Informacijski pooblaščenec Republika Slovenija
    SLO | ENG

Schengen information system

+ -

The Schengen Information System (and the Second Generation System – SIS II) is the cornerstone of Schengen cooperation and replaces abolished checks at common borders and facilitates the free movement of persons within the Schengen area. It is an information system that enables national law enforcement authorities, judicial authorities and administrative authorities to exchange and access to information on crossing external borders and visa policy. The system also includes data on the European Arrest Warrant, extradition, biometric data, data on search for terrorist activities.

SIS II currently includes 30 countries (all EU Member States, except for Ireland and Cyprus; plus Norway, Iceland, Switzerland and Liechtenstein).

More information on the Schengen Information System can be found on the website of the European Commission:

http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/schengen-information-system/index_en.htm.

  • Legal framework

  • What personal data are processed in the SIS II?

  • Who can use the data from the SIS II?

  • What is the SIRENE Bureau?

  • Who controls the processing of personal data in the SIS II?

  • What rights do I have regarding the processing of my personal data in the SIS II?

 

Schengen - Legal framework

On 14 June 1985 in Schengen Luxembourg, five Member States - Belgium, France, Germany, Luxembourg and the Netherlands - signed the Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (also known as the Schengen Agreement)  which aimed toward gradual abolition of checks at common borders and toward enhanced cooperation between police and custom authoritiesof Member States.

The Schengen Agreement was first introduced as a declaration of intent, defining the objectives that were determined by the signatory governments in order to establish the regime of free movement. Several years later, on 19 June 1990, the declaration of intent culminated with the creation of complementary regulations known as the Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders. This document included the establishment of an area of free movement of persons, capital, goods and services.

The articles of the Convention include a set of important principles, among which the following should be highlighted:

  • establishment of a computer system which is common to all Member States and called the "Schengen Information System (SIS)";

  • introduction of free movement of persons, both citizens of the European Union and non-citizens, within the Schengen area;

  • establishment of a new term "external border", with the emphasis on the conditions required for allowing entry to citizens of third countries;

  • definition of the Schengen common policy on visas and introduction of a standardized visa which is valid throughout the entire territory;

  • as regards refugees, definition of a series of procedural rules and several criteria which must be used when determining the country responsible for processing a request for asylum whenever the asylum seeker has or has had connections with more than one Member State;

  • as regards police cooperation, the Convention makes use of a whole range of special mechanisms such as discreet cross-border surveillance and pursuit on the territories of other Member States;

  • and finally, the establishment of a joint supervisory body, responsible for ensuring the protection of persons in relation to automatic processing of personal data.

The legal framework of the SIS II includes:

What personal data are processed in the SIS II?

The data stored in the SIS II are needed to identify a person (including photos and fingerprints) and contain all relevant information on the measure (including an instruction on the action to be taken when the person or object has been found). The SIS II contains certain specific categories of data entered only by the Member States. The entered data must be of sufficient importance for the entry into the SIS II and in accordance with the previously described purpose.

Data on persons are considered personal data and are carefully protected. The protection of personal data under the SIS II, in addition to the provisions of Council Decision 2007/533/JHA and Regulation (EC) No. 1987/2006 (and in part still the Schengen Convention), are regulated in particular by the Personal Data Protection Act of Slovenia and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Categories of alerts in the SIS II:

  • persons wanted for arrest for surrender or extradition purposes (Article 26 of Council Decision 2007/533/JHA),

  • third-country nationals of whom an alert has been issued for the purposes of refusing entry in the Schengen Area(Article 24 of Regulation (EC) No 1987/2006),

  • missing persons and persons who need to be placed under protection, especially minors (Article 32 of Council Decision 2007/533/JHA)

  • witnesses ,persons summoned to appear before the judicial authorities in connection with criminal proceedings, persons to be served with a criminal judgement or a summon to report in order to serve a penalty (Article 34 of Council Decision 2007/533/JHA) and

  • persons and objects for discreet or specific checks (Article 36 of Council Decision 2007/533/JHA).

For alerts on persons only the following information may be recorded:

  • surname(s) and forename(s),

  • birth name(s) and any previous names, nicknames or aliases,

  • any specific objective physical characteristics not subject to change,

  • place and date of birth

  • sex,

  • photographs,

  • fingerprints,

  • nationality(ies),

  • whether the person concerned is armed, violent or has escaped,

  • reason for the alert,

  • authority issuing the alert,

  • a reference to the decision giving rise to the alert (for example decision by the judicial court),

  • action to be taken,

  • type of criminal offence,

  • link(s) to other alerts issued in SIS II.

Other personal data, in particular data on racial background, political, religious and other beliefs, health status and sexual life, are not permitted to be recorded. 

In addition SIS II also contains data on:

  • vehicles, boats, aircrafts and containers for discreet or specific checks and

  • objects sought for the purposes of seizure or use as evidence in criminal proceedings.

Who can use the data from the SIS II?

Access to data included in SIS II is reserved exclusively to the following Member States authorities:

  • authorities responsible for border control and other police and customs checks carried out within the country,

  • authorities responsible for examining visa applications and issuing visas,

  • authorities responsible for issuing residence permits and for application of the provisions on aliens,

  • competent judicial bodies,

  • organizations competent for the registration of motor vehicles and issuing of registration plates.

These authorities have access only to those data in the SIS II they need to carry out their tasks. The data may only be used by authorized persons in accordance with the purposes defined in the Schengenlaw .

EUROPOL and EUROJUST have limited access to specific data that they require for the performance of their tasks.

List of competent authorities of Member States of the Schengen area is available here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2018:226:TOC 

 

What is the SIRENE Bureau?

The SIS II contains precisely defined categories of data that can be entered only by the Member States if the data are of sufficient importance for the entry into the SIS II and in accordance with the purpose. Therefore each Member State operating the SIS II must designate a central authority - SIRENE (Supplementary Information Request at the National Entries). Each Member State issues its alerts only via this authority. In Slovenia, this body is established within the Police.

SIRENE is on national level responsible for the uninterrupted operation of the SIS II and adopts required actions for ensuring the observance of the provisions of the Schengen legislation. SIRENE represents the foundation for international police cooperation in the Schengen area (systematic police cooperation based on the mutual exchange of data and alerts regarding persons and objects, ongoing and concurrently updated by requesting members according to the principle of mutual trust as if information was treated within the national legal scope).

More information on the functioning and competences of the national SIRENE Bureau: https://www.policija.si/eng/about-the-police/organization/general-police-directorate/criminal-police-directorate/sirene

Who controls the processing of personal data in the SIS II?

Under Article 60 of the Council Decision No 2007/533/JHA and Article 44 of the Regulation (EC) No 1987/2006 each contracting party ensures that an independent national supervisory authority shall monitor independently the lawfulness of the processing of SIS II personal data on their territory and its transmission from that territory, and the exchange and further processing of supplementary information. The Information Commissioner (Informacijski pooblaščenec) is the national supervisory authority in Slovenia.

The European Data Protection Supervisor (EDPS) is also responsible for the supervision of the processing of personal data under the SIS II.

EDPS is an independent supervisory authority for the protection of personal data and privacy and the promotion of good practices in the EU institutions. Its mission is to:

  • monitor the processing of personal data within the EU administration,

  • advise on all matters relating to the processing of personal information and privacy,

  • cooperate with related bodies in order to improve consistency in protecting personal information.

In the framework of supervision of the SIS II EDPS:

  • checks that the personal data processing activities of the Management Authority of the SIS II are carried out in accordance with the law that regulates the SIS II. EDPS applies the duties and powers accordingly as referred to in the Regulation (EU) No 2018/1725;

  • if the Member States are unable to reach an agreement on deleting or correcting inaccurate or unlawfully entered data within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor, who shall, jointly with the national supervisory authorities concerned, act as mediator;

  • ensures that an audit of the Management Authority’s of the SIS II personal data processing activities is carried out in accordance with international auditing standards at least every four years. A report of such audit has to be sent to the European Parliament, the Council, the Management Authority, the Commission and the National Supervisory Authorities. The Management Authority of the SIS II is allowed to make comments before the report is adopted.

In order to ensure a consistent level of protection of personal data in the SIS II, representatives of the national Data Protection Authorities and the EDPS regularly meet within the SIS II Supervisory Coordination Group.

What rights do I have regarding the processing of my personal data in the SIS II?

In accordance with the fundamental principles for the protection of personal data, both nationals of the Schengen Member States and nationals of other countries have the following rights:

  • the right of access to data relating to them stored in the SIS II,

  • the right to correct inaccurate personal data stored in the SIS II,

  • the right to delete the unlawfully stored personal data in the SIS II.

Each individual has the right to bring proceedings before the courts or other competent authorities in the territory of each Member State within the Schengen area in order to correct or delete inaccurate data or to obtain information or compensation in connection with an alert relating to them.

Guide for exercising the right of access (2015)

Request for Information on Data in the Schengen Information System in Slovenia 

I. Right of access

Right of access is the possibility for anyone, who requests so, to consult the information relating to him stored in a data file as referred to in national law. This is a fundamental principle of data protection which enables data subjects to exercise control over their personal data.

Under Article 58 of Council Decision No 2007/533/JHA and Article 41 Regulation (EC) No 1987/2006 anyone has the right to have access to data entered in the SIS II which relate to him.

Anyone exercising his right of access and to consult data in the SIS II that relate to him, may apply to the competent authorities in any of the Schengen Member State, since all national SIS II databases contain identical data because of the technical support function. The right of access therefore pertains to data regardless of the state to which the request is addressed. However, the right of access is exercised in accordance with the law of the Member State addressed, thus the rules of procedure differ slightly from one country to another.

When a country in which a right of access is exercised, receives a request for access to an alert which it did not issue itself, that country must give the issuing country the opportunity to state its position as to the possibility of disclosing the data to the applicant. Likewise shall the national data protection supervisory authority while examining data subject’s application work in close cooperation with data protection supervisory authorityof the country that issued an alert.

However, the right of access may be refused if it is indispensable for the performance of an alert and in any event during the period of validity of an alert for the purpose of discreet surveillance and where national law allows for the right of information to be restricted, in particular in order to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.

The process of exercising the right to consult one’s own personal data in Slovenia is regulated in accordance with the Personal Data Protection Act (Articles 30 and 31) and the Information Commissioner Act. Article 30 of Personal Data Protection Act imposes to Police, which is subordinated body to the Ministry of Interior, as the data controller of the N.SIS II database, an obligation to:

1. enable consultation of the SIS II filing system catalogue;

2. certify whether data relating to him are being processed or not, and to enable him to consult personal data contained in the N.SIS II filing system that relate to him, and to transcribe or copy them;
3. supply him an extract of personal data contained in the N.SIS II filing system that relate to him;

4. provide a list of data recipients to whom personal data were supplied, when, on what basis and for what purpose;

5. provide information on the sources on which records contained about the individual in the SIS II are based, and on the method of processing;

6. provide information on the purpose of processing and the type of personal data being processed in the SIS II, and all necessary explanations in this connection;

7. explain technical and logical-technical procedures of decision-making.

 

The application is filed in writing or orally for the record, with the:

Police, Ministry of the Interior
Štefanova 2
1501 Ljubljana, Slovenia

Telephone: +386 1 428 40 00
Fax: +386 1 428 47 33
E-mail: gp.mnz@gov.si

 

The application may also be filled at all border crossing points, administrative units and Slovenian diplomatic and consular authorities abroad. The application is submitted to the Police immediately.

The Police must enable the individual to consult, transcribe, copy and obtain a certificate no later than 15 days from the date of receipt of the request, or within the same interval to inform the individual in writing of the reasons for refusal. The Police is obliged to supply the extract from subparagraph 3, the list from subparagraph 4, information from subparagraphs 5 and 6 and the explanation from subparagraph 7 to the individual within 30 days from the date he received the request, or within the same interval to inform him in writing of the reasons for refusal. Otherwise, it is considered that the request is rejected.

The individual’s right to consult personal data that relate to him may in Slovenia be exceptionally restricted in accordance with the Article 36 of Personal Data Protection Act by statute for reasons of protection of national sovereignty and national defence, protection of national security and the constitutional order of the state, security, political and economic interests of the state, the exercise of the responsibilities of the police, the prevention, discovery, detection, proving and prosecution of criminal offences and minor offences, the discovery and punishment of violations of ethical norms for certain professions, for monetary, budgetary or tax reasons, supervision of the police, and protection of the individual to whom the personal data relate, or the rights and freedoms of others. These restrictions may only be provided in the extent necessary to achieve the purpose for which the restriction was provided.

The Information Commissioner is competent for deciding on the appeal of an individual when the request to consult personal data that relate to him was refused or the applicant was refused the answer to his application by the competent authority.

 

 

 II. Right to correct and delete

Any person who establishes that data relating to him and stored in the filing system is inaccurate or unlawfully stored has the right to correct inaccurate data or to delete unlawfully stored data. Under Article 58 of Council Decision No 2007/533/JHA and Article 41 Regulation (EC) No 1987/2006 anyone has the right to correct and delete data entered in the SIS II which relate to him.

Anyone exercising his right to correct and delete data in SIS II that relate to him, may apply to judicial bodies or other competent authorities in any of the Schengen Member States, since all national SIS II databases contain identical data because of the technical support function. The right to correct and delete is exercised in accordance with the law of the state addressed.

Under the Schengen law only the Member State which issues an alert entered in the SIS II may alter or delete it.

When a Member State which did not issue an alert itself finds that certain personal data in the SIS II are inaccurate or unlawfully stored, it must inform the issuing country thereof. The issuing Member State checks the notification and, when necessary, immediately correct or delete the data.

If the Member States are unable to reach an agreement on deleting or correcting inaccurate or unlawfully stored data within two months, the Member State which did not issue the alert shall submit the matter to the European Data Protection Supervisor (EDPS), who shall, jointly with the national supervisory authorities concerned, act as mediator.

Procedure to correct inaccurate or delete unlawfully stored data in Slovenia

In Slovenia the right to have factually inaccurate or unlawfully stored data corrected or deleted is regulated by the Personal Data Protection Act (ZVOP-1) and the Information Commissioner Act (ZInfP). In the conformity with Article 32 of the Personal Data Protection Act the Police must on the request of an individual to whom personal data relate, supplement, correct, block or erase personal data contained in the SIS II (if it is an alert issued by Slovenia) which the individual proves as being incomplete, inaccurate or not up to date, or that they were collected or processed contrary to statute. 

The request or objection from Article 32 of the Personal Data Protection Act is lodged in writing or orally for the record with the Police. Costs relating to the supplementing, correction and erasure of personal data and of the notification and decision on the objection is borne by the Police as data controller.

In case Slovenia has not issued the alert and there is evidence suggesting that personal data in the SIS II are factually inaccurate or have been unlawfully stored, Police advises the competent authority of the country that issued the alert to correct or delete the data. 

Police is obliged to perform the supplementing, correction, blocking or deletion of personal data within 15 days from the date of receipt of the request, and to inform the person who lodged the request thereof, or within the same interval to inform him of the reasons why he will not do so. Otherwise, it is considered that the request is rejected.

Individual who finds that his rights provided by the Personal Data Protection Act have been violated may in line with Article 34 of the Act request judicial protection for as long as such violation lasts. The individual may also file an application for the unlawful processing of personal data with the Information Commissioner, which can then act in accordance with its inspection powers. If the violation ceases, the individual may file a suit to rule that the violation existed if he is not provided with other judicial protection in relation to the violation. 

The competent court decides in the procedure under the provisions of the statute regulating administrative disputes unless otherwise provided by the Personal Data Protection Act. The procedure is urgent and a priority, meaning that the court is obliged to carry out the procedure as soon as possible. The procedure in which the court examines the suit is in principle not public. An individual may request from the court to bind the data controller, until a final decision is issued in the administrative dispute, to prevent any kind of processing of the disputed personal data. In the event damages have been inflicted to the individual, he is entitled to claim compensation according to statue.