No, SIS does not contain personal data on all European citizens or residents.
The system only contains data on people and objects wanted by the competent public authorities in EU countries and Schengen associated countries. EU law regulates which personal data can be stored and for what purposes. EU law also regulates the period during which data may be stored in SIS and when the data must be deleted.
If you suspect your personal data are being unlawfully processed in SIS or via SIRENE Bureaux, you can request that those data are deleted and you can seek judicial redress before the competent judicial authorities in any of the countries that use SIS. You may consult the SIS Guide on the right to access data.
If you are a non-EU national who has just been issued with a return decision or with an order of refusal of entry and stay, you have the right to be informed whether an alert will be issued in SIS about you and also to be given information about the retention of your data. This right of information may be restricted, in particular in order to safeguard national security, defence, public security, and the prevention, detection, investigation and prosecution of criminal offences.
If you believe that an alert may have been issued unlawfully about you in SIS, you have the right to request access to the data and also to request their deletion.
If you believe that incorrect data have been entered about you in the SIS, you have the right to request access to the data and also to request the correction or deletion of the data.
You can exercise any of the above-mentioned rights in any of the countries using SIS. The national procedures and contact points for access requests for each country can be found in the Guide for exercising the right of access and are also available on the website of the European Data Protection Supervisor.
The right of information is only applicable to personal data entered in SIS as part of alerts on return decisions or as part of alerts on refusal of entry and stay. These data are subject to the rules of the General Data Protection Regulation and the special data protection rules found in the Regulations regulating SIS alerts on return decisions, and SIS alerts on refusals of entry and stay (Regulation (EU) 2018/1860 and Regulation (EU) 2018/1861). This information is generally included in the decision or notified to the data subject when that person is served with the return decision and/or order on refusal of entry and stay. Everyone who is subject to such a decision, order or alert has the right to ask for this information.
The data in SIS can only be checked where EU law permits their use. The data in the system can be checked by national authorities when they are performing their border management and public security related functions or functions related to the free movement of people.
SIS is a highly secure and protected database that is exclusively accessible to authorised users within competent authorities who are responsible for:
- border control, in accordance with the Schengen Borders Code
- police and customs checks carried out within the relevant country, and the coordination of such checks by designated authorities
- the prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences or the enforcement of criminal penalties, within the relevant country, provided that the Data Protection Directive applies
- examining the conditions and taking decisions relating to: (i) the entry and stay of third-country nationals in Schengen countries, including on residence permits and long-stay visas; and (ii) the return of third-country nationals, as well as carrying out checks on third-country nationals who illegally enter or stay in Schengen countries
- security checks on third-country nationals who apply for international protection (insofar as the authorities carrying out the checks are not ‘determining authorities’ as defined in point (f) of Article 2 of the Directive on common procedures for granting and withdrawing international protection) and, where relevant, providing advice in accordance with the Council Regulation on the creation of an immigration liaison officers network
- examining visa applications and taking decisions relating to those applications including on whether to annul, revoke or extend visas, in accordance with the EU’s Visa Code
- verifying different identities and combating identity fraud, in accordance with Chapter V of the Interoperability Regulation
- naturalisation, as provided for in national law, for the purposes of examining an application for naturalisation
- initiating public prosecutions in criminal proceedings and for judicial inquiries prior to charging a person, in the performance of their tasks, as provided for in national law, and by their coordinating authorities
- issuing registration certificates for vehicles, as referred to in the Council Directive on the registration documents for vehicles, for the sole purpose of checking whether vehicles and accompanying vehicle registration certificates and number plates presented to them for registration have been stolen, misappropriated, lost, purport to be such a document but are false or are sought as evidence in criminal proceedings
- issuing registration certificates or ensuring traffic management for boats, including boat engines, and aircraft, including aircraft engines, for the sole purpose of checking whether boats, including boat engines, and aircraft, including aircraft engines, presented to them for registration or subject to traffic management have been stolen, misappropriated, lost or are sought as evidence in criminal proceedings
- issuing registration certificates for firearms, for the purpose of checking whether the person requesting registration is wanted for arrest for surrender or extradition purposes or for the purposes of discreet, inquiry or specific checks or whether firearms presented for registration are sought for seizure or for use as evidence in criminal proceedings
- the manual processing of ETIAS applications by the ETIAS National Unit, pursuant to Article 8 of the Regulation establishing a European Travel Information and Authorisation System (ETIAS)
SIS can also be accessed by:
- Europol, where access is necessary to fulfil its mandate
- national members of Eurojust and their assistants, where access is necessary to fulfil their mandate
- members of Frontex teams, where access is necessary to carry out their task and is required by the operational plan for a specific operation.
These authorities may only access the SIS data that they need to carry out their tasks. A list of competent national authorities with access to SIS is published annually in the Official Journal of the European Union.
When people travel, their data are processed in different systems depending on their immigration status, their destination and the mode of transport chosen. Air-passenger data for example can be checked against SIS and other systems in accordance with the EU PNR Directive and the API Directive, and the laws transposing these at national level.
Data belonging to non-EU nationals applying for a visa, residence permit or citizenship in an EU country are checked against SIS in accordance with the applicable EU or national legislation. When entering or exiting the Schengen area, your data are checked against SIS during the border control check. Your data are also checked against SIS whenever you are checked by law enforcement officers in any of the countries that use the system.
Data recorded in SIS can only be retained in the system for as long as is necessary to achieve that specific alert’s purpose. Once this is achieved, the country that issued the alert must delete the data without delay. EU law requires the issuing countries to regularly review data held in the system.
Different review and retention periods apply depending on the type of alert:
- Alerts for arrest and alerts on missing persons must be reviewed within 5 years.
- Alerts on return decisions and alerts for refusal of entry and stay must also be reviewed within 5 years.
- Alerts on persons sought to assist with judicial procedures and alerts on unknown wanted persons must be reviewed within 3 years.
- Alerts for discreet, inquiry or specific checks, and alerts on children at risk of abduction or vulnerable persons at risk must be reviewed within 1 year.
- Alerts on objects for seizure or use as evidence must be reviewed within 10 years, or shorter for certain object types.
Countries may extend the retention period for an alert if it is necessary and proportionate to do so to achieve the purpose of the alert.
EU law provides that, in certain situations, data derived from the system may be kept at national level in accordance with national law.