VIS regulation

SUMMARY OF:

Regulation (EC) No 767/2008 concerning the visa information system and the exchange of data between Member States on short-stay visas (VIS regulation)

WHAT IS THE AIM OF THE REGULATION?

It sets up the visa information system (VIS) and lays down the procedures and conditions for the exchange of visa data with regard to short-stay visa applications between European Union (EU) Member States which have signed the Schengen Agreement and Convention.

KEY POINTS

Note to reader: this regulation has been amended several times. This summary reflects the content of the regulation, as amended, where these amendments have actually entered into force.

Purpose

The purpose of the VIS, originally set up under Decision 2004/512/EC, is to improve the implementation of the common visa policy, consular cooperation and consultations between the central visa authorities by:

facilitating the visa application procedure;
preventing ‘visa shopping’;
facilitating the fight against fraud;
facilitating checks at external border crossing points and in the national territories;
assisting in identifying persons who do not meet the requirements for entering, staying or residing in the national territories;
facilitating the application of Regulation (EU) No 604/2013, which determines the Member State responsible for examining a non EU-country national’s asylum application (see summary);
contributing to the prevention of threats to Member States’ internal security.

In specific cases, the national authorities and Europol may request access to data entered into the VIS for the purpose of preventing, detecting and investigating terrorist and criminal offences.

The following categories of data are recorded in the VIS:

alphanumeric data on the applicant and on the visas requested, issued, refused, annulled, revoked or extended;
photographs;
fingerprint data;
links to previous visa applications and to the application files of persons travelling together.

Categories of data recorded in the common identity repository

The following data are recorded in the common identity repository (CIR):

family name, given names, date of birth, sex;
surname at birth (former surname(s)), place and country of birth, current nationality and nationality at birth;
travel document information, including:
- type and number,
- issuing country,
- issuing authority,
- date of expiry of validity.

Access to the VIS

Only duly authorised staff of the visa authorities may enter, amend or delete VIS data;
Only duly authorised staff of the visa authorities and authorities who carry out checks at the external border crossing points, immigration checks and asylum may consult VIS data.
Authorities with access to VIS must ensure that:
- its use is limited to that which is necessary, appropriate and proportionate for carrying out their tasks;
- in using VIS, visa applicants and holders are not discriminated against and that their human dignity and integrity are respected.

Data entry by the visa authorities

The visa authority creates the application file, where an application is admissible according to the Visa Code, laid down in amending Regulation (EC) No 810/2009 (see summary). It enters the data specified in Article 9 of Regulation (EC) No 767/2008 into the VIS.
The visa authority adds other data where a decision has been taken to issue a visa, for example:
- the issuing authority;
- the type of visa;
- the number of the visa sticker;
- the territory in which the visa holder is entitled to travel;
- the start and end dates of the visa’s validity;
- the number of entries authorised by the visa in the territory.
The grounds must be specified where a decision has been taken to:
- refuse, annul or revoke a visa; or
- extend its period of validity.

Use of the VIS

The VIS is used:

by competent visa authorities examining applications and the decisions relating to those applications;
between central visa authorities for consultation and requests for documents;
by competent visa authorities for the purposes of reporting and statistics (without identifying individual applicants).

Access to VIS data by other authorities

Amending Regulation (EU) 2017/2226 introducing the EU Entry/Exit System (EES) (see summary) resulted in more efficient and rapid border checks by means of a secure communication channel between the central system of the EES and the central VIS. Direct consultation between the EES and the VIS is only possible where both Regulation (EC) No 767/2008 and Regulation (EU) 2017/2226 so provide.
Visa authorities using the VIS may consult the EES from the VIS:
- when examining and deciding on visa applications;
- in order to retrieve and export the visa-related data directly from the VIS into the EES in the event that a visa is annulled, revoked or extended.
Border authorities using the EES may consult the VIS from the EES in order to:
- retrieve the visa-related data directly from the VIS and import them into the EES;
- verify the authenticity and validity of the visa;
- check whether visa-exempt non-EU nationals for whom an individual file is not recorded in the EES were previously registered in the VIS;
- verify, where the identity of a visa holder is verified using fingerprints, the identity of a visa holder with fingerprints against the VIS.
Authorities competent for carrying out checks within the territory of the Member States may search data with the sole purpose of verifying the identity of the visa holder and/or the authenticity of the visa and/or whether the conditions for entry to, stay or residence are fulfilled.
National authorities responsible for asylum may have access to data for the sole purposes of:
- determining the Member State responsible for examining an asylum application; and
- examining an application for asylum.

Operation of the VIS

Since June 2018, the European Agency for the Operational Management of Large-Scale IT Systems (eu-LISA) has been responsible for the operational management of the Central VIS and the national interfaces which connect to Member States’ national systems.
Operational management of the VIS consists of all the tasks necessary to keep the VIS functioning 24 hours a day, 7 days a week. These include the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality.
Each EU Member State is responsible for:
- developing, organising, managing, operating and maintaining its national system;
- ensuring the security of data before and during transmission to its national interface and, to this end, adopting a security plan;
- managing access by duly authorised staff of its competent national authorities to the VIS;
- bearing the costs incurred by its national system.
Data in the VIS cannot be communicated to non-EU countries or international organisations unless it is vital for attesting a non-EU national’s identity in individual cases.

Data security, liability and protection

The Member State which has entered the data in the VIS must ensure its security before and during transmission to the national interface. Each country must ensure the security of data received from the VIS and adopt a security plan in relation to its national system.
Any person who, or country which, has suffered damage as a result of an unlawful processing operation or any act incompatible with Regulation (EC) No 767/2008 is entitled to receive compensation from the country responsible for the damage suffered.
Each country and the eu-LISA must keep records of all data processing operations within the VIS, as well as records of the staff duly authorised to enter or retrieve the data.
Each Member State must require a national supervisory authority, established in accordance with Regulation (EU) 2016/679 (see summary), to monitor the lawfulness of the processing of personal data by that country. The European Data Protection Supervisor monitors the activities of eu-LISA.

Application

As a Schengen instrument, this regulation applies to Member States with the exception of Ireland. Denmark has decided to implement the regulation, as have Iceland, Norway and Switzerland.

Recent amendments to Regulation (EC) No 767/2008

With a view to addressing security challenges as well as changing migration patterns, efforts are under way to make the EU’s various information systems interoperable. Regulation (EC) No 767/2008 has therefore been amended several times to take this work into account — although these changes will not apply until a date yet to be decided, which will not be before 2023. These amendments are the following.

Regulation (EU) 2019/817 concerning interoperability between EU information systems in the field of justice, freedom and security (see summary).
Regulation (EU) 2021/1134 amending Regulation (EC) No 767/2008, as well as two closely related texts, the Visa Code (Regulation (EC) No 810/2009 — see summary) and the Schengen Borders Code (Regulation (EU) 2016/399 — see summary). Among other things, it strengthens the background checks undertaken before a decision is taken on granting a visa.
Regulation (EU) 2021/1152 amending Regulation (EC) No 767/2008 in relation to the VIS’s interoperability with the European Travel Information and Authorisation System set up under Regulation (EU) 2018/1240 (see summary).

FROM WHEN DOES THE REGULATION APPLY?

Application of Regulation (EC) No 767/2008 was to be determined by the European Commission in accordance with its Article 48(3). The VIS came into operation on 11 October 2011.
The regulation’s Articles 26, 27, 32, 45, 48(1), (2) and (4) and Article 49 have applied since 2 September 2008.

BACKGROUND

For more information, see:

Visa information system (VIS) (European Commission)
IT systems in the area of freedom, security and justice (Council of the European Union).

MAIN DOCUMENT

Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, pp. 60–81).

Successive amendments to Regulation (EC) No 767/2008 have been incorporated in the original text. This consolidated version is of documentary value only.