What is the Visa Information System?
The Visa Information System (VIS) is a system for the exchange of data among Member States regarding applications for Schengen short-stay visas and the decisions taken on those applications.
The purpose of the VIS is to facilitate the visa application procedure, prevent visa shopping and fraud, facilitate checks at external borders as well as identity checks within the territory of the Member States and to contribute to the prevention of threats to the internal security of the Member States. This data in VIS can be accessed by authorities issuing visas, e.g. consulates of Member States verifying the requests for visa, or by checkpoints at the Schengen border to verify the identity of visa holders..
The architecture of VIS mirrors that of other large-scale IT systems: a central system ('central VIS') managed by the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice ('eu-LISA'), which is connected to national systems in the Member States (link).
What data is stored in the VIS?
The Articles 9-14 of the Regulation (EC) 767/2008 (‘VIS Regulation’), sets out which data shall be introduced in the VIS at the various stages of the processing of a visa application.
The VIS holds personal data taken from the visa application (such as name, sex, date and place of birth, nationality, the home address of the applicant, the occupation, the planned travel itinerary, inviting persons, the type and number of the travel document etc.), but it also includes a photograph and fingerprints of the applicant. In the course of the visa application procedure, other data is added, for example whether the visa is granted, extended revoked or annulled. Furthermore, the place and date of the decision as well as the type of visa and the sticker number is added in the VIS.
Who has access to the VIS?
Competent visa authorities, meaning consulates and central visa authorities, consult the VIS for the purpose of examining applications and of issuing decisions related thereto.
For carrying out the checks at external borders and within the national territories, competent authorities have access to the VIS for the purpose of verifying the identity of the person, the authenticity of the visa or whether the person meets the requirements for entering, staying in or residing within the national territories.
Asylum authorities have access to search the VIS, in partcularfor the purpose of determining the Member State responsible for the examination of an asylum application and for examining the application for asylum .
In specific cases, national law enforcement authorities can request access to data entered into the VIS for the purposes of preventing, detecting and investigating terrorist and criminal offences.
Access to VIS data is limited to authorised staff in the performance of their tasks. They must ensure that the use of VIS data is limited to that which is necessary, appropriate and proportionate for carrying out their tasks.
Your specific data protection rights related to VIS
Your right of access to, rectification, erasure of personal data and restriction of processing
Article 38 of the VIS Regulation explicitly states that the right of access (link), the right of rectification (link), the right of erasure (link) as well as the right to restriction (link) of processing of the GDPR are applicable.
Consequently, data subjects have the right of access to their data in the VIS, the right that inaccurate data about them is corrected and uncompleted data is completed as well as the right to obtain deletion of unlawfully recorded data. Under certain conditions they have the right to obtain restriction of processing from the controller.
To exercise your data subject rights, you should address first your request directly to the central authority for visa applications. You can send an email or a letter to the following address:
Ministère des Affaires étrangères et européennes, de la Défense, de la Coopération et du Commerce extérieur
Bureau des passeports, visas et légalisations
6, rue de l'Ancien Athénée
L-1144 Luxembourg
E-mail: service.visas@mae.etat.lu
Below, the CNPD provides model letters in order to help submitting the request.
Your request should be answered within one month of its receipt.
Should you not receive an answer within the time limits or should you not be satisfied with the answer received, you have the right to lodge a complaint with the CNPD by using the dedicated online complaint form (link).
Further information is available on the website of the Passport, visa and legalisation office of the Ministry of Foreign and European Affairs (link).
Your rights when the controller limits your data protection rights
Under certain circumstances, the controller can limit the rights of the data subjects..
Should the controller decide to limit your rights, you should be informed of said limitation. However, the controller can decide to omit such information on the restriction, where it would undermine the purpose of the limitation.
Additionally, the controller mus inform you of the judicial remedies available, as well as your possibility to lodge a complaint with the CNPD and/or to exercise your data subject rights indirectly via the CNPD.
If you wish to exercise your rights indirectly via the CNPD, please use the complaint form on the website of the CNPD (link). You should explicitly indicate that you wish to exercise your rights indirectly because of a limitation imposed by the data controller.
As already mentioned, you should first address your request to the central authority for visa applications for any requests to exercise your rights. You can only exercise your rights indirectly if the data controller applies limitations as described above.
Your right to lodge a complaint with the CNPD
As mentioned before, the CNPD is competent to handle complaints related to a violation of your rights as a data subject. To submit a complaint to the CNPD you should use the complaint form available on the website of the CNPD.
Role of the CNPD
The CNPD has general competence to monitor the lawfulness of the processing of personal data according to the VIS Regulation by Luxembourg authorities. The CNPD is however not competent to supervise the lawfulness of the processing of personal data carried out by courts of the judicial order, including the public prosecutor (ministère public), or the courts of administrative order acting in their judicial capacities.
In this respect, the CNPD informs data subjects on their rights regarding the processing of personal data according to the VIS Regulation. Any data subject can contact the CNPD via the online form for information requests (link). There is no need to submit documents (e.g., a copy of an ID) to the CNPD when filing the request.
As mentioned before, the CNPD is also responsible to handle complaints related to a violation of data protection rights and to handle indirect exercises of data subjects’ rights.
In addition to the general obligation to monitor the lawfulness of the processing of personal data by the Luxembourgish authorities according to the VIS Regulation, the CNPD also carries out at least every four years audits of the data processing operations by the responsible national authorities.
The national data protection authorities, including the CNPD, and the European Data Protection Supervisor (EDPS), who monitors the application of data protection rules in the central system managed by eu-LISA, work together in the framework of the Coordinated Supervision Committee (CSC) to ensure end-to-end coordinated surveillance (link).