The Visa Information System Supervision Coordination Group (VIS SCG) pursuant to article 43 of the VIS Regulation 767/2008/CE of 9 July 2008 was established in order to ensure a coordinated supervision of the VIS and the national systems.
The VIS SCG is made up of a representative of every Member State's data protection authority and the European Data Protection Supervisor (EDPS).
Tasks and duties
The European Data Protection Supervisor (EDPS) supervises the data processing operations in the VIS Central Unit. The national supervisory authorities, including the CNPD, monitor the legitimacy of data processing at national level, as well as the transmission of data to the central unit of the system.
The task of the VIS SCG is to ensure coordination between these supervision operations. To this end, and in accordance with the VIS Regulation (Regulation 2008/767/EC of 9 July 2008), the EDPS and the national supervisory authorities meet, in principle on a biannual basis, within the VIS SCG.
What is the Visa Information system (VIS)?
The Visa Information System (VIS) is a system for the exchange of visa data between Member States created by Council Decision 2004/512/EC of 8 June 2004 as completed by Regulation 2008/767/EC of 9 July 2008 (VIS Regulation).
As stated in Article 2 of the VIS Regulation, the purpose of the VIS is to facilitate the visa application procedure, prevent visa shopping and fraud, facilitate border checks as well as identity checks within the territory of the Member States and to contribute to the prevention of threats to the internal security of the Member States. To this end, the VIS provides a central repository of data on all short-stay Schengen visas. This data can be accessed by authorities issuing visas, e.g. consulates of Member States (Article 15), by checkpoints at the Schengen border to verify the identity of visa holders (Article 18), as well as for the purpose of identifying third-country nationals apprehended within the Schengen Area with fraudulent or without documents (Article 19).
The VIS Regulation sets out which data shall be included in the database at the various stages of processing a visa (application, issuing, discontinuation of examination, refusal, annulment/revocation, extension, Articles 9-14). Apart from data on the visa application (such as planned travel itinerary, inviting persons etc.) it also includes a photograph of the applicant and fingerprints (Article 9 (5) and (6)).
The architecture mirrors that of other large-scale IT systems: a central unit ('central VIS') managed by the European Agency for the operational management of large-scale IT systems in
the area of freedom, security and justice ('eu-LISA') (Article 26) and connected to national units in the Member States using sTesta. Article 32 sets out a list of mandatory security measures for the national units to implement; the national implementation shall also provide for audit trails (Article 34) and possibilities for a self-audit (Article 35).
Right of access of data subjects to VIS Data
Data subjects may, under Article 15 of the GDPR, request access to their data directly from the controller. To this end, the CNPD invites data subjects to consult the dedicated section on the processing of personal data in the VIS system on the website of the Ministry of Foreign and European Affairs, which contains the necessary information.