Visa Information System (VIS)

What is the Visa Information System?

The purpose of the Visa Information System (VIS) is to facilitate the visa application procedure, prevent visa shopping and fraud, facilitate border checks as well as identity checks within the territory of the Member States and to contribute to the prevention of threats to the internal security of the Member States. To this end, the VIS provides a central repository of data on all short-stay Schengen visas. This data can be accessed by authorities issuing visas, e.g. consulates of Member States, by checkpoints at the Schengen border to verify the identity of visa holders, as well as for the purpose of identifying third-country nationals apprehended within the Schengen Area with fraudulent documents or without documents.

The architecture mirrors that of other large-scale IT systems: a central unit ('central VIS') managed by the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice ('eu-LISA') is connected to national systems in the Member States.


What data is stored in the VIS?

Articles 9-14 of the VIS Regulation set out which data shall be entered into the system at the various stages of the processing of a visa application.

The VIS holds personal data taken from the visa application (such as name, sex, date and place of birth, nationality, the home address of the applicant, the occupation, the planned travel itinerary, inviting persons, the type and number of the travel document, etc.), but it also includes a photograph and fingerprints of the applicant. In the course of the visa application procedure, other data is added, for example whether the visa is granted, extended, revoked or annulled. Furthermore, the place and date of the decision as well as the type of visa and the sticker number are added to the VIS.

Who has access to the VIS?

Competent visa authorities, meaning consulates and central visa authorities, consult the VIS for the purpose of examining applications and decisions related thereto.

For carrying out the checks at external borders and within the national territories, competent authorities have access to the VIS for the purpose of verifying the identity of the person, the authenticity of the visa or whether the person meets the requirements for entering, staying in or residing within the national territories.

Asylum authorities only have access to search the VIS for the purpose of determining the EU State responsible for the examination of an asylum application.

In specific cases, national law enforcement authorities can request access to data entered into the VIS for the purposes of preventing, detecting and investigating terrorist and criminal offences.

Access to VIS data is limited to authorised staff in the performance of their tasks. They must ensure that the use of VIS data is limited to that which is necessary, appropriate and proportionate for carrying out their tasks.

How long is data stored in the VIS?

Data is kept in the VIS for five years. This retention period starts from the expiry date of the issued visa, the date a negative decision is taken or the date a decision to modify an issued visa is taken.

Your specific data protection rights related to VIS

Your right of access to, rectification, completion, erasure of personal data and restriction of processing

Article 38 of the VIS Regulation explicitly states that the right of access, the right of rectification, the right of erasure as well as the right to restriction of processing under the GDPR are applicable.

Consequently, you have the right of access to your data in the VIS, you may request that inaccurate data is corrected and unlawfully recorded data is deleted, and under certain conditions you have the right to obtain restriction of processing from the controller.

To exercise your rights, you should address your request directly to the central authority for visa applications:

Ministère des Affaires étrangères

Passport, visa and legalisation office

6, rue de l'Ancien Athénée

L-1144 Luxembourg

Luxembourg

E-mail: service.visas@mae.etat.lu

Data protection officer: dataprotection.mae@mae.etat.lu

Below, the CNPD provides model letters to help you submit the request.

Where the controller has reasonable doubts as to the identity of the person making the request, he may request additional information necessary to confirm the identity of the data subject.

If the central authority for visa applications does not or does not fully grant access to the data within one month, you may lodge a complaint with the national data protection authority. The same applies to the incorrect or insufficient correction or deletion of data in the VIS, or when you consider that the controller has incorrectly refused to restrict the processing.

However, note that the CNPD is not competent to handle any claims for damages or any appeal against a refusal, revocation or annulment of the visa. Those procedures must be brought before the competent courts.

In addition to the information provided above, the CNPD invites you to consult the dedicated section on the processing of personal data in the VIS system on the website of the Passport, visa and legalisation office of the Ministry of Foreign Affairs.

Your rights when the controller limits your data protection rights

Under certain circumstances provided by Article 38(7) of the VIS Regulation, the controller can limit the rights of the data subjects. This limitation is, however, restricted to personal data of a specific part of the visa application file and can under no circumstances encompass all the data of the applicant.

Should the controller decide to limit your rights, you should be informed of said limitation. However, please note that the controller can decide to omit such information on the restriction, but only where it would undermine the reason for the limitation.

Additionally, you will be informed of the judicial remedies available, as well as your possibility to lodge a complaint with the CNPD and/or to exercise your data subject rights indirectly via the CNPD.

If you wish to exercise your rights indirectly via the CNPD, please use the complaint form on the website of the CNPD. You should explicitly indicate that you wish to exercise your rights indirectly because of a limitation imposed by the data controller.

Please note that you should first address the central authority for visa applications for any requests to exercise your rights. You can only exercise your rights indirectly if the data controller applies limitations as described above.

Your right to lodge a complaint with the CNPD

As mentioned before, the CNPD is responsible for handling complaints should you consider that your data protection rights are not being complied with.

Role of the CNPD

The CNPD is competent in general when it comes to monitoring the lawfulness of the processing of personal data in Luxembourg. The CNPD is, however, not in charge of supervising the lawfulness of the processing of personal data carried out by courts of the judicial order, including the public prosecutor (ministère public), or the administrative order acting in their judicial capacities. Hence, the CNPD is responsible for monitoring the lawfulness of the processing of personal data related to VIS by Luxembourg authorities falling under its competence.

In this respect, the CNPD informs data subjects of their rights regarding the processing of personal data in the VIS. Any person can contact the CNPD via the online form for information requests.

As mentioned before, the CNPD is also responsible for handling complaints should data subjects consider that their data protection rights are not being complied with or for handling indirect exercises of data subjects’ rights.

In addition to the general obligation to monitor the lawfulness of the processing of personal data by the Luxembourgish authorities in the VIS, the CNPD also carries out audits of the data processing operations by the responsible national authorities. The CNPD has the legal obligation to carry out an audit at least every four years.

Lastly, the national data protection authorities, including the CNPD, oversee the application of data protection rules in their respective countries, while the European Data Protection Supervisor (EDPS) monitors how data protection rules are applied in the central system managed by eu-LISA. The two levels work together under the Coordinated Supervision Committee (CSC) to ensure end-to-end coordinated surveillance.
