How is personal data protected?
SIS has strict requirements on data quality and data protection. The basic principle is that the country that entered the alert is responsible for its content. That country must ensure that the data are accurate, updated, and lawfully entered and stored.
The national data protection authorities supervise the application of the data protection rules in their respective countries, while the European Data Protection Supervisor monitors how the data protection rules are being applied in the central system managed by eu-LISA. Both levels work together to ensure coordinated end-to-end supervision.
If data about a person are stored, that person has the right to request access to the data. By accessing the data, the person can make sure that everything stored about them is accurate and lawfully entered. If this is not the case, the person has the right to request correction or deletion.
What can I do if I suspect my identity is being misused by a person registered in SIS?
Sometimes false identity documents or identity documents belonging to someone else are used when carrying out criminal offences or attempting to enter or stay in the Schengen Area. This can lead to issues for the legitimate holder of the identity. If you think this has happened to you, you should contact your national contact point for access and tell them about it. One action they can take to reduce the impact on you is to add some or all of the following data about you (with your agreement) to an alert in SIS:
- names at birth
- previously used names and any aliases possibly entered separately
- any specific objective and physical characteristic not subject to change
- place of birth
- date of birth
- photographs and facial images
- fingerprints, palm prints or both
- any nationalities held
- the category of your identification documents
- the country of issue of your identification documents
- the number(s) of your identification documents
- the date of issue of your identification documents
- your address
- your father's name
- your mother's name
This is only allowed with your explicit consent. Data linked to the misused identity is only accessible to the authorities who have the right to access the alert that has been issued for the person misusing your identity, and can only be used to avoid misidentification. The alert with your data must be removed at the same time as the alert for the person misusing your identity – or earlier, if you request this.
What rights do people have regarding their data stored in SIS?
If a person believes that their personal information has been misused or needs to be corrected or deleted, they may make use of the data protection rights recognised in the SIS legislation. These are:
- the right to access personal data stored in SIS
- the right to correct inaccurate personal data or have unlawfully stored personal data erased
- the right to bring proceedings before the courts or competent authorities to correct or erase personal data or to obtain compensation for any damages resulting from breaches of data protection law.
The SIS legislation gives a person the right to initiate action before the competent authority, including a court, under national rules to obtain information, to access, rectify or erase data, or to obtain compensation (if the person suffers damages) in connection with an alert relating to him or her.
Countries using SIS have mutually agreed to enforce final decisions handed down by the courts or authorities. This agreement means that a decision taken by a court or competent authority in one country should be recognised and enforced in all the countries that use SIS.
These rights can be exercised in any country that uses SIS. The national procedures and contact points for access requests have been compiled in a comprehensive guide.