Guide for exercising the right of access to the SIS II
Persons whose personal data are collected, held or otherwise processed in the second generation Schengen Information System (hereinafter `SIS II`) are entitled to rights of access, correction of inaccurate data and deletion of unlawfully stored data1.This Guide describes the modalities for exercising those rights
I. Introduction to the Second Generation Schengen Information System (SIS II)
The SIS II is a large-scale IT system, set up as a compensatory measure for the abolition of internal border checks, and intends to ensure a high level of security within the area of freedom, security and justice of the European Union, including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States. The SIS II is already implemented in all EU Member States, with the exception of Cyprus, Croatia and Ireland2, and in four Associated States: Iceland, Norway, Switzerland and Liechtenstein.
The SIS II is an information system that allows national law enforcement, judicial and administrative authorities to perform specific tasks by sharing relevant data. The European agencies EUROPOL and EUROJUST also have limited access privileges to this system.
SIS II enables border guards, as well as visa issuing and migration authorities, to enter and consult alerts on third-country nationals for the purpose of refusing their entry into or stay in the Schengen area.
SIS supports police and judicial cooperation by allowing competent authorities to create and consult alerts on missing persons and on persons or objects related to criminal offences.
Vehicle registration services may consult SIS in order to check the legal status of the vehicles presented to them for registration. They only have access to SIS alerts on vehicles, registration certificates and number plates.
A SIS alert does not only contain information about a particular person or object but also instructions for the authorities on what to do when the person or object has been found. The specialised national SIRENE Bureaus located in each Member State serve as single points of contact for the exchange of supplementary information and coordination of activities related to SIS alerts.
Categories of information processed
SIS II centralises two broad categories of information taking the form of alerts on, firstly, persons - who are either wanted for arrest, missing, sought to assist with a judicial procedure, for discreet or specific checks, or third country nationals subject to refusal of entry or stay in the Schengen area, and, secondly, objects - such as vehicles, travel documents, credit cards, for seizure or use as evidence in criminal proceedings, or for discreet or specific checks.
Depending on the type of alert, the SIS II is regulated either by Regulation (EC) 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System with respect to alert procedures falling under Title IV of the Treaty establishing the European Community (former first pillar)3 or by Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System in what concerns procedures falling under Title VI of the Treaty on European Union (former third pillar).
Categories of personal data processed
When the alert concerns a person, the information must always include the name, surname and any aliases, the sex, a reference to the decision giving rise to the alert and the action to be taken. If available, the alert may also contain information such as any specific, objective, physical characteristics not subject to change; the place and date of birth; photographs; fingerprints; nationality(ies); whether the person concerned is armed, violent or has escaped; reason for the alert; the authority issuing the alert; links to other alerts issued in SIS II in accordance with Article 37 of SIS II Regulation or Article 52 of SIS II Decision.
Architecture of the system
The SIS II is composed of:
• a central system („Central SIS II”);
• a national system (the „N.SIS II”) in each Member State (the national data systems that will communicate with the Central SIS II);
• a communication infrastructure between the central system and the national systems providing an encrypted virtual network dedicated to SIS II data and the exchange of data between the authorities responsible for the exchange of all supplementary information (SIRENE Bureaux)
II. Schengen Information System
The Schengen Information System (SIS II) is a highly secure and protected database that is exclusively accessible to the authorised users within competent authorities, such as national border control, police, customs, judicial, visa and vehicle registration authorities. These authorities may only access SIS II data that they need for the performance of their tasks. A list of competent national authorities having access to SIS is published annually in the Official Journal of the European Union.
The European Agencies EUROPOL and EUROJUST have limited access rights to carry out certain types of queries on specified alert categories.
After Bulgaria’s access to the second generation Schengen Information System (‘SIS II’), data subjects’ rights are governed by legal acts of the European Union, which consist of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) and Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II), Article 58.
Data subject is any natural person whose personal data are processed pursuant to Article 41 of Regulation (EC) No 1987/2006 and Article 58 of Council Decision 2007/533/JHA. Each data subject has the right of access to information regarding personal data relating to him or her that are processed by the responsible institutions. The Ministry of Interior, as SIS II controller, is obliged to provide the data subject with information on the measures taken to address his or her request within one month of receipt of that request.
Right of access
The right of access is the possibility for anyone who so requests to have knowledge of the information relating to him stored in a data file as referred to in national law. This is a fundamental principle of data protection which enables data subjects to exercise control over personal data kept by third parties. This right is expressly provided for in Article 41 of SIS II Regulation and in article 58 of SIS II Decision.
The right of access is exercised in accordance with the law of the Member State where the request is submitted. The procedures differ from one country to another, as well as the rules for communicating data to the applicant. When a Member State receives a request for access to an alert not issued by itself, that State must give the issuing country the opportunity to state its position as to the possibility of disclosing the data to the applicant.
The information shall not be communicated to the data subject if this is indispensable for the performance of the legal task connected to the alert, or in order to protect the rights and freedoms of other people.
Also there are currently two types of system governing the right of access to data processed by law enforcement authorities, and thus also applicable to SIS data. In some Member States the right of access is direct, in others it is indirect.
In this case the person concerned applies directly to the authorities processing the data (police, gendarmerie, customs, etc.). If national law permits, the applicant may be sent the information relating to him..
In this case the person applies for access to the national data protection authority of the State where the request is submitted. The data protection authority conducts the necessary verifications to handle the request and provides a reply to the applicant.
When an individual exercises his right of access, correction of inaccurate data and deletion of unlawfully stored data, replies by competent authorities are due within a strict deadline. Thus, the individual shall be informed as soon as possible and in any event not later than 60 days from the date on which he applies for access, or sooner if national law so provides
Also the individual shall be informed about the follow-up given to the exercise of his rights of correction and deletion as soon as possible and in any event not later than three months from the date on which he applies for correction or deletion, or sooner if national law so provides.
Right to correction and deletion of data
Besides the right of access, there are also the right to obtain the correction of personal data factually inaccurate or incomplete or the right to ask for deletion of personal data unlawfully stored (Article 41(5) of SIS II Regulation and 58(5) of SIS II Decision).
Under the Schengen legal framework only the Member State responsible for issuing an alert in the SIS may alter or delete it (See Article 34(2) of SIS II Regulation and 49(2) of SIS II Decision).
If the request is submitted in a Member State that did not issue the alert, the competent authorities of the Members States concerned cooperate to handle the case, by exchanging information and making the necessary verifications.
The applicant should provide the grounds for the request to correct or delete the data and gather any relevant information supporting it.
Remedies: the right to complain to the data protection authority or to initiate a judicial proceeding
Articles 43 of SIS II Regulation and 59 of SIS II Decision present the remedies accessible to individuals when their request has not been satisfied. Any person may bring an action before the courts or the authority competent under the law of any Member State to access, correct, delete or obtain information or to obtain compensation in connection with an alert relating to him.
In case they have to deal with a complaint with a cross-border element, DPAs should cooperate with each other to guarantee the rights of the data subjects.
Every individual has the right of access to his/her personal data, collected without his/her knowledge and processed in Ministry of Interior’s (MoI) information funds or SIS and should submit access request to the national SIRENE Bureau, established as a unit in the International Operative Cooperation Directorate of the MoI.
This legal framework will apply until December 2021.
Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 and Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU were adopted in November 2018. Regulation (EU) 2018/1861 and Regulation (EU) 2018/1862 entered into force on 28 December 2019 and will become fully operational in December 2021.
After the start of implementation of the new SIS II legal framework, pursuant to Article 67 of Regulation (EU) 2018/1862 and Article 53 of Regulation (EU) 2018/1861, data subjects will exercise the rights laid down in Articles 15, 16 and 17 of Regulation (EU) 2016/679 and in Article 14 and Article 16(1) and (2) of Directive (EU) 2016/680.
Sometimes false identity documents or identity documents belonging to someone else are used when carrying out criminal offences or attempting to enter or stay in the Schengen Area. In order to avoid the negative consequences of a possible misidentification, data on the person whose identity has been misused may be added to an SIS alert. This is only allowed with the explicit consent of that person. Furthermore, the data on the misused identity may only be used for avoiding misidentification and must be removed at the same time as the corresponding alert or earlier, if the victim so requests.
Contact details of the body to which requests for access should be addressed
Ministry of Interior of the Republic of Bulgaria
Sofia, 1000 29 „6-th September” str.
Tel.: + 359 2/9825000 – MoI’s main office
Web site: http://www.mvr.bg/contactus.htm