Schengen Information System (SIS)

The Schengen Information System (SIS) is the most widely used and largest information-sharing system for security and border management in Europe. As there are no internal borders between Schengen countries in Europe, SIS compensates for the abolition of border controls and is the most effective cooperation tool for border and immigration authorities as well as for police, customs and judicial authorities in the EU and Schengen associated countries.

Competent national authorities, such as police and border guards, may enter and consult alerts on persons and objects in a common database. These persons and objects can be located anywhere in the EU and in the Schengen area during border, police or other legal checks.

Since 1995, the Schengen Information System has helped Europe maintain its security in the absence of internal border controls.

In 2013, the second generation SIS (SIS II) was deployed, with additional functionalities, such as the possibility to add fingerprints and photographs to alerts.

Since 2018, the SIS legal framework has evolved with the adoption of three European Regulations, namely Regulation (EU) 2018/1860, Regulation (EU) 2018/1861 and Regulation (EU) 2018/1862. These regulations are fully operational since 7 March 2023. Their aim is to strengthen SIS measures, including the introduction of new types of alerts, updated data and improved functionalities.

Functioning

An alert entered in SIS by one country becomes available in real time in all other countries using SIS, allowing the competent authorities across the EU to find the alert.

Technically, the SIS shall consist of the following elements:

a central system;
national SIS systems in all countries using SIS;
a network linking these different systems.

Each country using SIS is responsible for setting up, operating and maintaining its national system and structures. The European Commission is responsible for the overall supervision, evaluation of the system and the adoption of implementing and delegated acts laying down detailed rules for the operation of SIS and SIRENE. The EU Agency for the Management of Large-Scale IT Systems (eu-LISA) is responsible for the operational management of the Central System and the Network.

An alert in SIS shall contain information on particular persons or objects, as well as instructions on what authorities are expected to do once the person or object is found.

Types of alerts contained in SIS

SIS shall contain only alerts on persons or objects falling within one of the following categories of alerts:

alerts for refusal of entry and stay: alerts on third-country nationals who do not have the right to enter or stay in the Schengen area;
alerts on persons wanted for arrest: alerts on persons in respect of whom a European Arrest Warrant or an extradition request(Switzerland and Liechtenstein) has been issued;
alerts on missing persons: alerts to find missing persons, including children, and to place them under protection if legal and necessary;
alerts on persons whose assistance is required in judicial proceedings: alerts aiming to know the place of residence or domicile of persons whose assistance is required in judicial proceedings in criminal matters (e.g. as witnesses);
alerts on persons and objects for discreet or specific checks: alerts for obtaining information on persons or related objects for the purposes of the prosecution of criminal offences and the prevention of threats to public or national security;
alerts on objects for seizure or use as evidence in criminal proceedings: alerts on objects (e.g. vehicles, travel documents, number plates and industrial equipment) sought for seizure or use as evidence in criminal proceedings. Alerts on travel documents may also be entered specifically to prevent the person holding them from travelling;

alerts on return decisions: alerts on third-country nationals subject to return decisions issued by Schengen countries;
alerts on children at risk of abduction by their own parents, close family members or guardians: alerts to prevent the abduction or disappearance of such children;
alerts on vulnerable persons who need to be prevented from travelling: alerts to protect vulnerable persons (adults or children) against the risk of being illegally taken abroad or to prevent them from travelling without the necessary authorisations;
alerts on persons and objects for inquiry checks: additional alerts for obtaining information on related persons or objects for the purpose of prosecuting criminal offences and for the prevention of threats to public or internal security;
alerts on unknown wanted persons: alerts containing only fingerprints and palm traces belonging to the offender, discovered at the scene of terrorist offences or other serious crimes under investigation. Such alerts shall be issued for the purpose of identifying the author under national law.

Data processed in SIS

The categories of data contained in SIS differ depending on the nature of the alert.

For alerts on persons:

identification data: the data necessary for the identification of the requested person and other information relevant to the searching end-user;
reason for reporting: the ‘reason for issuing an alert’ describing, in a structured manner, the reasons why the person is being sought;
measures required: the ‘action to be taken’ describing, in a structured way, what the officer should do when the person is found;
information on criminal proceedings: copy of the European Arrest Warrant (EAW) of a person wanted for arrest and data on victims of identity theft (if applicable);
photographs: photographs of the person subject to the alert;
fingerprints and palm prints: fingerprint (fingerprint and/or palm) data of the subject of the alert;

information on objects related to persons: data relating to objects entered in SIS in order to locate a person who is the subject of an alert, for example the vehicle used by the person sought – these data may be added only to alerts on persons referred to in Articles 26, 32 and 34 of Regulation (EU) 2018/1862;
identification documents: data describing the identification document of the person subject to the alert – a copy of the document may be attached;
fingerprint and palm traces: fingerprint data (fingerprints and/or palm traces) discovered at the crime scene;
DNA profile: DNA profile of the person subject to the alert or his/her family members (only in the case of missing persons who need to be placed under protection).

For alerts on objects:

identification data: data necessary to identify the object sought and other information relevant to the searching end-user;
reason for reporting: the ‘reason for reporting’, describing, in a structured manner, the reasons why the object is sought;
measures required: the ‘action to be taken’ describing, in a structured way, what the officer should be when the object is found;
images: images/photographs of the object.

The country that enters the alert and related data in SIS is the ‘data owner’. This means that only that country is allowed or able to update and delete the alert.

For alerts on persons, the minimum set of data is:

name;
year of birth;
a reference to the decision giving rise to the alert;
the action to be taken.

Where available, photographs and fingerprints should be added in order to facilitate identification and avoid misidentification. The system also offers the possibility to add links between alerts (e.g. between an alert on a person and an alert on a vehicle).

Regarding biometrics :

Since 2013, SIS has been able to store fingerprints which may be used to confirm the identity of a person located by other means. However, the introduction of an AFIS (Automated Fingerprint Identification System) in March 2018 also allows people to be identified using just his or her fingerprints. Thanks to this system, criminals and other persons of interest will find it even more difficult to enter and move within the EU using counterfeited or forged documents, or documents belonging to other people.

As of March 2023, SIS also stores palm prints, fingermarks and palmmarks. These are used for biometric searches and for the confirmation of identities. From March 2023, SIS stores DNA profiles of people reported missing or of their parents, grandparents or siblings for the purpose of confirming identity.

Role of the CNPD

National data protection authorities, including the CNPD, oversee the application of data protection rules in their respective countries, while the European Data Protection Supervisor (EDPS) monitors how data protection rules are applied in the central system managed by eu-LISA. The two levels work together under the Coordinated Supervision Committee (CSC) to ensure end-to-end coordinated surveillance.

Data subjects rights

All data subjects have the right to:

access their data;
correct inaccurate data;
erase data illegally stored in the system.

In addition, any person subject to an alert on a return decision or an alert for refusal of entry and stay shall have the right to be informed of that alert.

National procedures and contact points for access requests have been compiled in a comprehensive guide. The guide also contains model letters that data subjects can complete in order to exercise their respective rights.

In Luxembourg, in order to exercise their rights, data subjects may apply directly to the Data Protection Officer of the Grand-Ducal Police, who then has one month to respond to the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

The CNPD invites the persons concerned to consult the section on SIS on the website of the Grand-Ducal Police, containing the necessary information.

If the Grand-Ducal Police does not reply within the above-mentioned timeframe or if the person concerned is not satisfied with the reply, he or she has the right to lodge a complaint with the CNPD.

If the Grand-Ducal Police decides to restrict the rights of the data subject, it shall inform the data subject as far as possible and inform them that they may exercise their rights through the CNPD.