The second generation Schengen Information System (SIS II) is a highly secure and protected database that is exclusively accessible to the authorised users within competent authorities, such as national border control, police, customs, judicial, visa and vehicle registration authorities. These authorities may only access SIS II data that they need for the performance of their tasks. A list of competent national authorities having access to SIS is published annually in the Official Journal of the European Union.
The European Agencies EUROPOL and EUROJUST have limited access rights to carry out certain types of queries on specified alert categories.
How is the protection of personal rights ensured?
SIS II has strict requirements on data quality and data protection. The basic principle is that the state that entered the alert is responsible for its content. The national data protection authorities supervise the application of the data protection rules in the respective Member States, while the European Data Protection Supervisor (EDPS) monitors the application of the data protection rules for the central system managed by eu-LISA. Both levels cooperate to ensure coordinated end-to-end supervision.
If data about a person are stored, that person has the right to request access to those data and make sure that they are accurate and lawfully entered. If this is not the case, the person has the right to request correction or deletion.
All European institutions accessing SIS II should comply with the requirements of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions and bodies when they process personal data and develop new policies.
Regulation (EU) 2018/1861 and Regulation (EU) 2018/1862 were adopted in November 2018. These regulations entered into force on 28 December 2019 and will become fully applicable in December 2021. They will introduce changes concerning the right of access and consulting and deleting alerts.
