Schengen information system

The Schengen Information System (and the Second-Generation System – SIS II) is the cornerstone of Schengen cooperation and replaces abolished checks at common borders and facilitates the free movement of persons within the Schengen area. It is an information system that enables national law enforcement authorities, judicial authorities and administrative authorities to exchange and access to information on crossing external borders and visa policy. The system also includes data on the European Arrest Warrant, extradition, biometric data and search data related to terrorist activities. In March 2023, SIS was renewed with new alerts, upgraded data and enhanced functionalities.

SIS II currently includes 31 countries (EU Member States plus Norway, Iceland, Switzerland and Liechtenstein).

More information on the Schengen Information System can be found on the website of the European Commission:

https://home-affairs.ec.europa.eu/policies/schengen-borders-and-visa/schengen-information-system_en

Legal framework
What personal data are processed in the SIS?
Who can use the data from the SIS?
What is the SIRENE Bureau?
Who controls the processing of personal data in the SIS?
What rights do I have regarding the processing of my personal data in the SIS?

Schengen - Legal framework

On 14 June 1985 in Schengen Luxembourg, five Member States - Belgium, France, Germany, Luxembourg and the Netherlands - signed the Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (also known as the Schengen Agreement) which aimed toward gradual abolition of checks at common borders and toward enhanced cooperation between police and custom authorities of Member States.

The Schengen Agreement was first introduced as a declaration of intent, defining the objectives that were determined by the signatory governments in order to establish the regime of free movement. Several years later, on 19 June 1990, the declaration of intent culminated with the creation of complementary regulations known as the Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders. This document included the establishment of an area of free movement of persons, capital, goods and services.

The articles of the Convention include a set of important principles, among which the following should be highlighted:

establishment of a computer system which is common to all Member States and called the "Schengen Information System (SIS)";
introduction of free movement of persons, both citizens of the European Union and non-citizens, within the Schengen area;
establishment of a new term "external border", with the emphasis on the conditions required for allowing entry to citizens of third countries;
definition of the Schengen common policy on visas and introduction of a standardized visa which is valid throughout the entire territory;
as regards refugees, definition of a series of procedural rules and several criteria which must be used when determining the country responsible for processing a request for asylum whenever the asylum seeker has or has had connections with more than one Member State;
as regards police cooperation, the Convention makes use of a whole range of special mechanisms such as discreet cross-border surveillance (ČEZMEJNO TAJNO SLEDENJE) and pursuit on the territories of other Member States;
and finally, the establishment of a joint supervisory body, responsible for ensuring the protection of persons in relation to automatic processing of personal data.

The legal framework of the SIS today includes:

What personal data are processed in the SIS?

The data stored in the SIS are needed to identify a person (including photos and fingerprints) and contain all relevant information on the measure (including an instruction on the action to be taken when the person or object has been found). The SIS contains certain specific categories of data entered only by the Member States. The entered data must be of sufficient importance for the entry into the SIS and in accordance with the previously described purpose.

Data on persons are considered personal data and are carefully protected. The protection of personal data under the SIS, in addition to the provisions of Regulation (EU) 2018/1861 and Regulation (EU) 2018/1862 (and in part still the Schengen Convention), are regulated in particular by the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (Official journal of the Republic of Slovenia, No 177/20; ZVOPOKD) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Categories of alerts in the SIS:

persons wanted for arrest for surrender or extradition purposes (Article 26 of Regulation (EU) 2018/1862),
third-country nationals of whom an alert has been issued for refusal of entry and stay in the Schengen Area (Article 24 of Regulation (EU) 2018/1861),
missing persons, children and vulnerable persons of age who need to be prevented from traveling for their own protection or to avert danger (Article 32 of Regulation (EU) 2018/1862)
witnesses or persons who are required to appear before the judicial authorities in the context of criminal proceedings in connection with criminal proceedings, persons to be served with a criminal judgement or a summon to serve a prison sentence (Article 34 of Regulation (EU) 2018/1862) and
persons and objects for discreet checks, inquiry checks or specific checks (Article 36 of Regulation (EU) 2018/1862).

For alerts on persons only the following information may be recorded:

surname(s)
forename(s),
birth name(s)
previously used names and any aliases possibly entered separately,
any specific objective and physical characteristics not subject to change,
place and date of birth,
gender,
fingerprints, palm prints or both,
any nationalities held,
whether the person concerned is armed; violent; has absconded or escaped; poses a risk of suicide; poses a threat to public health; is involved in an activity referred to in Articles 3 to 14 of directive (EU) 2017/541,
reason for the alert,
authority which created the alert,
a reference to the decision giving rise to the alert,
action to be taken in the case of a hit,
links to other alerts pursuant to Article 48,
whether the person concerned is a family member of a citizen of the Union or other person who is a beneficiary of the right of free movement as referred to in Article 26,
whether the decision for refusal of entry and stay is based on:
- a previous conviction as referred to in point (a) of Article 24(2);
- a serious security threat as referred to in point (b) of Article 24(2);
- circumvention of Union or national law on entry and stay as referred to in point (c) of Article 24(2);
- an entry ban as referred to in point (b) of Article 24(1); or
- a restrictive measure referred to in Article 25;
type of offence,
category of the person's identification documents,
country of issue of the person's identification documents,
number(s) of the person's identification documents,
date of issue of the person's identification documents,
photographs and facial images,
dactyloscopic data,
a copy of the identification documents, in colour wherever possible.

Other personal data, in particular data on racial background, political, religious and other beliefs, health status and sexual life, are not permitted to be recorded.

In addition, SIS also contains data on:

vehicles, boats, aircrafts and containers for discreet checks, inquiry checks or specific checks and
objects sought for the purposes of seizure or use as evidence in criminal proceedings.

Who can use the data from the SIS?

Access to data included in SIS is reserved exclusively to the following Member States authorities:

authorities responsible for border control and police and customs checks carried out within the Member State,
authorities responsible for the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the execution of criminal penalties, within the Member State concerned, provided that Directive (EU) 2016/680 applies;
authorities responsible for examining the conditions and taking decisions related to the entry and stay of third-country nationals on the territory of the Member States, including on residence permits and long-stay visas, and to the return of third-country nationals, as well as carrying out checks on third country nationals who are illegally entering or staying on the territory of the Member States,
authorities responsible for security checks on third-country nationals who apply for international protection, insofar as authorities performing the checks are not ‘determining authorities’ as defined in point (f) of Article 2 of Directive 2013/32/EU of the European Parliament and of the Council (38), and, where relevant, providing advice in accordance with Council Regulation (EC) No 377/2004,
authorities responsible for naturalisation,
competent judicial authorities,
services responsible for issuing registration certificates for vehicles, boats, aircraft and firearms.

These authorities have access only to those data in the SIS that they need to carry out their tasks. The data may only be used by authorized persons in accordance with the purposes defined in the Schengen law.

EUROPOL, EUROJUST and Frontex have limited access to carry out only certain searches.

List of competent authorities of Member States of the Schengen area is available here:

https://eur-lex.europa.eu/legal-content/SL/TXT/PDF/?uri=OJ:C:2018:226:FULL&from=EN

What is the SIRENE Bureau?

The SIS contains precisely defined categories of data that can be entered only by the Member States if the data are of sufficient importance for the entry into the SIS and in accordance with the purpose. Therefore, each Member State operating the SIS must designate a central authority - SIRENE (Supplementary Information Request at the National Entries). Each Member State issues its alerts only via this authority. In Slovenia, this body is established within the Police.

SIRENE is on national level responsible for the uninterrupted operation of the SIS and adopts required actions for ensuring the observance of the provisions of the Schengen legislation. SIRENE represents the foundation for international police cooperation in the Schengen area (systematic police cooperation based on the mutual exchange of data and alerts regarding persons and objects, ongoing and concurrently updated by requesting members according to the principle of mutual trust as if information was treated within the national legal scope).

More information on the functioning and competences of the national SIRENE Bureau:

https://www.policija.si/eng/about-the-police/organization/general-police-directorate/criminal-police-directorate/sirene-national-bureau

Who supervises the processing of personal data in the SIS?

Under Article 55 of the Regulation (EU) 2018/1861 and Article 69 of the Regulation (EU) 2018/1862 Member States shall ensure that an independent national supervisory authority shall monitor the lawfulness of the processing of personal data in SIS on their territory, its transmission from their territory and the exchange and further processing of supplementary information on their territory. The Information Commissioner (Informacijski pooblaščenec) is the national supervisory authority in Slovenia.

The European Data Protection Supervisor (EDPS) is also responsible for the supervision of the processing of personal data under the SIS.

EDPS is an independent supervisory authority for the protection of personal data and privacy and the promotion of good practices in the EU institutions. Its mission is to:

monitor the processing of personal data within the EU administration,
advise on all matters relating to the processing of personal information and privacy,
cooperate with related authorities in order to ensure consistency of data protection.

In the framework of supervision of the SIS EDPS:

checks that the personal data processing activities of the eu-LISA are carried out in accordance with the law that regulates the SIS. The duties and powers of the EDPS as laid down in Regulation (EU) 2018/1725 apply;
if the Member States are unable to reach an agreement on deleting or correcting inaccurate or unlawfully entered data within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor, who shall, jointly with the national supervisory authorities concerned, act as mediator;
ensures that an audit of the processing of personal data by eu-LISA is carried out in accordance with international auditing standards at least every four years. A report on that audit shall be sent to the European Parliament, to the Council, to eu-LISA, to the Commission and to the national supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

In order to ensure a consistent level of protection of personal data in the SIS, representatives of the national Data Protection Authorities and the EDPS regularly meet within the Coordinated Supervision Committee.

What rights do I have regarding the processing of my personal data in the SIS?

In accordance with the fundamental principles for the protection of personal data, both nationals of the Schengen Member States and nationals of other countries have the following rights:

the right of access to data relating to them stored in the SIS,
the right to correct inaccurate personal data stored in the SIS,
the right to delete the unlawfully stored personal data in the SIS.

Data subjects may exercise rights in relation to their personal data processed in the SIS, as set out in Articles 15, 16 and 17 of the General Regulation (EU) 2016/679 (GDPR) and Articles 14 and 16(1) and (2) of Directive 2016/680/EU (LED), and in accordance with Article 53 of Regulation (EU) 2018/1861 and Article 67 of Regulation (EU) 2018/1862.

Every individual therefore has the right, in the territory of each Schengen State, to request from a court or other authority competent under national law rectification, erasure, information or compensation in connection with an alert relating to him or her.

Coordinated Supervision Committee - a group of national supervisory authorities and the European Data Protection Supervisor (EDPS), which is responsible for the coordinated supervision of large-scale information systems and EU bodies, offices and agencies, has drawn up a Guide for exercising data subjects’ rights of access, rectification and erasure.

Request for information on data in the SIS in Slovenia

I. Right of access

Right of access is the possibility for anyone, who requests so, to consult the information relating to him stored in a data file as referred to in national law. This is a fundamental principle of data protection which enables data subjects to exercise control over their personal data.

Under Article 53 of Regulation (EU) 2018/1861 and Article 67 Regulation (EU) 2018/1862 anyone has the right to have access to data entered in the SIS which relate to him.

Anyone exercising his right of access and to consult data in the SIS that relate to him, may apply to the competent authorities in any of the Schengen Member State, since all national SIS databases contain identical data because of the technical support function. The right of access therefore pertains to data regardless of the state to which the request is addressed. However, the right of access is exercised in accordance with the law of the Member State addressed, thus the rules of procedure differ slightly from one country to another.

When a Member State in which a right of access is exercised, receives a request for access to an alert which it did not issue itself, that country must give the issuing Member State the opportunity to state its position as to the possibility of disclosing the data to the applicant. Likewise, shall the national data protection supervisory authority while examining data subject’s application work in close cooperation with data protection supervisory authority of the Member State that issued an alert.

However, the right of access may be refused if it is indispensable for the performance of an alert and in any event during the period of validity of an alert for the purpose of discreet surveillance and where national law allows for the right of information to be restricted, in particular in order to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.

The process of exercising the right to consult one’s own personal data in Slovenia is regulated in accordance with the Act on the Protection of Personal Data and Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (Article 24; ZVOPOKD). Article 24 of ZVOPOKD stipulates that an individual has the right to request from the Police, as the controller of the N.SIS personal data file, information on whether his or her personal data are being processed and a copy or extract of those data. The individual has the right to obtain specific information on:

1. the purposes of the processing and their legal basis;

2. the types of personal data processed in the SIS about him/her;

3. the users or categories of users to whom the data have been disclosed, in particular if they are users in third countries or international organisations (however, in the cases of restrictions referred to in Article 25(1) of ZVOPOKD, only an indicative description of the users may be given);

4. the retention period or the period for periodic review of the need for retention;

5. the existence of the right to request rectification or erasure of the data or restriction of processing and the right to lodge a complaint with the supervisory authority;

6. the existence of the right to lodge a complaint with the Information Commissioner and its contact details;

7. any available information on the source of the personal data processed in the SIS concerning him/her, unless the identity of the source is protected as secret or confidential under the provisions of the law.

The application is filed in writing or orally for the record, with the:

Police, Ministry of the Interior
Štefanova 2
1501 Ljubljana

Slovenia

E-mail: uit@policija.si

The application may also be filled at all border crossing points, administrative units and Slovenian diplomatic and consular posts abroad. The application is submitted to the Police immediately.

The Police must decide on the individual's request without undue delay, but no later than one month after receiving the request. The decision must also contain an indication of the right to lodge a complaint with the supervisory authority - the Information Commissioner.

The police shall not provide an individual with the information referred to in Article 24 of the ZVOPOKD for the reason referred to in Article 25(1) or (2)(1) of the ZVOPOKD, where this would reveal the identity of persons against whom undercover investigative measures are carried out pursuant to the law regulating criminal proceedings or against whom discreet or targeted control measures are ordered pursuant to the law regulating the tasks and powers of the police.

The right of an individual to access his or her own personal data may, taking into account his or her human rights and fundamental freedoms and legitimate interests, be partially or completely restricted by law in respect of individual processing or individual categories of processing, if and for as long as this is necessary and proportionate:

1. to prevent obstruction or influence on official procedures, the purposes of which are specified in the first paragraph of Article 1 of this Act;

2. to prevent obstruction or interference with other official procedures related to the previous point;

3. to ensure public safety;

4. for the purpose of ensuring national security or national defence;

5. for the protection or exercise of human rights and fundamental freedoms of third parties.

The Police shall, without undue delay and no later than 15 days from receipt of the request, decide on the refusal or restriction of access and the reasons for it. If necessary, the authority may extend this period by a decision for a maximum of 15 days, taking into account the complexity of the request or the number of requests. The decision shall also contain information on the right to appeal to the supervisory authority.

The Information Commissioner is competent to decide on a complaint of an individual if the request to consult personal data that relate to him was refused or the individual was refused the answer to his request.

II. Right to correct and delete

Any person who establishes that data relating to him and stored in the filing system is inaccurate or unlawfully stored has the right to correct inaccurate data or to delete unlawfully stored data. For the SIS database, this right is governed by Article 53 of Regulation (EU) 2018/1861 and Article 67 of Regulation (EU) 2018/1862.

Anyone can submit a request for correction or deletion of their own personal data in the SIS to a court or competent authority of any country in the Schengen area, as all national SIS databases are identical. The actual procedure for requesting rectification or erasure is governed by the national law of the country which is conducting the procedure relating to the request.

Under the Schengen law only the Member State which issues an alert entered in the SIS may amend, correct or delete it.

When a Member State which did not issue an alert, itself finds that certain personal data in the SIS are inaccurate or unlawfully stored, it must notify the issuing Member State thereof. The issuing Member State shall check the notification and, when necessary, immediately correct or delete the disputed data.

If the Member States are unable to reach an agreement on deleting or correcting inaccurate or unlawfully stored data within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor (EDPS), who shall, jointly with the national supervisory authorities concerned, act as mediator.

Procedure to correct inaccurate or delete unlawfully stored data in Slovenia

The procedure for the correction of factually inaccurate data or the deletion of unlawfully entered data, as well as the procedure for the restriction of processing, is regulated in more detail in Slovenia by the Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (ZVOPOKD).

With regard to SIS alerts issued by Slovenia, pursuant to Article 26 of the ZVOPOKD, the data subject shall have the right to request the Police to rectify, complete or erase personal data concerning him or her which he or she establishes to be incomplete, inaccurate or not up-to-date, or which have been collected or processed in breach of the law.

The Police must decide on this right without undue delay, but no later than 15 days after receiving the request, and inform the individual accordingly. The Police must include in the decision on the rights of the individual, which does not fully grant the request, an indication of the right to appeal to the supervisory authority - the Information Commissioner.

The Information Commissioner is competent to decide on a complaint of an individual if the request for rectification or erasure of personal data that relate to him was refused, or the individual was refused the answer to his request.

If the alert was not issued by Slovenia and there is evidence that the personal data entered in the SIS are incorrect or unlawfully entered, the Police must inform the competent authority of the issuing country to carry out the correction or deletion.