(SUMMARY)
Any individual is guaranteed the right of access to his/her own data, the right to rectification of inaccurate data and the right to erasure of unlawfully stored data in the Schengen Information System (hereinafter ‘SIS’).
The Schengen Information System (SIS)
The SIS is a large-scale IT system, set up as a compensatory measure for the abolition of internal border checks, and intends to ensure a high level of security within the area of freedom, security and justice of the European Union, including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States. The SIS is already implemented in all EU Member States, with the exception of Cyprus, and in four Associated States: Iceland, Liechtenstein, Norway and Switzerland.
The SIS is an information system that allows national law enforcement, judicial and administrative authorities to perform their legal tasks by sharing relevant data. With regard to the European agencies, they have read-only access; i.e. the possibility to search and consult the SIS but not to update or delete the data or the alerts. EUROPOL has access to all categories of alerts stored in SIS, while EUROJUST has access to specific alerts in the field of police and judicial cooperation, and the European Border and Coast Guard (EBCG) has limited access to the SIS for certain teams and for specific purposes.
Legal basis
In 2018, the SIS legal framework went through a significant revision primarily to enlarge its purposes, to add certain categories of alerts, and to expand the authorities with granted access to SIS data. The new legal framework was adopted on 28 November 2018 and published on 7 December 2018.
The currently applicable SIS framework consists of the following regulations, covering three areas of competence:
- Regulation (EU) 2018/1860 (“SIS Regulation on the use of SIS for the return of illegally staying third-country nationals”);
- Regulation (EU) 2018/1861 (“SIS Regulation in the field of border checks”);
- Regulation (EU) 2018/1862 (“SIS Regulation in the field of police and judicial cooperation”), as amended by Regulation (EU) 2022/1190.
Categories of information processed
The SIS contains two broad categories of information: alerts on persons and alerts on objects. With regard to alerts on persons, SIS covers third country nationals subject to refusal of entry or stay in the Schengen area or subject to return procedures; persons wanted for arrest for surrender or extradition purposes (in the case of associated countries); missing persons (including vulnerable persons who need to be prevented from travelling, e.g., children at high risk of parental abduction, children at risk of becoming victims of trafficking in human beings, and children at risk of being recruited as foreign terrorist fighters), persons sought to assist with a criminal judicial procedure; persons subject to discreet, inquiry or specific checks;
unknown wanted persons who are connected to a crime (e.g. persons whose fingerprints are found on a weapon used in a crime); information on third country nationals in the interest of the Union (“information alerts”).
With regard to the alerts on objects, SIS stores data on objects sought for the purpose of seizure or use as evidence in criminal proceedings, or subject to discreet or specific checks. Such objects include vehicles; boats; firearms; identity documents – stolen, misappropriated, lost or invalidated; banknotes; credit cards; blank documents, and objects of high value (e.g., items of information technology, which can be identified and searched with a unique identification number).
Categories of personal data processed
When the alert concerns a person (with the exception of unknown wanted person), the information must always include: the surname, date of birth, the reason for the alert, the gender, a reference to the decision giving rise to the alert, the basis for the decision for refusal of entry and stay (when applicable), the action to be taken, last date of the period for voluntary departure if applicable, whether return is accompanied by an entry ban. If available, the alert may also contain information such as: any specific, objective, physical characteristics not subject to change; the place of birth; photographs; fingerprints; nationality(ies); whether the person concerned is armed, violent or has escaped; the authority issuing the alert; links to other alerts issued in SIS in accordance with Article 48 of Regulation (EU) 2018/1861 or Article 63 of Regulation (EU) 2018/1862.
When the alert concerns unknown wanted persons, only dactyloscopic data may be processed, either complete or incomplete sets of fingerprints or palm prints, which due to their unique character and the reference points contained therein should enable accurate and conclusive comparisons on a person’s identity.
Rights recognised to individuals whose data is processed in the SIS
Data subjects shall be able to exercise the rights in relation to their personal data processed in the SIS, as laid down in Articles 15, 16 and 17 of Regulation (EU) 2016/679 (GDPR) and in Articles 14 and 16 (1) and (2) of the Directive (EU) 2016/680 (LED), and in accordance with the SIS Regulations. In addition, data subjects are entitled to seek remedies to enforce such rights.
The data subjects have the following rights:
- right of access to data relating to them processed in the SIS;
- right to rectification of inaccurate data;
- right to erasure when data have been unlawfully stored;
- right to bring an action before the courts or competent supervisory authorities to access, rectify, erase, obtain information or obtain compensation in connection to an alert concerning them.
Anyone exercising any of these rights can apply to the competent authorities in a Schengen State of his or her choice. This option is possible because all national databases (N.SIS) are identical to the central system database (CS.SIS). Consequently, these rights can be exercised in any Schengen country regardless of the State that issued the alert. However, the Member State receiving the request from the data subject has to consult previously the Member State issuing the alert before providing any information to the data subject about the data processed in the SIS.
Regardless of specific national procedures to handle the application for access, rectification or erasure of data processed in the SIS, the reply to the data subject is due within a strict common deadline. The data subject shall be informed as soon as possible, and, in any event, within one month of receipt of the request, about the follow-up given to the exercise of the right. This period may be extended by two further months where necessary and in such case, the data subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.
Right of access
The right of access is the possibility for anyone who so requests to have knowledge of whether or not information relating to him or her are processed by a public or private organisation, and to receive information on these data. This is a fundamental right, enshrined in Article 8 (2) of the EU Charter of Fundamental Rights, and its exercise is instrumental to put into effect other data protection rights and to protect in general the freedoms and rights of individuals. The right of access in what concerns the data processed in the SIS is provided for in Article 53 (1) of Regulation (EU) 2018/1861 and in Article 67(1) of Regulation (EU) 2018/1862, which refer to the right of access laid down in Article 15 of the GDPR and Article 14 of the LED.
This means that data subjects have the right to obtain confirmation as to whether or not personal data concerning them are being processed in the SIS and, where that is the case, access to the personal data and the following information:
- The purpose of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom the personal data have been disclosed, in particular in third countries or international organisations;
- The envisaged period for which the personal data will be stored;
- The existence of the right to request rectification of inaccurate data or erasure of unlawfully stored data;
- The right to lodge a complaint
- Communication of the source of the information when data is collected from a third party.
The right of access is exercised in accordance with the law of the Member State where the request is submitted, and there could be restrictions to access the data, i.e. a decision not to provide information, wholly or in part, to the data subject. This is possible to the extent that such limitation constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned, in order to:
- avoid obstructing official or legal inquiries, investigations or procedures;
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security; or
- protect the rights and freedoms of others.
In that case, the applicant will be informed in writing, without undue delay, of any refusal or restriction, unless the provision of such justification undermines one of the above-mentioned objectives. The authority receiving the request for access will inform the applicant that he or she can lodge a complaint with the data protection authority or seek judicial remedy. If there is a complete or partial refusal of access, data subjects can exercise their rights vis-à-vis the SIS through the national data protection supervisory authority.
Rights to rectification and erasure of data
Besides the right of access, there is also the right to obtain the rectification of personal data factually inaccurate or incomplete or the right to ask for erasure of personal data unlawfully stored (Article 53(1) of Regulation (EU) 2018/1861 and Article 67(1) of Regulation (EU) 2018/1862). Under the Schengen legal framework, only the Member State responsible for issuing an alert in the SIS may alter or delete it.
If the request is submitted in a Member State that did not issue the alert, the competent authorities of the Members States concerned cooperate to handle the case, by exchanging information and making the necessary verifications. The applicant should provide the grounds for the request to rectify or erase the data and gather any relevant information supporting it.
Remedies: the right to complain to the data protection authority or to initiate a judicial proceeding
Articles 54 of Regulation (EU) 2018/1861 and 68 of Regulation (EU) 2018/1862 presents the remedies accessible to individuals when their request has not been satisfied. Any person may bring an action before the courts or the authority competent under the law of any Member State to access, rectify, erase, obtain information or to obtain compensation in connection with an alert relating to him or her. In case they have to deal with a complaint with a cross-border element, supervisory authorities should cooperate with each other to guarantee the rights of the data subjects.
Contact details of the body to which requests for access should be addressed
Ministry of Interior of the Republic of Bulgaria
SIRENE Bureau at the Ministry of Interior
(International Operational Cooperation Directorate)
Address: 1146 Knyaginya Maria Luiza Blvd,
Sofia 1233,
Bulgaria
Tel.: +359 2 9825 000
Fax: +359 2 9153 525
Email: priemna@mvr.bg
Web site: https://www.mvr.bg/