Home » Protectia_datelor_in_SIS_II
 Română | English | Francais

DATA PROTECTION IN SIS II

 

1.Data in the SIS II and retention periods

The Schengen Information System II (SIS II) is the database in Europe aiming at supporting police and judicial co-operation and managing external border control. Participating States` Authorities provide entries, called „alerts“, on wanted and missing persons, lost and stolen property and entry bans. Thus, SIS II contains information on wanted persons, missing persons, stolen objects and vehicles.

The SIS II can be consulted by police, border police, customs and partially by authorities responsible for issuing visas and residence permits. It enables its users to check persons and objects both at external borders and within the territory of the Schengen States. The Schengen States are therefore the owners of the data they introduce into the SIS II and bear responsibility for their accuracy.

SIS II contains the following categories of data:

  • alerts on third-countries` nationals, who have to be banned from entering the Schengen area;
  • alerts on persons, wanted for arrest or extradition;
  • alerts on missing persons;
  • alerts on missing persons who have to be placed under protection and/or whose whereabouts have to be established;
  • alerts on persons wanted for the purposes of penal proceedings;
  • alerts on persons and objects, that have to be put under a discreet surveillance;
  • alerts on objects, subject to confiscation or will be used as evidence in penal criminal proceedings.

Types of data entered in SIS  

The alerts on persons introduced in SIS II at most the following elements:

  • surname and name, name given at birth and previous name, any aliases which may be entered separately,
  • any specific, objective, physical characteristics not subject to change,
  • date and place of birth,
  • sex,
  • photographs,
  • fingerprints,
  • nationality(ies),
  • whether the person concerned is armed, violent or has escaped,
  • reason for the alert,
  • authority issuing the alert,
  • references to the decision or judgment giving rise to the alert,
  • actions to be taken,
  • link(s) to other alerts,
  • type of offence.

It is worth noticing that the alerts on persons cannot be entered without the date referring to (i) surname and name, name given at birth and previous name, any aliases which may be entered separately, (ii) sex, (iii) actions to be taken and, as the case may be, (iv) references to the decision or judgment giving rise to the alert.

The quality, accuracy and completeness of the data elements enabling identification are the key conditions for the functioning of SIS II. When available, photographs and fingerprints must be added to facilitate identification and avoid misidentification. The system also offers the possibility to add links between alerts (e.g. between an alert on a person and a vehicle).

 Since 2013, SIS II can store fingerprints which may be used to confirm the identity of a person (a one-to-one search). The introduction of an Automated Fingerprint Identification System (AFIS) since March 2018 also allows for the identification of persons on the basis of their fingerprints (a one-to-many search).

Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU was adopted in 2018. Regulation (EU) 2018/1862 entered into force on 28 December 2019 and has become fully applicable in December 2021. It introduced changes in the categories of data contained in SIS and their retention periods.

SIS II also contains data on objects which have been stolen or lost:

  • vehicles;
  • firearms;
  • aircraft;
  • boats;
  • industrial equipment;
  • identity documents;
  • credit cards;
  • banknotes.

With reference to the retention periods of alerts regarding persons, these are kept in the respective system only for the period necessary for achieving the purpose for which they were entered.

Thus, within 3 years after entering an alert on persons, it shall be assessed the necessity of maintaining the alert for the purpose it was entered. In case of alerts for performing discreet checks regarding persons, the deadline for carrying out this analysis is one year after entering the alert. The alerts for which there is no request for extending the validity period shall be deleted automatically.

All transactions performed on data are recorded in the system for monitoring the legality of the transaction on these data, for ensuring the proper functioning of the system, as well as the data security and integrity. The use of the recordings for other purposes is forbidden. These records shall include data within the alert, the history of the alert, data and time of transmission of data in relation to the respective alert, the data used for performing a search, comments regarding the data sent, the name of the authority and name of the person that performed transactions on the data.

The records are kept for at least one year but no longer than 3 years since creation. For the records that include the history of the alerts, the storing period starts when the alert is deleted.

2.Control upon data processing and functioning of N.SIS

Supervision at European level

Supervision of the central SIS II is exercised by the European Data Protection Supervisor (EDPS). Supervision of each national SIS II is entrusted to the data protection authorities in each country.

The SIS II Supervision Coordination Group was set up in 2013 to ensure a coordinated supervision between the EDPS and the national supervisory authorities. Further information about the Group can be found here.

Supervision at national level

The processing of data stored in SIS II must comply with the relevant data protection requirements. The competent authorities in each country using SIS II verify the information they enter in the system. The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) and the European Commission have both taken measures to ensure the physical protection of data in SIS II.

The SIS II Supervision Coordination Group, consisting of representatives of the EU Member States’ national supervisory authorities and the European Data Protection Supervisor (EDPS), ensures that the data contained in SIS II are processed in accordance with the data protection rules. The EDPS oversees personal data processing in the central system.

The legality of the personal data processing in the N.SIS on the territory of Romania and transmitting this data abroad, as well as subsequent exchanging and processing of supplementary information are subject to monitoring and control by Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal.

All data subjects have the right to be informed of the data on them that are stored in SIS II and to request correction of inaccuracies or deletion of unlawfully stored data.

3.Access to SIS II data

The second generation Schengen Information System (SIS II) is a highly secure and protected database that is exclusively accessible to the authorised users within competent authorities, such as national border control, police, customs, judicial, visa and vehicle registration authorities. These authorities may only access SIS II data that they need for the performance of their tasks. A list of competent national authorities having access to SIS is published annually in the Official Journal of the European Union.

The European Agencies EUROPOL and EUROJUST have limited access rights to carry out certain types of queries on specified alert categories.

How is the protection of personal rights ensured?

SIS II has strict requirements on data quality and data protection. The basic principle is that the state that entered the alert is responsible for its content. The national data protection authorities supervise the application of the data protection rules in the respective Member States, while the European Data Protection Supervisor (EDPS) monitors the application of the data protection rules for the central system managed by eu-LISA. Both levels cooperate to ensure coordinated end-to-end supervision.

If data about a person are stored, that person has the right to request access to those data and make sure that they are accurate and lawfully entered. If this is not the case, the person has the right to request correction or deletion.

All European institutions accessing SIS II should comply with the requirements of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions and bodies when they process personal data and develop new policies.

Regulation (EU) 2018/1861 and Regulation (EU) 2018/1862 were adopted in November 2018. These regulations entered into force on 28 December 2019 and became fully applicable in December 2021. These regulations introduced changes concerning the right of access and consulting and deleting alerts.

4.Guide for exercising the right of access to the SIS II

Persons whose personal data are collected, held or otherwise processed in SIS II are entitled to rights of access, correction of inaccurate data and deletion of unlawfully stored data. This Guide describes the modalities for exercising those rights.

Introduction to SIS II

The SIS II is a large-scale IT system, set up as a compensatory measure for the abolition of internal border checks, and intends to ensure a high level of security within the area of freedom, security and justice of the European Union, including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States. The SIS II is already implemented in all EU Member States, except for Cyprus, Croatia and Ireland, and in four Associated States: Iceland, Norway, Switzerland and Liechtenstein.

The SIS II is an information system that allows national law enforcement, judicial and administrative authorities (the competent authorities) to perform specific tasks by sharing relevant data. The European agencies EUROPOL and EUROJUST also have limited access privileges to this system.

SIS II enables border guards, as well as visa issuing and migration authorities, to enter and consult alerts on third-country nationals for the purpose of refusing their entry into or stay in the Schengen area.

SIS supports police and judicial cooperation by allowing competent authorities to create and consult alerts on missing persons and on persons or objects related to criminal offences.

Vehicle registration services may consult SIS in order to check the legal status of the vehicles presented to them for registration. They only have access to SIS alerts on vehicles, registration certificates and number plates.

A SIS alert does not only contain information about a particular person or object but also instructions for the authorities on what to do when the person or object has been found. The specialised national SIRENE Bureaus located in each Member State serve as single points of contact for the exchange of supplementary information and coordination of activities related to SIS alerts.

Categories of information processed

SIS II centralises two broad categories of information taking the form of alerts on, firstly, persons – who are either wanted for arrest, missing, sought to assist with a judicial procedure, for discreet or specific checks, or third country nationals subject to refusal of entry or stay in the Schengen area, and, secondly, objects – such as vehicles, travel documents, credit cards, for seizure or use as evidence in criminal proceedings, or for discreet or specific checks.

Legal basis

Depending on the type of alert, the SIS II is regulated by Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals, by Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006, respectively by Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU.

Categories of personal data processed

When the alert concerns a person, the information must always include the name, surname and any aliases, the sex, a reference to the decision giving rise to the alert and the action to be taken. If available, the alert may also contain information such as any specific, objective, physical characteristics not subject to change; the place and date of birth; photographs; fingerprints; nationality(ies); whether the person concerned is armed, violent or has escaped; reason for the alert; the authority issuing the alert; links to other alerts issued in SIS II in accordance with Article 48 of Regulation (EU)2018/1861 or Article 63 of Regulation (EU) 2018/1862.

Architecture of the system

The SIS II is composed of:

  • a central system („Central SIS II”);
  • national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS, including at least one national or shared backup N.SIS
  • a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS (‘the Communication Infrastructure’) that provides an encrypted virtual network dedicated to SIS data and the exchange of data between SIRENE Bureaux.

Schengen Information System

The Schengen Information System (SIS II) is a highly secure and protected database that is exclusively accessible to the authorised users within competent authorities, such as national border control, police, customs, judicial, visa and vehicle registration authorities. These authorities may only access SIS II data that they need for the performance of their tasks. A list of competent national authorities having access to SIS is published annually in the Official Journal of the European Union.

            The European Agencies EUROPOL and EUROJUST have limited access rights to carry out certain types of queries on specified alert categories.

            Data subjects’ rights are governed by legal acts of the European Union, which consist of Regulation (EU)2018/1861 and Regulation (EU) 2018/1862.

            Data subject is any natural person whose personal data are processed pursuant to Article 53 of Regulation (EU) 2018/1861 and Article 67 of Regulation (EU) 2018/1862. Each data subject has the right of access to information regarding personal data relating to him or her that are processed by the responsible institutions.