates cooperation between national border control, customs and police authorities in the Schengen Area. The SIS II is in operation in 30 European countries, namely 26 EU Member States (only Ireland and Cyprus are not yet connected to SIS) as well as in Iceland, Liechtenstein, Norway and Switzerland.

The SIS II enables the competent authorities of the Schengen States to enter and consult alerts about persons and for objects. The reasons for issuing an alert include to refuse entry to a person who does not have the right to enter or stay in the Schengen territory, to find and detain a person for whom a European Arrest Warrant has been issued, to find a missing person, or to find stolen or lost property, such as a car or a passport.

 An SIS II alert contains information about a particular person or object and clear instructions on what to do when the person or object has been found.

 You can find a visual representation of how the SIS II works and how the new Regulations would change the framework in this European Commission factsheet.

About the SIS II SCG

The Schengen Information System II Supervision Coordination Group (“SIS II SCG”) is a body set up by the SIS II Regulation and the SIS II Decision (both referred to as “the SIS II legal framework”) to ensure a coordinated supervision in the area of personal data protection of the SIS II large-scale information system. The SIS II SCG consists of representatives of the National Supervisory Authorities of the Member States responsible for data protection and the European Data Protection Supervisor.

The SIS II SCG replaced the Schengen Joint Supervisory Authority (JSA) after the second-generation SIS (the “SIS II”), entered into force on 9 April 2013 – playing a similar role. In the Archive section you can find the webpage of the JSA.

The SIS II framework is also going to evolve following the approval of the new regulatory framework adopted in 2016 and constituted by Regulations 1860/2016, 1861/2016 and 1982/2016

Your rights

The SIS II Regulation provides persons with a right of access and a right to correction of inaccurate data and deletion of unlawfully stored data.

If you want to know which personal data are processed in the SIS II or if you want to correct or delete your data, because they were wrongfully entered in the SIS II, you can make a relevant request in any Schengen country, by contacting the competent authority. If you are currently outside the Schengen Area you can also contact the consulate of a Schengen country in the country in which you currently live. You will be informed about the follow-up of your request within three months at the latest.

The Group has adopted a Guide for exercising the right of access which provides you with detailed information on your rights under the SIS II legal framework. The Guide also lists all the competent authorities in the Member States and contains two model letters, one for the right of access and one for the right of correction or deletion.

Legislation

How is the SIS II organized?

The SIS II consists of a central system (“Central SIS II”), a national system (the "N.SIS II") in each Member State and a communication infrastructure that links the central system to the different national systems.

The responsibilities for the operation and management of SIS II are divided between the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) and the Member States. While eu-LISA is responsible for the operational management of the Central SIS II and the communication infrastructure, Member States are responsible for their national systems. Moreover, each Member State has to designate a national authority, which is responsible for the smooth operation and security of its national system and has to ensure the access of the competent authorities to SIS II.

The designated national authorities in the various Member States can be found here.

How does it work?

The competent authorities of the Member States enter, update or delete data in the SIS II via their national systems. Before a competent authority issues an alert, it has to determine whether the case is relevant enough to warrant its entry. The competent authorities are also responsible for ensuring that the data is accurate, up-to-date and lawfully entered into SIS II. When the alert is issued in the SIS II, only the relevant Member State is authorized to modify, correct, update or delete the data.

Alerts in the SIS II should not be kept longer than the time required to fulfil the purposes for which they were issued. For instance, after a missing person is found the relevant alert is deleted from the SIS II.

However, alerts are also automatically erased from the SIS II. As a general principle, alerts on persons are automatically erased after a period of three years, while alerts on objects are erased after a period of five to ten years.

Who has access to SIS II data?

The SIS II is accessible to authorized users within the competent authorities of Member States, such as national border control, police, customs, judicial, visa, vehicle registration authorities and some European agencies, including Europol. These authorities may only access the SIS II data which they need for the specific performance of their tasks. A list of the competent national authorities, which have access to the SIS II is published annually in the Official Journal of the European Union.

How is the protection of personal data ensured?

The national Supervisory Authorities oversee the application of the data protection rules in their respective countries, while the European Data Protection Supervisor (EDPS) monitors the application of the data protection rules for the Central SIS II managed by eu-LISA. Both levels cooperate to ensure a coordinated supervision.

When data of a person are stored in the SIS II, this person has the right to request access to these data and make sure that they are accurate and lawfully entered. If this is not the case, the individual has the right to request this data be corrected or deleted. 

Rights granted to individuals whose data are protected in the SIS II

In accordance with data protection principles, all individuals whose data are processed in the SIS II are granted specific rights by the SIS II Regulation and the SIS II Decision4, which will be analyzed below. Anyone exercising any of these rights can apply to the competent authorities in the State of his choice where SIS II is operated. This option is possible because all national databases (N.SIS II) are identical to the central system database. Therefore, these rights can be exercised in any country that operates SIS II, regardless of the Member State that issued the alert.

When an individual exercises his/her right of access, correction of inaccurate data and deletion of unlawfully stored data, replies by competent authorities are due within a strict deadline. Thus, the individual shall be informed as soon as possible and, in any event, not later than 60 days from the date on which he applies for access, or sooner if national law so provides6. Also, the individual shall be informed about the follow-up given to the exercise of his rights of correction and deletion as soon as possible and in any event not later than three months from the date on which he applies for correction or deletion, or sooner if national law so provides.7.

Right of access

The right of access is the possibility for anyone who so requests to have knowledge of the information relating to him or her stored in a data file as referred to in national law. This is a fundamental principle of data protection which enables data subjects to exercise control over personal data kept by third parties. This right is expressly provided for in Article 41 of SIS II Regulation and in Article 58 of SIS II Decision.

The right of access is exercised in accordance with the law of the Member State where the request is submitted. The procedures differ from one country to another, as well as the rules for communicating data to the applicant. When a Member State receives a request for access to an alert not issued by itself, that State must give the issuing country the opportunity to state its position as to the possibility of disclosing the data to the applicant8. The information shall not be communicated to the data subject if it is indispensable for the performance of the legal task connected to the alert, or in order to protect the rights and freedoms of other people.

There are currently two types of system governing the right of access to data processed by law enforcement authorities, and thus also applicable to SIS data. In some Member States the right of access is direct, in others it is indirect.

In the case of direct access, the person concerned applies directly to the authorities handling the data (police, gendarmerie, customs, etc.). If national law allows, the applicant may be sent the information relating to him.

In the case of indirect access, the person sends his or her request for access to the national data protection authority of the State to which the request is submitted. The data protection authority conducts the necessary verifications to handle the request and replies to the applicant.

Right to correction and deletion of data

The right of access is complemented by the right to obtain the correction of the personal data when they are factually inaccurate or incomplete, and the right to ask for their deletion when they have been unlawfully stored (Article 41(5) of SIS II Regulation and 58(5) of SIS II Decision).

Under the Schengen legal framework only the State which issues an alert in the SIS II may alter or delete it (See Article 34(2) of SIS II Regulation and 49(2) of SIS II Decision). If the request is submitted in a Member State that did not issue the alert, the competent authorities of the Members States concerned cooperate to handle the case, by exchanging information and making the necessary verifications. The applicant should provide the grounds for the request to correct or delete the data and gather any relevant information supporting it.

Remedies: the right to complain to the data protection authority or initiate a judicial proceeding

Articles 43 of SIS II Regulation and 59 of SIS II Decision provide for the remedies accessible to individuals when their request has not been satisfied. Any person may bring an action before the courts or the authority competent under the law of any Member State to access, correct, delete or obtain information or to obtain compensation in connection with an alert relating to him.

In case they have to deal with a complaint with a cross-border element, national data protection authorities should cooperate with each other to guarantee the rights of the data subjects.

Forms

These rights can be exercise before the Ministry of Interior, D.G. National Police, at the following address:

MINISTERIO DEL INTERIOR - DIRECCION GENERAL DE LA POLICIA. DIVISION DE COOPERACION INTERNACIONAL –OFICINA SIRENE

C/ Julián Gonzalez Segador s/n Código Postal 28043 Localidad MADRID

For exercising of these rights, the following forms can be used: