The Visa Information System Supervision Coordination Group (VIS SCG) was established pursuant to Article 43 of the VIS Regulation 767/2008/CE of 9 July 2008 in order to ensure coordinated supervision of the VIS and the national systems.
The VIS SCG is made up of a representative of every Member State's data protection authority and the European Data Protection Supervisor (EDPS).
Tasks and duties
As established in the VIS Regulation (Regulation 2008/767/EC of 9 July 2008), the lawfulness of the processing of personal data by the Member States shall be monitored by the national Data Protection Authorities and the European Data Protection Supervisor (EDPS).
In Luxembourg, two different supervisory authorities are competent for the monitoring of the use of the VIS data. The CNPD is competent for supervising the processing of VIS data by the Ministry of Foreign and European Affairs, the embassies and the consulates, whereas the “Article 17” supervisory authority is competent for supervising the processing of VIS data by the law enforcement authorities.
What is the Visa Information System (VIS)?
The Visa Information System (VIS) is a system for the exchange of visa data between Member States created by Council Decision 2004/512/EC of 8 June 2004 as completed by Regulation 2008/767/EC of 9 July 2008 (VIS Regulation).
As stated in Article 2 of the VIS Regulation, the purpose of the VIS is to facilitate the visa application procedure, prevent visa shopping and fraud, facilitate border checks as well as identity checks within the territory of the Member States and to contribute to the prevention of threats to the internal security of the Member States. To this end, the VIS provides a central repository of data on all short-stay Schengen visas. This data can be accessed by authorities issuing visas, e.g. consulates of Member States (Article 15), by checkpoints at the Schengen border to verify the identity of visa holders (Article 18), as well as for the purpose of identifying third-country nationals apprehended within the Schengen Area with fraudulent documents or without documents (Article 19).
The VIS Regulation sets out which data shall be included in the database at the various stages of processing a visa (application, issuing, discontinuation of examination, refusal, annulment/revocation, extension, Articles 9-14). Apart from data on the visa application (such as planned travel itinerary, inviting persons etc.) it also includes a photograph of the applicant and fingerprints (Article 9 (5) and (6)).
The architecture mirrors that of Eurodac and other large-scale IT systems: a central unit ('central VIS') managed by the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice ('eu-LISA') (Article 26) and connected to national units in the Member States using sTesta. Article 32 sets out a list of mandatory security measures for the national units to implement; the national implementation shall also provide for audit trails (Article 34) and possibilities for a self-audit (Article 34).
Right of access of data subjects to VIS Data
VIS data, processed by the Ministry of Foreign and European Affairs, do not fall under article 17 of the Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data.
Therefore, the common regime of the right of access pursuant to article 28 of the aforementioned Law is applicable. This article provides for direct access, requiring the person concerned to apply directly to the Ministry of Foreign and European Affairs for access to their data.
The representatives of the Grand Duchy of Luxembourg in the VIS SCG
- Mr Thierry LALLEMANG, member of the Article 17 supervisory authority, commissioner of the CNPD;
- Ms Tine A. LARSEN, member of the Article 17 supervisory authority, chair of the CNPD.