Rights of individuals in the National Visa Information System
The National Visa Information System (NVIS) is an automated information system for the retention and processing of data from visa applications, including decisions on them, received by the Consular offices of the Bulgarian missions abroad, and for issuing visas at the Bulgarian border checkpoints. NVIS provides retention and processing of data, containing in applications for issuing Bulgarian identity documents, received by the Consular offices of Bulgarian missions abroad, as well as data for other Consular offices.
Data processing in the National Visa Information System of the Republic of Bulgaria and EU VIS (after Bulgaria`s accession to the Schengen area) is carried out in accordance with the Law for Protection of Personal Data, the regulations for its implementation and Regulation № 767 from 2008 of the European Parliament and the Council on the VIS and the exchange of data between Member States on short-stay visas.
Data subjects exercise their rights pursuant to Article 38 of Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation).
Controller of the system is the Ministry of Foreign Affairs – National Visa Center to the Directorate „Consular Relations”.
Biometric data (photographs and fingerprints) of visa applicants, and information on issued, declined, canceled, revoked or extended visas is kept in the system. NVIS data is kept for five years.
The Commission for Personal Data Protection monitors the lawfulness of: the processing of personal data in National Visa Information System of the Republic of Bulgaria and EU VIS, the protection of rights of individuals when processing their personal data and accessing these data, according to the terms and conditions, determined by the Law for Protection of Personal Data. To perform its monitoring functions, the CPDP carries out checks on the activities, undertaken by the designated authorities in relation to access to NVIS and EU VIS. It includes lists and profiles of duly authorized officials, the management and the measures for access, the responsibility for the lawful data processing and retention under Art. 41, paragraph 5 of Regulation № 767 of 2008 of the European Parliament and the Council.
Right of access
The right of access is the possibility for anyone who so requests to have knowledge of the information relating to him stored in a data file as referred to in national law. This is a fundamental principle of data protection which enables data subjects to exercise control over personal data kept by third parties. This right is expressly provided for in Article 38 of Regulation (EO) 767/2008.
The right of access is exercised in accordance with the law of the Member State where the request is submitted. The procedures differ from one country to another, as well as the rules for communicating data to the applicant. When a Member State receives a request for access to an alert not issued by itself, that State must give the issuing country the opportunity to state its position as to the possibility of disclosing the data to the applicant. The information shall not be communicated to the data subject if this is indispensable for the performance of the legal task connected to the alert, or in order to protect the rights and freedoms of other people.
Access to data recorded in the VIS may be granted only by a Member State. Each Member State records any requests for such access.
Right to correction and deletion of data
Any person may request that data relating to him which are inaccurate be corrected and that data recorded unlawfully be deleted. The correction and deletion shall be carried out without delay by the Member State responsible, in accordance with its laws, regulations and procedures.
If the request is made to a Member State other than the Member State responsible, the authorities of the Member State with which the request was lodged will contact the authorities of the Member State responsible within a period of 14 days. The Member State responsible will check the accuracy of the data and the lawfulness of their processing in the VIS within a period of one month. If it emerges that data recorded in the VIS are inaccurate or have been recorded unlawfully, the Member State responsible will correct or delete the data. The Member State responsible will confirm in writing to the person concerned without delay that it has taken action to correct or delete data relating to him.
If the Member State responsible does not agree that data recorded in the VIS are inaccurate or have been recorded unlawfully, it will explain in writing to the person concerned without delay why it is not prepared to correct or delete data relating to him.
The Member State responsible will also provide the person concerned with information explaining the steps which he can take if he does not accept the explanation provided.
Remedies: the right to complain to the data protection authority or to initiate a judicial proceeding
Article 40 of Regulation (EC) No 767/2008 provides that ‘in each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to or the right of correction or deletion of data relating to him, provided for in Article 38(1) and (2)’.
It furthermore states that the assistance of the National Supervisory Authorities referred to in Article 39(2) of the Regulation shall remain available throughout the proceedings.