Schengen Information System (SIS)

An alert entered in SIS by one Schengen country becomes available in real time in all other Schengen countries using SIS, allowing the competent authorities across the EU to find the alert.

Technically, the SIS consists of the following elements:

• a central system (‘central SIS’);
• national SIS systems in all countries using SIS (‘N.SIS’);
• a network linking these different systems.

Each Schengen country using SIS is responsible for setting up, operating and maintaining its national system and structures. The European Commission is responsible for the overall supervision, evaluation of the system and the adoption of implementing and delegated acts laying down detailed rules for the operation of SIS. The EU Agency for the Management of Large-Scale IT Systems (eu-LISA) is responsible for the operational management of the central SIS and the network (link).

An alert in SIS contains information on particular persons or objects, as well as instructions on what authorities are expected to do once the person or object is found.

SIS contains in particular alerts on persons or objects falling within one of the following categories of alerts:

• alerts for refusal of entry and stay: alerts on third-country nationals who do not have the right to enter or stay in the Schengen area;
• alerts on persons wanted for arrest: alerts on persons in respect of whom a European Arrest Warrant or an extradition request has been issued;
• alerts on missing persons: alerts to find missing persons, including children, and to place them under protection if lawful and necessary;
• alerts on persons whose assistance is required in judicial proceedings: alerts aiming to know the place of residence or domicile of persons whose assistance is required in judicial proceedings in criminal matters (e.g. as witnesses);
• alerts on persons and objects for discreet checks, for inquiry checks or specific checks: alerts for obtaining information on persons or related objects for the purposes of preventing, detecting, investigating or prosecutingcriminal offences, and the prevention of threats to public or national security;
• alerts on objects for seizure or use as evidence in criminal proceedings: alerts on objects (e.g. vehicles, travel documents, number plates or industrial equipment) sought for seizure or use as evidence in criminal proceedings. Alerts on travel documents may also be entered to prevent the person holding them from travelling;

• alerts on return decisions: alerts on third-country nationals subject to return decisions issued by a Schengen countriy;
• alerts on children at risk of abduction by their own parents, close family members or guardians: alerts to prevent the abduction or disappearance of such children;
• alerts on vulnerable persons who need to be prevented from travelling: for example, where a concrete and apparent risk exists that they become victims of trafficking in human beings, or of gender-based violence ;
• alerts on unknown wanted persons: alerts containing only fingerprints and palm prints belonging to the offender, discovered at the scene of terrorist offences or other serious crimes under investigation. Such alerts shall be issued for the purpose of identifying the author in accordance with national law.

The SIS also offers the possibility to add links between alerts (e.g. between an alert on a person and an alert on a vehicle).

The categories of data contained in SIS differ depending on the nature of the alert.

For alerts on persons , in particular:

• identification data: the data necessary for the identification of the requested person and other information relevant to the searching end-user;

• reason for reporting: the ‘reason for issuing an alert’ describing, in a structured manner, the reasons why the person is being sought;

• measures required: the ‘action to be taken’ describing, in a structured way, what the officer should do when the person is found;

• information on criminal proceedings: the copy of the European Arrest Warrant (EAW) of a person wanted for arrest and data on victims of identity theft (if applicable);
• photographs: photographs of the person subject to the alert;

• fingerprints and palm prints: dactyloscopic data (fingerprint and/or palm prints) of the subject of the alert or, for specific cases, those discovered at the crime scene;

• information on objects related to persons: data relating to objects entered in SIS in order to locate a person who is the subject of an alert, for example the vehicle used by the person sought – these data may be added only to specific types of alerts on persons;

• identification documents: data describing the identification document of the person subject to the alert – a copy of the document may be attached;

• DNA profile: DNA profile of the person subject to the alert or his/her family members (only in the case of missing persons who need to be placed under protection).

For alerts on objects, in particular

• identification data: data necessary to identify the object sought and other information relevant to the searching end-user;

• reason for reporting: the ‘reason for reporting’, describing, in a structured manner, the reasons why the object is sought;

• measures required: the ‘action to be taken’ describing, in a structured way, what the officer should be when the object is found;

• images: images/photographs of the object.

The minimum data to be entered in SIS varies according to the type of alert provided for in the three European regulations.

Only the country that enters the alert and related data in SIS is  has the right to update and delete them.

Biometric data :

Since 2013, fingerprints can be stored in SIS which may be used to confirm the identity of a person located by other means. However, the introduction of an AFIS (Automated Fingerprint Identification System) in March 2018 also allows people to be identified using just his or her fingerprints.

As of March 2023, SIS also stores palm prints and fingerprints. These are used for the search and the identification of people through biometric caracteristices.

From March 2023, SIS stores DNA profiles of people reported missing or of their parents, grandparents or siblings for the purpose of identification of a missing person.

Access to SIS data is limited to authorised staff in the performance of their tasks. They must ensure that the use of SIS data is limited to that which is necessary, appropriate and proportionate for carrying out their tasks. The following entities have direct access to consult SIS data in the performance of their tasks:

• the Grand-Ducal Police,
• the Custom and Excise Administration,
• the state Prosecutor General and the State Prosecutor,
• the investigating judge,
• the Minister responsible for foreign affairs,
• the Minister responsible for immigration,
• the Minister responsible for Luxembourg nationality,
• the Minister responsible for armes,
• the Minister having the State Information Technology Center (CTIE) in its remit,
• the Commissioner for maritime affairs,
• the Civil Aviation Directorate,
• the State Intelligence Service.

Furthermore, the National Society of Automobile Traffic (SNCA) has indirect access to SIS data in the performance of their tasks.

Data can only be retained in the SIS for as long as is necessary to achieve that specific alert’s purpose. Once this purpose is achieved, the Schengen country that issued the alert must delete the data without delay. EU law requires  Schengen countries, which entered the alert, to regularly review data which they entered in the SIS.

Different review and retention periods apply depending on the type of alert:

• Alerts for arrest and alerts on missing persons must be reviewed within five years;
• Alerts on return decisions and alerts for refusal of entry and stay must also be reviewed within five years;
• Alerts on persons sought to assist with judicial procedures and alerts on unknown wanted persons must be reviewed within three years.
• Alerts for discreet, inquiry or specific checks, and alerts on children at risk of abduction or vulnerable persons at risk must be reviewed within one year.
• Alerts on objects for seizure or use as evidence must be reviewed within ten years, or within shorter periods for certain object types.

The retention period for an alert may be extended if it is necessary and proportionate to achieve the purpose of the alert.

All data subjects have the right to request access to their personal data, the correction of inaccurate data as well the erasure of data unlawfully stored in the SIS.

National procedures and contact points for the requests on exercise of the data subject rights have been compiled in a comprehensive guide (link). The guide also contains model letters that data subjects can complete in order to exercise their respective rights.

In addition,  the CNPD provides below model letters to help you submitting your request.

To exercise your data subject rights, you must first address your request to the Data Protection Officer of the Grand-Ducal Police. You can send an email or a letter to the following address:

Direction générale de la Police grand-ducale

Cité Policière Grand-Duc Henri

A l’attention du Délégué à la Protection des Données

Complexe A, rue de Trèves

L-2957 Luxembourg

E-mail: dpo@police.etat.lu

Your request must include specific information required by the Grand-Ducal Police. Further details on this are available on the website of the Grand-Ducal Police in the section “Protection of individuals with regard to the processing of personal data in the Schengen Information System (SIS)” (link).

Your request should be answered within one month of receipt of the request. Where necessary, that period may be extended by two further months. If this is the case, you should be informed of the reasons for the delay within the one-month period.

Should you not receive an answer within the time limits or should you not be satisfied with the answer received, you have the right to lodge a complaint with the CNPD by using the dedicated online form (link).

Under certain circumstances the controller can limit your rights.

Should the controller decide to limit your rights, you should be informed of said limitation. However, the controller can decide to omit such information on the restriction, if it would undermine the purpose of the limitation.

Additionally, the controller is obliged to inform you about the judicial remedies available, as well as your possibility to lodge a complaint with the CNPD and/or to exercise your data subject rights indirectly via the CNPD.

If you wish to exercise your rights indirectly via the CNPD, please use the complaint form on the website of the CNPD (Link). You should explicitly indicate that you wish to exercise your rights indirectly because of a limitation imposed by the data controller.

As stated above, you should address your requests to to exercise your data subject rights to the Data Protection Officer of the Grand-Ducal Police . You can only exercise your rights indirectly if the data controller applies limitations as described above.

As mentioned before, the CNPD is responsible to handle complaintsrelated to a violation of your rights as a data subject. To submit a complaint to the CNPD you should use the complaint form available on the website of the CNPD.