Second generation Schengen Information System (SIS II)

SUMMARY OF:

Regulation (EC) No 1987/2006 — establishment, operation and use of the second-generation Schengen Information System (SIS II)

Decision 2007/533/JHA — establishment, operation and use of the second generation Schengen Information System (SIS II)

WHAT ARE THE AIMS OF THE REGULATION AND DECISION?

The regulation and the decision provide the legal basis for the SIS II which contains official alerts* on individuals and objects. They set out the system’s architecture and the responsibilities and rights of those involved.
The regulation covers the entry into the EU for and the processing of alerts on non-EU nationals.
The decision covers alerts on people and objects linked to police and judicial criminal cooperation.
Although SIS II has 2 legislative bases, it operates as a single information system. Many of the articles in the regulation and the decision are the same.

KEY POINTS

Architecture. SIS II consists of the following.

A central system (Central SIS II) with:
- a technical and administrative support function (CS-SIS) with a database (SIS II database) based in Strasbourg and a backup, in case of system failure, near Salzburg (Austria);
- a uniform national interface (NI-SIS).
A national system (N.SIS.II) in each Schengen area country in which data are entered, updated, deleted and searched and which communicates with Central SIS II.
A communication infrastructure between CS-SIS and NI-SIS providing an encrypted virtual network.

Costs

The EU budget covers the costs of establishing, operating and maintaining Central SIS II and the communication infrastructure.
Schengen area countries cover the costs of establishing, operating and maintaining each N.SIS II.

Procedural rules

Before issuing an alert, EU countries must determine whether the case is adequate, relevant and important enough to merit entry in SIS II.
SIS II contains only categories of data required to achieve the specific aim of the alert. These include items such as a person’s name, gender, place and date of birth, photographs, fingerprints and the reason for the alert.
Photographs and fingerprints must satisfy a special quality check to ensure they meet minimum data quality standards.
Alerts on people and objects should be kept only for the time required to achieve their purpose.
Alerts on people are automatically erased after 3 years unless the issuing country decides, after a review, to extend it.
Alerts on objects, such as vehicles, boats, aircraft and containers may be kept for up to 5 years and those on objects to be seized or used as evidence in criminal proceedings up to 10 years — both may be extended.
The measures to be taken to avoid confusion or to rectify cases of misused identity.
Data processed in SIS II may not be transferred or made available to third countries or international organisations.
If a country considers that the action to be taken in response to an alert is incompatible with its national law, it may indicate it will take no action on its territory by adding a flag to the alert.

Alert categories

Regulation (EC) No 1987/2006 covers alerts (and the conditions attached) on non-EU citizens to refuse them entry or stay on the grounds they pose a threat to public policy or national security. This is particularly the case where the individual:

has been convicted in a EU country of an offence that carries a minimum 1-year jail sentence;
is thought to have committed, or intends to commit, a serious criminal offence;
has been subject to an expulsion, refusal of entry or removal order that is still in force.

Decision 2007/533/JHA sets out the alerts used to support operational cooperation between police and judicial authorities in criminal matters and the relevant procedures to submit and act on them. They cover:

persons wanted for extradition, or for arrest for surrender purposes on the basis of a European arrest warrant;
missing persons who need to be placed under protection and/or whose whereabouts need to be ascertained;
persons, such as witnesses or someone being served with a summons or sought to assist with a judicial procedure;
persons or vehicles, boats, aircraft and containers sought for discreet or specific checks for prosecution of criminal offences or prevention of threats to public security and, in the case of the objects, where they are clearly connected with serious criminal offences;
objects (such as motor vehicles, trailers, firearms, blank official documents, identity papers and banknotes) sought for seizure or for use as evidence in criminal proceedings.

The decision specifically allows data (number, issuing country and type of document) on stolen, misappropriated, lost or invalidated passports to be exchanged with members of Interpol.

The following entities have access to data in SIS II.

National authorities responsible for:
- border controls;
- police and customs checks;
- public prosecutions in criminal proceedings and judicial inquiries prior to charge;
- visa and residence permit authorities.
The European Police Office (Europol) may search data directly, but use of the information found in that search requires the consent of the Schengen area country concerned.
National members of Eurojust and their assistants, but not Eurojust’s own staff. Users may only access the data they require to perform their tasks.

Responsibilities

Each Schengen area country does the following.

Set up, operate and maintain its N.SIS II and its connection to the central system.
Designate an authority the national SIS II office (N.SIS II office). This has central responsibility for its national SIS II project and for the smooth operation and security of its national system.
Appoint a national authority, the Sirene Bureau, to ensure the exchange of supplementary information * by using the communication infrastructure. The bureaux coordinate verification of the quality of the information entered in SIS II.
Apply the protocols and technical procedures ensuring compatibility of its N-SIS II with CS-SIS to ensure prompt and effective sending of data.
Is responsible for ensuring that the data are accurate, up to date and lawfully entered in SIS II. It may modify, add to, correct, update or delete only that data which it entered.
Adopt a security plan to protect data and prevent unauthorised access.
Apply its rules of professional secrecy and confidentiality.
Record in its N.SIS II all exchanges of personal data within CS-SIS when it is not using national copies.
Ensure that all authorities entitled to access SIS II data comply with the regulation and decision.
Provide staff with appropriate training on data security and protection rules.
Is liable for any harm done to an individual through the use of N.SIS II.
Ensure any misuse of data entered in SIS II, or any exchange of supplementary information is subject to effective, proportionate and dissuasive penalties.

A management authority (eu-LISA) is responsible for:

the operational management of Central SIS II so it functions 24 hours a day, 7 days a week;
the communication infrastructure (its supervision, security and coordination of relations with EU countries);
a security plan, including contingency measures, to protect data and critical infrastructure and prevent unauthorised access or use (the Commission does the same for the communication infrastructure);
applying appropriate rules of professional secrecy and confidentiality;
recording all access to, and exchanges of, personal data within CS-SIS;
procedures to monitor SIS II on output, cost-effectiveness, security and quality of service;
publishing annual statistics on the categories of alerts and the frequency with which EU countries access SIS II.

Data protection

Processing of sensitive categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life) is prohibited.
An individual has the right to have factually inaccurate data about them corrected or deleted if unlawfully stored and be informed of the action taken.
Information indispensable for legal action or for the protection of the rights and freedoms of third parties may not be communicated to the data subject*.
An individual may take legal action to access, correct, delete or obtain information or compensation for an alert concerning them.
National supervisory authorities monitor the lawfulness of the processing and transmission of SIS II personal data and supplementary information in their country. They carry out an audit at least every 4 years.
The European Data Protection Supervisor (EDPS) checks the management authority’s data processing activities and ensures an audit is carried out at least every 4 years. The report is sent to the European Parliament, the management authority, the Commission and national supervisory authorities.
The national supervisory authorities and the EDPS cooperate closely, exchange relevant information and meet at least twice a year.
Decision 2007/533/JHA stipulates that personal data processed within its framework is covered by the Council of Europe 1981 Convention on the protection of individuals with regard to automatic processing of personal data.

FROM WHEN DO THE REGULATION AND DECISION APPLY?

The regulation has applied since 17 January 2007.

The decision has applied since 28 August 2007.

BACKGROUND

Revision of the SIS II legal framework

On 19 November 2018 the Council adopted three regulations on the use of the Schengen Information System which gradually replace the current regulation and decision in order to address potential gaps in the system and introduce several essential changes on the types of alert entered (see summary on A strengthened Schengen Information System Schengen Information System). This will contribute to strengthening the fight against terrorism and serious crime, ensuring a high level of security across the EU, and help migration management.

The new legal framework consists of the regulations:

in the field of police and judicial cooperation in criminal matters (Reg. 2018/1862)
in the field of border checks (Reg. 2018/1861)
for the return of illegally staying third-country nationals (Reg. 2018/1860).

The new regulations, to be put into effect gradually until December 2021, introduce additional categories of alerts to the system, such as:

alerts issued for the purpose of inquiry checks, an intermediary step between discreet checks and specific checks, which allow for individuals to be interviewed,
alerts on unknown suspects or wanted persons, which provide for the introduction into the SIS of fingerprints or palm prints discovered at the scenes of serious crimes or terrorist incidents and which are considered to belong to a perpetrator,
preventive alerts for children at risk of parental abduction, as well as children and vulnerable persons who need to be prevented from travelling for their own protection (for example, where travel might lead to the risk of forced marriage, female genital mutilation or trafficking of human beings),
alerts for the purpose of return, an alert in relation to return decisions issued to illegally staying non-EU country nationals, thereby improving the exchange of information in relation to return decisions.

They also expand the list of objects for which alerts can be issued, including false documents and high-value identifiable objects, as well as IT equipment.

In addition, the introduction of alerts in the SIS as regards entry bans for third-country nationals becomes compulsory.

The regulations introduce the possibility of using facial images for identification purposes, in particular to ensure consistency in border control procedures. It also allows for the inclusion of a DNA profile to facilitate the identification of missing persons in cases where fingerprint data, photographs or facial images are not available or not suitable for identification.

Europol is able to access all categories of data in the SIS and to exchange supplementary information with EU national Sirene Bureaux. In addition, EU countries must inform Europol of any hits when a person is sought in relation to a terrorist offence. For the purposes set out in its mandate, the European Border and Coast Guard Agency (Frontex) will also have access to the alert categories in SIS.

Further information

For more information, see:

Schengen Information System (European Commission).

KEY TERMS

Alert: A set of data enabling authorities to identify a person or object and act accordingly.

Supplementary information: Information not forming part of the alert data in SIS, but connected to it.

Data subject: an identified or identifiable natural person.

MAIN DOCUMENTS

Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, pp. 4-23)

Successive amendments to Regulation (EC) No 1987/2006 have been incorporated into the original document. This consolidated version is of documentary value only.

Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 205, 7.8.2007, pp. 63-84)

See consolidated version.