Informacijski pooblaščenec Republika Slovenija
   
dekorativna slika

Schengen information system

+ -

The Schengen Information System (and the Second Generation System – SIS II) is the cornerstone of Schengen cooperation and replaces abolished checks at common borders and facilitates the free movement of persons within the Schengen area. It is an information system that enables national law enforcement authorities, judicial authorities and administrative authorities to exchange and access to information on crossing external borders and visa policy. The system also includes data on the European Arrest Warrant, extradition, biometric data, data on search for terrorist activities.

SIS II currently includes 30 countries (all EU Member States, except for Ireland and Cyprus; plus Norway, Iceland, Switzerland and Liechtenstein).

More information on the Schengen Information System can be found on the website of the European Commission:

https://ec.europa.eu/home-affairs/policies/schengen-borders-and-visa_en .

  • Legal framework
  • What personal data are processed in the SIS II?
  • Who can use the data from the SIS II?
  • What is the SIRENE Bureau?
  • Who controls the processing of personal data in the SIS II?
  • What rights do I have regarding the processing of my personal data in the SIS II?

Schengen - Legal framework

On 14 June 1985 in Schengen Luxembourg, five Member States - Belgium, France, Germany, Luxembourg and the Netherlands - signed the Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (also known as the Schengen Agreement)  which aimed toward gradual abolition of checks at common borders and toward enhanced cooperation between police and custom authorities of Member States.

The Schengen Agreement was first introduced as a declaration of intent, defining the objectives that were determined by the signatory governments in order to establish the regime of free movement. Several years later, on 19 June 1990, the declaration of intent culminated with the creation of complementary regulations known as the Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders. This document included the establishment of an area of free movement of persons, capital, goods and services.

The articles of the Convention include a set of important principles, among which the following should be highlighted:

What personal data are processed in the SIS II?

The data stored in the SIS II are needed to identify a person (including photos and fingerprints) and contain all relevant information on the measure (including an instruction on the action to be taken when the person or object has been found). The SIS II contains certain specific categories of data entered only by the Member States. The entered data must be of sufficient importance for the entry into the SIS II and in accordance with the previously described purpose.

Data on persons are considered personal data and are carefully protected. The protection of personal data under the SIS II, in addition to the provisions of Council Decision 2007/533/JHA and Regulation (EC) No. 1987/2006 (and in part still the Schengen Convention), are regulated in particular by the Personal Data Protection Act of Slovenia and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Categories of alerts in the SIS II:

  • persons wanted for arrest for surrender or extradition purposes (Article 26 of Council Decision 2007/533/JHA),
  • third-country nationals of whom an alert has been issued for the purposes of refusing entry in the Schengen Area(Article 24 of Regulation (EC) No 1987/2006),
  • missing persons and persons who need to be placed under protection, especially minors (Article 32 of Council Decision 2007/533/JHA)
  • witnesses ,persons summoned to appear before the judicial authorities in connection with criminal proceedings, persons to be served with a criminal judgement or a summon to report in order to serve a penalty (Article 34 of Council Decision 2007/533/JHA) and
  • persons and objects for discreet or specific checks (Article 36 of Council Decision 2007/533/JHA).

For alerts on persons only the following information may be recorded:

  • surname(s) and forename(s),
  • birth name(s) and any previous names, nicknames or aliases,
  • any specific objective physical characteristics not subject to change,
  • place and date of birth
  • sex,
  • photographs,
  • fingerprints,
  • nationality(ies),
  • whether the person concerned is armed, violent or has escaped,
  • reason for the alert,
  • authority issuing the alert,
  • a reference to the decision giving rise to the alert (for example decision by the judicial court),
  • action to be taken,
  • type of criminal offence,
  • link(s) to other alerts issued in SIS II.

Other personal data, in particular data on racial background, political, religious and other beliefs, health status and sexual life, are not permitted to be recorded. 

In addition SIS II also contains data on:

  • vehicles, boats, aircrafts and containers for discreet or specific checks and
  • objects sought for the purposes of seizure or use as evidence in criminal proceedings.

Who can use the data from the SIS II?

Access to data included in SIS II is reserved exclusively to the following Member States authorities:

  • authorities responsible for border control and other police and customs checks carried out within the country,
  • authorities responsible for examining visa applications and issuing visas,
  • authorities responsible for issuing residence permits and for application of the provisions on aliens,
  • competent judicial bodies,
  • organizations competent for the registration of motor vehicles and issuing of registration plates.

These authorities have access only to those data in the SIS II they need to carry out their tasks. The data may only be used by authorized persons in accordance with the purposes defined in the Schengen law .

EUROPOL and EUROJUST have limited access to specific data that they require for the performance of their tasks.

List of competent authorities of Member States of the Schengen area is available here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2018:226:TOC 

What is the SIRENE Bureau?

The SIS II contains precisely defined categories of data that can be entered only by the Member States if the data are of sufficient importance for the entry into the SIS II and in accordance with the purpose. Therefore each Member State operating the SIS II must designate a central authority - SIRENE (Supplementary Information Request at the National Entries). Each Member State issues its alerts only via this authority. In Slovenia, this body is established within the Police.

SIRENE is on national level responsible for the uninterrupted operation of the SIS II and adopts required actions for ensuring the observance of the provisions of the Schengen legislation. SIRENE represents the foundation for international police cooperation in the Schengen area (systematic police cooperation based on the mutual exchange of data and alerts regarding persons and objects, ongoing and concurrently updated by requesting members according to the principle of mutual trust as if information was treated within the national legal scope).

More information on the functioning and competences of the national SIRENE Bureau: https://www.policija.si/eng/about-the-police/organization/general-police-directorate/criminal-police-directorate/sirene

Who controls the processing of personal data in the SIS II?

Under Article 60 of the Council Decision No 2007/533/JHA and Article 44 of the Regulation (EC) No 1987/2006 each contracting party ensures that an independent national supervisory authority shall monitor independently the lawfulness of the processing of SIS II personal data on their territory and its transmission from that territory, and the exchange and further processing of supplementary information. The Information Commissioner (Informacijski pooblaščenec) is the national supervisory authority in Slovenia.

The European Data Protection Supervisor (EDPS) is also responsible for the supervision of the processing of personal data under the SIS II.

EDPS is an independent supervisory authority for the protection of personal data and privacy and the promotion of good practices in the EU institutions. Its mission is to:

  • monitor the processing of personal data within the EU administration,
  • advise on all matters relating to the processing of personal information and privacy,
  • cooperate with related bodies in order to improve consistency in protecting personal information.

In the framework of supervision of the SIS II EDPS:

  • checks that the personal data processing activities of the Management Authority of the SIS II are carried out in accordance with the law that regulates the SIS II. EDPS applies the duties and powers accordingly as referred to in the Regulation (EU) No 2018/1725;
  • if the Member States are unable to reach an agreement on deleting or correcting inaccurate or unlawfully entered data within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor, who shall, jointly with the national supervisory authorities concerned, act as mediator;
  • ensures that an audit of the Management Authority’s of the SIS II personal data processing activities is carried out in accordance with international auditing standards at least every four years. A report of such audit has to be sent to the European Parliament, the Council, the Management Authority, the Commission and the National Supervisory Authorities. The Management Authority of the SIS II is allowed to make comments before the report is adopted.

In order to ensure a consistent level of protection of personal data in the SIS II, representatives of the national Data Protection Authorities and the EDPS regularly meet within the SIS II Supervisory Coordination Group.

What rights do I have regarding the processing of my personal data in the SIS II?

In accordance with the fundamental principles for the protection of personal data, both nationals of the Schengen Member States and nationals of other countries have the following rights:

  • the right of access to data relating to them stored in the SIS II,
  • the right to correct inaccurate personal data stored in the SIS II,
  • the right to delete the unlawfully stored personal data in the SIS II.

Each individual has the right to bring proceedings before the courts or other competent authorities in the territory of each Member State within the Schengen area in order to correct or delete inaccurate data or to obtain information or compensation in connection with an alert relating to them.

Guide for exercising the right of access (2015)

Request for Information on Data in the Schengen Information System in Slovenia

I. Right of access

Right of access is the possibility for anyone, who requests so, to consult the information relating to him stored in a data file as referred to in national law. This is a fundamental principle of data protection which enables data subjects to exercise control over their personal data.

Under Article 58 of Council Decision No 2007/533/JHA and Article 41 Regulation (EC) No 1987/2006 anyone has the right to have access to data entered in the SIS II which relate to him.

Anyone exercising his right of access and to consult data in the SIS II that relate to him, may apply to the competent authorities in any of the Schengen Member State, since all national SIS II databases contain identical data because of the technical support function. The right of access therefore pertains to data regardless of the state to which the request is addressed. However, the right of access is exercised in accordance with the law of the Member State addressed, thus the rules of procedure differ slightly from one country to another.

When a country in which a right of access is exercised, receives a request for access to an alert which it did not issue itself, that country must give the issuing country the opportunity to state its position as to the possibility of disclosing the data to the applicant. Likewise shall the national data protection supervisory authority while examining data subject’s application work in close cooperation with data protection supervisory authorityof the country that issued an alert.

However, the right of access may be refused if it is indispensable for the performance of an alert and in any event during the period of validity of an alert for the purpose of discreet surveillance and where national law allows for the right of information to be restricted, in particular in order to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.

The process of exercising the right to consult one’s own personal data in Slovenia is regulated in more detail by the Act on the Protection of Personal Data in the Field of Criminal Offences (ZVOPOKD) and the Act on the Information Commissioner (ZInfP). Article 24 of the ZVOPOKD stipulates that an individual has the right to request from the Police, as the controller of the N.SIS personal data collection, information on whether his personal data are being processed, and a copy or extract of such data. The individual has the right to obtain specific information on:

  • the purposes of the processing and their legal basis;
  • the types of personal data processed in the SIS concerning him;
  • the users or categories of users to whom the data have been disclosed, in particular if they are users in third countries or international organisations (however, in the cases of limitations referred to in Article 25(1) of the ZVOPOKD, only an indicative description of the users may be given);
  • the retention period or the period for periodic review of the need for retention;
  • the existence of a right to request rectification or erasure of data or restriction of processing and the right to lodge a complaint with a supervisory authority;
  • the existence of the right to lodge a complaint with the Information Commissioner and its contact details;

any available information on the source of the personal data processed in the SIS concerning him, unless the identity of the source is protected as secret or confidential under the provisions of the law. 

The application is filed in writing or orally for the record, with the:

Ministry of the Interior

Police

Štefanova 2

1000 Ljubljana

SLOVENIA

E-mail: uit@policija.si

The application may also be filled at all border crossing points, administrative units and Slovenian diplomatic and consular authorities abroad. The application is submitted to the Police immediately.

 The police must decide on the individual's request without undue delay, but no later than one month after receiving the request. The decision must also contain an indication of the right to appeal to the supervisory authority - the Information Commissioner.

The police shall not provide the individual with the information referred to in Article 24 of the ZVOPOKD for the reason referred to in Article 25(1) or (2)(1) of the ZVOPOKD, where this would reveal the identity of persons against whom covert investigative measures are carried out pursuant to the law regulating criminal proceedings or against whom covert recording and targeted control measures are ordered pursuant to the law regulating the tasks and powers of the police.

Pursuant to Article 25 of the ZVOPOKD, the right of an individual to have access to his own personal data may be restricted by law, in part or in full, with regard to individual or categories of processing, taking into account his human rights and fundamental freedoms and legitimate interests, only if and for as long as this is necessary and proportionate:

  • to prevent obstruction of or interference with official proceedings, the purposes of which are set out in Article 1(1) of the ZVOPOKD;
  • to prevent obstruction of or interference with other official procedures related to the previous point;
  • for the purpose of ensuring public security;
  • for the purpose of ensuring the security of the state or the defence of the state;
  • for the protection or exercise of human rights and fundamental freedoms of third parties.

 The police shall decide without undue delay, and at the latest within 15 days of receipt of the request, whether to refuse or restrict access and the reasons for this. This time limit may be extended by the authority by a decision in a maximum of 15 days if necessary, taking into account the complexity of the request or the number of requests. The decision shall also contain an indication of the right of appeal to the Information Commissioner.

The Information Commissioner, as the second instance authority, decides on the data subject's appeal against the decision of the Police.

 II. Right to correct and delete

Any person who establishes that data relating to him and stored in the filing system is inaccurate or unlawfully stored has the right to correct inaccurate data or to delete unlawfully stored data. Under Article 58 of Council Decision No 2007/533/JHA and Article 41 Regulation (EC) No 1987/2006 anyone has the right to correct and delete data entered in the SIS II which relate to him.

Anyone exercising his right to correct and delete data in SIS II that relate to him, may apply to judicial bodies or other competent authorities in any of the Schengen Member States, since all national SIS II databases contain identical data because of the technical support function. The right to correct and delete is exercised in accordance with the law of the state addressed.

Under the Schengen law only the Member State which issues an alert entered in the SIS II may alter or delete it.

When a Member State which did not issue an alert itself finds that certain personal data in the SIS II are inaccurate or unlawfully stored, it must inform the issuing country thereof. The issuing Member State checks the notification and, when necessary, immediately correct or delete the data.

If the Member States are unable to reach an agreement on deleting or correcting inaccurate or unlawfully stored data within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor (EDPS), who shall, jointly with the national supervisory authorities concerned, act as mediator.

Procedure to correct inaccurate or delete unlawfully stored data in Slovenia

The procedure for the correction of materially inaccurate data or the deletion of unlawfully entered data, as well as the procedure for the restriction of processing, is regulated in more detail in Slovenia by the Act on the Protection of Personal Data in the Field of Criminal Offences (ZVOPOKD). With regard to SIS alerts issued by Slovenia, pursuant to Article 26 of the ZVOPOKD, the data subject has the right to request the Police to rectify, amend or delete his or her personal data which the data subject demonstrates to be incomplete, inaccurate or not up-to-date, or to have been collected or processed in breach of the law. The police must decide on this right without undue delay, and at the latest within 15 days of receipt of the request, and inform the data subject thereof. The police must include in the decision on the rights of the individual, which does not grant the request in full, an indication of the right to lodge a complaint with the Information Commissioner.

The Information Commissioner, as the second instance authority, decides on the data subject's appeal against the decision of the Police.

If the alert was not issued by Slovenia and there is evidence that the personal data entered in the SIS are incorrect or unlawfully entered, the Police must inform the competent authority of the country that issued the alert to carry out the correction or deletion.