Schengen Information System (SIS)

What is the Schengen Informations System?

The Schengen Information System (SIS) is the most widely used and largest information-sharing system for security and border management in Europe. As there are no internal borders between Schengen countries in Europe, SIS compensates for the abolition of border controls and is the most effective cooperation tool for border and immigration authorities as well as for police, customs and judicial authorities in the EU and Schengen associated countries.

Competent national authorities, such as police and border guards, may enter and consult alerts on persons and objects in a common database. These persons and objects can be located anywhere in the EU and in the Schengen area during border, police or other legal checks.

Since 1995, the Schengen Information System has helped Europe maintain its security in the absence of internal border controls.

In 2013, the second-generation SIS (SIS II) was deployed, with additional functionalities, such as the possibility to add fingerprints and photographs to alerts.

Since 2018, the SIS legal framework has evolved with the adoption of three European Regulations, namely Regulation (EU) 2018/1860, Regulation (EU) 2018/1861 and Regulation (EU) 2018/1862. These regulations are fully operational since 7 March 2023. Their aim is to strengthen SIS measures, including the introduction of new types of alerts, updated data and improved functionalities.

Functioning

An alert entered in SIS by one country becomes available in real time in all other countries using SIS, allowing the competent authorities across the EU to find the alert.

Technically, the SIS consists of the following elements:

  • a central system (‘central SIS’);
  • national SIS systems in all countries using SIS (‘N.SIS’);
  • a network linking these different systems.

Each country using SIS is responsible for setting up, operating and maintaining its national system and structures. The European Commission is responsible for the overall supervision, evaluation of the system and the adoption of implementing and delegated acts laying down detailed rules for the operation of SIS and SIRENE. The EU Agency for the Management of Large-Scale IT Systems (eu-LISA) is responsible for the operational management of the Central System and the Network.

An alert in SIS shall contain information on particular persons or objects, as well as instructions on what authorities are expected to do once the person or object is found.

Types of alerts contained in SIS

SIS shall contain only alerts on persons or objects falling within one of the following categories of alerts:

  • alerts for refusal of entry and stay: alerts on third-country nationals who do not have the right to enter or stay in the Schengen area;
  • alerts on persons wanted for arrest: alerts on persons in respect of whom a European Arrest Warrant or an extradition request has been issued;
  • alerts on missing persons: alerts to find missing persons, including children, and to place them under protection if legal and necessary;
  • alerts on persons whose assistance is required in judicial proceedings: alerts aiming to know the place of residence or domicile of persons whose assistance is required in judicial proceedings in criminal matters (e.g. as witnesses);
  • alerts on persons and objects for discreet or specific checks: alerts for obtaining information on persons or related objects for the purposes of the prosecution of criminal offences and the prevention of threats to public or national security;
  • alerts on objects for seizure or use as evidence in criminal proceedings: alerts on objects (e.g. vehicles, travel documents, number plates and industrial equipment) sought for seizure or use as evidence in criminal proceedings. Alerts on travel documents may also be entered specifically to prevent the person holding them from travelling;
  • alerts on return decisions: alerts on third-country nationals subject to return decisions issued by Schengen countries;
  • alerts on children at risk of abduction by their own parents, close family members or guardians: alerts to prevent the abduction or disappearance of such children;
  • alerts on vulnerable persons who need to be prevented from travelling: alerts to protect vulnerable persons (adults or children) against the risk of being illegally taken abroad or to prevent them from travelling without the necessary authorisations;
  • alerts on persons and objects for inquiry checks: additional alerts for obtaining information on related persons or objects for the purpose of prosecuting criminal offences and for the prevention of threats to public or internal security;
  • alerts on unknown wanted persons: alerts containing only fingerprints and palm traces belonging to the offender, discovered at the scene of terrorist offences or other serious crimes under investigation. Such alerts shall be issued for the purpose of identifying the author under national law.

Data processed in SIS

The categories of data contained in SIS differ depending on the nature of the alert.

For alerts on persons:

  • identification data: the data necessary for the identification of the requested person and other information relevant to the searching end-user;
  • reason for reporting: the ‘reason for issuing an alert’ describing, in a structured manner, the reasons why the person is being sought;
  • measures required: the ‘action to be taken’ describing, in a structured way, what the officer should do when the person is found;
  • information on criminal proceedings: the copy of the European Arrest Warrant (EAW) of a person wanted for arrest and data on victims of identity theft (if applicable);
  • photographs: photographs of the person subject to the alert;
  • fingerprints and palm prints: fingerprint (fingerprint and/or palm) data of the subject of the alert or, for specific cases, those discovered at the crime scene;
  • information on objects related to persons: data relating to objects entered in SIS in order to locate a person who is the subject of an alert, for example the vehicle used by the person sought – these data may be added only to alerts on persons referred to in Articles 26, 32 and 34 of Regulation (EU) 2018/1862;
  • identification documents: data describing the identification document of the person subject to the alert – a copy of the document may be attached;
  • DNA profile: DNA profile of the person subject to the alert or his/her family members (only in the case of missing persons who need to be placed under protection).

 

For alerts on objects:

  • identification data: data necessary to identify the object sought and other information relevant to the searching end-user;
  • reason for reporting: the ‘reason for reporting’, describing, in a structured manner, the reasons why the object is sought;
  • measures required: the ‘action to be taken’ describing, in a structured way, what the officer should be when the object is found;
  • images: images/photographs of the object.

The country that enters the alert and related data in SIS is the ‘data owner’. This means that only that country is allowed or able to update and delete the alert.

For alerts on persons, the minimum set of data is:

  • name;
  • year of birth;
  • a reference to the decision giving rise to the alert;
  • the action to be taken.

Where available, photographs and fingerprints should be added in order to facilitate identification and avoid misidentification. The system also offers the possibility to add links between alerts (e.g. between an alert on a person and an alert on a vehicle).

 

Regarding biometrics :

Since 2013, SIS has been able to store fingerprints which may be used to confirm the identity of a person located by other means. However, the introduction of an AFIS (Automated Fingerprint Identification System) in March 2018 also allows people to be identified using just his or her fingerprints.

As of March 2023, SIS also stores palm prints, fingermarks and palm marks. These are used for biometric searches and for the confirmation of identities. From March 2023, SIS stores DNA profiles of people reported missing or of their parents, grandparents or siblings for the purpose of confirming identity.

Who has access to the SIS?

Access to SIS data is limited to authorised staff in the performance of their tasks. They must ensure that the use of SIS data is limited to that which is necessary, appropriate and proportionate for carrying out their tasks. The following entities have direct access to consult SIS data in the performance of their tasks:

  • the Grand-Ducal Police,
  • the Custom and Excise Administration,
  • the state Prosecutor General and the State Prosecutor,
  • the investigating jugde,
  • the Minister responsible for foreign affairs,
  • the Minister responsible for immigration,
  • the Minister responsible for Luxembourg nationality,
  • the Minister responsible for armes,
  • the Minister having the State Information Technology Center (CTIE) in its remit,
  • the Commissioner for maritime affairs,
  • the Civil Aviation Directorate,
  • the State Intelligence Service.

Furthermore, the National motor vehicle company (SNCA) has indirect access to SIS data in the performance of their tasks.

How long is data stored in the SIS?

Data recorded in SIS can only be retained in the system for as long as is necessary to achieve that specific alert’s purpose. Once this is achieved, the country that issued the alert must delete the data without delay. EU law requires the issuing countries to regularly review data held in the system.

Different review and retention periods apply depending on the type of alert:

  • Alerts for arrest and alerts on missing persons must be reviewed within 5 years;
  • Alerts on return decisions and alerts for refusal of entry and stay must also be reviewed within 5 years;
  • Alerts on persons sought to assist with judicial procedures and alerts on unknown wanted persons must be reviewed within 3 years.
  • Alerts for discreet, inquiry or specific checks, and alerts on children at risk of abduction or vulnerable persons at risk must be reviewed within 1 year.
  • Alerts on objects for seizure or use as evidence must be reviewed within 10 years, or shorter for certain object types.

The retention period for an alert may be extended if it is necessary and proportionate to achieve the purpose of the alert.

Your specific data protection rights related to SIS

Your right of access to, rectification, completion and erasure of personal data

All data subjects have the right to request access to their data, the correction or completion of inaccurate data as well the erasure of data illegally stored in the SIS.

In addition, any person subject to an alert on a return decision or an alert for refusal of entry and stay shall have the right to be informed of that alert.

National procedures and contact points for access requests have been compiled in a comprehensive guide.

The guide also contains model letters that data subjects can complete in order to exercise their respective rights.

Below, the CNPD provides model letters to help submitting the request.

To exercise your data protection rights, you may apply directly to the Data Protection Officer of the Grand-Ducal Police.

Cité Policière Grand-Duc Henri

Délégué à la Protection des Données

Complexe A, rue de Trèves

L-2957 Luxembourg

Luxembourg

General contact: secgen@police.etat.lu

E-mail: dpo@police.etat.lu

More specific information on how to contact the Grand-Ducal Police can be found on their website.

The Grand-Ducal Police then has one month to respond to the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the information is not provided or is not fully provided within the above-mentioned timeframe, or if you are not satisfied with the answer received, you may lodge a complaint with the CNPD. The same applies to the incorrect or insufficient correction or deletion of data in the SIS.

Your rights when the controller limits your data protection rights

Under certain circumstances the controller can limit your rights.

Should the controller decide to limit your rights, you should be informed of said limitation. However, please note that the controller can decide to omit such information on the restriction, but only where it would undermine the reason of the limitation.

Additionally, you will be informed of the judicial remedies available, as well as your possibility to lodge a complaint with the CNPD and/or to exercise your data subject rights indirectly via the CNPD.

If you wish to exercise your rights indirectly via the CNPD, please use the complaint form on the website of the CNPD. You should explicitly indicate that you wish to exercise your rights indirectly because of a limitation imposed by the data controller.

Please note that you should first address the Data Protection Officer of the Grand-Ducal Police for any requests to exercise your rights. You can only exercise your rights indirectly if the data controller applies limitations as described above.

Your right to lodge a complaint with the CNPD

As mentioned before, the CNPD is responsible to handle complaints should you consider that your data protection rights are not complied with.

Role of the CNPD

The CNPD has general competence to monitor the lawfulness of the processing of personal data in Luxembourg. The CNPD is however not competent to supervise the lawfulness of the processing of personal data carried out by courts of the judicial order, including the public prosecutor (ministère public), or the administrative order acting in their judicial capacities. Hence, the CNPD is competent to monitor the lawfulness of the processing of personal data related to SIS by Luxembourg authorities falling under its competence.

In this respect, the CNPD informs data subjects on their rights regarding the processing of personal data in the SIS. Any person can contact the CNPD via the online form for information requests.

As mentioned before, the CNPD is also responsible to handle complaints should data subjects consider that their data protection rights are not complied with or to handle indirect exercises of data subjects’ rights.

In addition to the general obligation to monitor the lawfulness of the processing of personal data by the Luxembourgish authorities in the SIS, the CNPD also carries out audits of the data processing operations by the responsible national authorities. The CNPD has the legal obligation to carry out an audit at least every four years.

Lastly, the national data protection authorities, including the CNPD, oversee the application of data protection rules in their respective countries, while the European Data Protection Supervisor (EDPS) monitors how data protection rules are applied in the central system managed by eu-LISA. The two levels work together under the Coordinated Supervision Committee (CSC) to ensure end-to-end coordinated surveillance.

Dernière mise à jour