This document is an excerpt from the EUR-Lex website
Document 02008R0767-20230803
Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)
Consolidated text: Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)
Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)
This consolidated text may not include the following amendments:
Amending act | Amendment type | Subdivision concerned | Date of effect |
---|---|---|---|
32024R1356 | Modified by | article 6 paragraph 2 | 12/06/2026 |
32024R1356 | Modified by | article 6 paragraph 2a | 12/06/2026 |
32023R2667 | Modified by | article 45 paragraph 2 point (o) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (l) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (r) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (i) | 27/12/2023 |
32023R2667 | Modified by | article 48a paragraph 6 Text | 27/12/2023 |
32023R2667 | Modified by | article 48a paragraph 2 Text | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (h) | 27/12/2023 |
32023R2667 | Modified by | article 48a paragraph 3 Text | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (g) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (p) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (m) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (j) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (q) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (n) | 27/12/2023 |
32023R2667 | Modified by | article 45 paragraph 2 point (k) | 27/12/2023 |
02008R0767 — EN — 03.08.2023 — 007.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 9 July 2008 (OJ L 218 13.8.2008, p. 60) |
Amended by:
|
|
Official Journal |
||
No |
page |
date |
||
REGULATION (EC) No 810/2009 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 July 2009 |
L 243 |
1 |
15.9.2009 |
|
REGULATION (EU) No 610/2013 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 |
L 182 |
1 |
29.6.2013 |
|
REGULATION (EU) 2017/2226 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 30 November 2017 |
L 327 |
20 |
9.12.2017 |
|
REGULATION (EU) 2019/817 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 2019 |
L 135 |
27 |
22.5.2019 |
|
REGULATION (EU) 2021/1134 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 7 July 2021 |
L 248 |
11 |
13.7.2021 |
|
REGULATION (EU) 2021/1152 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 7 July 2021 |
L 249 |
15 |
14.7.2021 |
Corrected by:
REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 9 July 2008
concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter and scope
This Regulation defines the purpose of, the functionalities of and the responsibilities for the Visa Information System (VIS), as established by Article 1 of Decision 2004/512/EC. It sets up the conditions and procedures for the exchange of data between Member States on applications for short-stay visas and on the decisions taken in relation thereto, including the decision whether to annul, revoke or extend the visa, to facilitate the examination of such applications and the related decisions.
By storing identity data, travel document data and biometric data in the common identity repository (CIR) established by Article 17(1) of Regulation (EU) 2019/817 of the European Parliament and of the Council ( 1 ), the VIS contributes to facilitating and assisting in the correct identification of persons registered in the VIS under the conditions and for the purposes of Article 20 of that Regulation.
Article 2
Purpose
The VIS shall have the purpose of improving the implementation of the common visa policy, consular cooperation and consultation between central visa authorities by facilitating the exchange of data between Member States on applications and on the decisions relating thereto, in order:
to facilitate the visa application procedure;
to prevent the bypassing of the criteria for the determination of the Member State responsible for examining the application;
to facilitate the fight against fraud;
to facilitate checks at external border crossing points and within the territory of the Member States;
to assist in the identification of any person who may not, or may no longer, fulfil the conditions for entry to, stay or residence on the territory of the Member States;
to facilitate the application of Regulation (EC) No 343/2003;
to contribute to the prevention of threats to the internal security of any of the Member States.
Article 3
Availability of data for the prevention, detection and investigation of terrorist offences and other serious criminal offences
Article 4
Definitions
For the purposes of this Regulation, the following definitions shall apply:
‘visa’ means:
‘uniform visa’ as defined in Article 2(3) of Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community code on Visas (Visa Code) ( 3 );
▼M1 —————
‘airport transit visa’ as defined in Article 2(5) of Regulation (EC) No 810/2009;
‘visa with limited territorial validity’ as defined in Article 2(4) of Regulation (EC) No 810/2009;
▼M1 —————
‘visa sticker’ means the uniform format for visas as defined by Regulation (EC) No 1683/95;
‘visa authorities’ means the authorities which in each Member State are responsible for examining and for taking decisions on visa applications or for decisions whether to annul, revoke or extend visas, including the central visa authorities and the authorities responsible for issuing visas at the border in accordance with Council Regulation (EC) No 415/2003 of 27 February 2003 on the issue of visas at the border, including the issue of such visas to seamen in transit ( 4 );
‘application form’ means the uniform application form for visas in Annex 16 to the Common Consular Instructions;
‘applicant’ means any person subject to the visa requirement pursuant to Council Regulation (EC) No 539/2001 of 15 March 2001 listing the third countries whose nationals must be in possession of visas when crossing the external borders and those whose nationals are exempt from that requirement ( 5 ), who has lodged an application for a visa;
‘group members’ means applicants who are obliged for legal reasons to enter and leave the territory of the Member States together;
‘travel document’ means a passport or other equivalent document entitling the holder to cross the external borders and to which a visa may be affixed;
‘Member State responsible’ means the Member State which has entered the data in the VIS;
‘verification’ means the process of comparison of sets of data to establish the validity of a claimed identity (one-to-one check);
‘identification’ means the process of determining a person's identity through a database search against multiple sets of data (one-to-many check);
‘alphanumeric data’ means data represented by letters, digits, special characters, spaces and punctuation marks;
‘VIS data’ means all data stored in the VIS Central System and in the CIR in accordance with Articles 9 to 14;
‘identity data’ means the data referred to in Article 9(4)(a) and (aa);
‘fingerprint data’ means the data relating to the five fingerprints of the index, middle finger, ring finger, little finger and the thumb from the right hand and, where present, from the left hand.
Article 5
Categories of data
Only the following categories of data shall be recorded in the VIS:
alphanumeric data on the applicant and on visas requested, issued, refused, annulled, revoked or extended referred to in points (1) to (4) of Article 9 and Articles 10 to 14;
photographs referred to in point (5) of Article 9;
fingerprint data referred to in point (6) of Article 9;
links to other applications referred to in Article 8(3) and (4).
Article 5a
List of recognised travel documents
Article 6
Access for entering, amending, deleting and consulting data
Access to the VIS for consulting the data shall be reserved exclusively for the duly authorised staff of:
the national authorities of each Member State and of the Union bodies which are competent for the purposes of Articles 15 to 22, Articles 22g to 22m and Article 45e of this Regulation;
the ETIAS Central Unit and the ETIAS National Units, designated pursuant to Articles 7 and 8 of Regulation (EU) 2018/1240, for the purposes of Articles 18c and 18d of this Regulation and for the purposes of Regulation (EU) 2018/1240; and
the national authorities of each Member State and of the Union bodies which are competent for the purposes of Articles 20 and 21 of Regulation (EU) 2019/817.
Such access shall be limited to the extent to which the data are required for the performance of the tasks of those authorities and Union bodies in accordance with those purposes and proportionate to the objectives pursued.
Each Member State shall designate the competent authorities, the duly authorised staff of which shall have access to enter, amend, delete or consult data in the VIS. Each Member State shall without delay communicate to the Commission a list of these authorities, including those referred to in Article 41(4), and any amendments thereto. That list shall specify for what purpose each authority may process data in the VIS.
Within 3 months after the VIS has become operational in accordance with Article 48(1), the Commission shall publish a consolidated list in the Official Journal of the European Union. Where there are amendments thereto, the Commission shall publish once a year an updated consolidated list.
Article 7
General principles
CHAPTER II
ENTRY AND USE OF DATA BY VISA AUTHORITIES
Article 8
Procedures for entering data upon the application
Article 9
Data to be entered on application
The visa authority shall enter the following data in the application file:
the application number;
status information, indicating that a visa has been requested;
the authority with which the application has been lodged, including its location, and whether the application has been lodged with that authority representing another Member State;
the following data to be taken from the application form:
surname (family name); first name or names (given names); date of birth; sex;
surname at birth (former surname(s)); place and country of birth; current nationality and nationality at birth;
the type and number of the travel document or documents and the three-letter code of the issuing country of the travel document or documents;
the date of expiry of the validity of the travel document or documents;
the authority which issued the travel document and its date of issue;
place and date of the application;
▼M1 —————
details of the person issuing an invitation and/or liable to pay the applicant's subsistence costs during the stay, being:
in the case of a natural person, the surname and first name and address of the person;
in the case of a company or other organisation, the name and address of the company/other organisation, surname and first name of the contact person in that company/organisation;
Member State(s) of destination and duration of the intended stay or transit;
main purpose(s) of the journey;
intended date of arrival in the Schengen area and intended date of departure from the Schengen area;
Member State of first entry;
the applicant’s home address;
current occupation and employer; for students: name of ►M1 educational establishment ◄ ;
in the case of minors, surname and first name(s) of the applicant's ►M1 parental authority or legal guardian ◄ ;
a photograph of the applicant, in accordance with Regulation (EC) No 1683/95;
fingerprints of the applicant, in accordance with the relevant provisions of the Common Consular Instructions.
The applicant shall indicate his or her current occupation (job group) on a predetermined list.
The Commission shall adopt delegated acts in accordance with Article 48a to lay down the predetermined list of occupations (job groups).
Article 9h
Implementation and manual
Article 9j
Specific risk indicators
The Commission shall adopt a delegated act in accordance with Article 48a to further define the risks related to security or illegal immigration or a high epidemic risk on the basis of:
statistics generated by the EES indicating abnormal rates of overstaying and refusals of entry for a specific group of visa holders;
statistics generated by the VIS in accordance with Article 45a indicating abnormal rates of refusals of visa applications due to a security, illegal immigration or high epidemic risk associated with a specific group of visa holders;
statistics generated by the VIS in accordance with Article 45a and the EES indicating correlations between information collected through the application form and overstaying by visa holders or refusals of entry;
information substantiated by factual and evidence-based elements provided by Member States concerning specific security risk indicators or threats identified by a Member State;
information substantiated by factual and evidence-based elements provided by Member States concerning abnormal rates of overstaying and refusals of entry for a specific group of visa holders for a Member State;
information concerning specific high epidemic risks provided by Member States as well as epidemiological surveillance information and risk assessments provided by the European Centre for Disease Prevention and Control and disease outbreaks reported by the World Health Organization.
The specific risks referred to in the first subparagraph of this paragraph shall be reviewed at least every six months and, where necessary, a new implementing act shall be adopted by the Commission in accordance with the examination procedure referred to in Article 49(2).
Article 10
Data to be added for a visa issued
Where a decision has been taken to issue a visa, the visa authority that issued the visa shall add the following data to the application file:
status information indicating that the visa has been issued;
the authority that issued the visa, including its location, and whether that authority issued it on behalf of another Member State;
place and date of the decision to issue the visa;
the type of visa;
if applicable, the information indicating that the visa has been issued with limited territorial validity pursuant to Article 25(1)(b) of Regulation (EC) No 810/2009;
the number of the visa sticker;
the territory in which the visa holder is entitled to travel, in accordance with the relevant provisions of the Common Consular Instructions;
the commencement and expiry dates of the validity period of the visa;
the number of entries authorised by the visa in the territory for which the visa is valid;
the duration of the stay as authorised by the visa;
if applicable, the information indicating that the visa has been issued on a separate sheet in accordance with Council Regulation (EC) No 333/2002 of 18 February 2002 on a uniform format for forms for affixing the visa issued by Member States to persons holding travel documents not recognised by the Member State drawing up the form ( 6 );
if applicable, the information indicating that the visa sticker has been filled in manually;
if applicable, the status of the person indicating that the third-country national is a member of the family of a Union citizen to whom Directive 2004/38/EC of the European Parliament and of the Council ( 7 ) applies or of a third-country national enjoying the right of free movement equivalent to that of Union citizens under an agreement between the Union and its Member States, on the one hand, and a third country, on the other.
Article 11
Data to be added where the examination of the application is discontinued
Where the visa authority representing another Member State discontinues the examination of the application, it shall add the following data to the application file:
status information indicating that the examination of the application has been discontinued;
the authority that discontinued the examination of the application, including its location;
place and date of the decision to discontinue the examination;
the Member State competent to examine the application.
Article 12
Data to be added for a visa refusal
Where a decision has been taken to refuse a visa, the visa authority which refused the visa shall add the following data to the application file:
status information indicating that the visa has been refused and whether that authority refused it on behalf of another Member State;
the authority that refused the visa, including its location;
place and date of the decision to refuse the visa.
The application file shall also indicate the ground(s) for refusal of the visa, which shall be one or more of the following:
the applicant:
presents a travel document which is false, counterfeit or forged;
does not provide justification for the purpose and conditions of the intended stay;
does not provide proof of sufficient means of subsistence, both for the duration of the intended stay and for the return to his country of origin or residence, or for the transit to a third country into which he is certain to be admitted, or is not in a position to acquire such means lawfully;
has already stayed for 90 days during the current 180-day period on the territory of the Member States on the basis of a uniform visa or a visa with limited territorial validity;
is a person for whom an alert has been issued in the SIS for the purpose of refusing entry;
is considered to be a threat to public policy, internal security or public health as defined in Article 2(19) of the Schengen Borders Code or to the international relations of any of the Member States, in particular where an alert has been issued in Member States’ national databases for the purpose of refusing entry on the same grounds;
does not provide proof of holding adequate and valid travel medical insurance, where applicable;
the information submitted regarding the justification for the purpose and conditions of the intended stay was not reliable;
the applicant’s intention to leave the territory of the Member States before the expiry of the visa could not be ascertained;
sufficient proof that the applicant has not been in a position to apply for a visa in advance justifying application for a visa at the border was not provided.
Article 13
Data to be added for a visa annulled or revoked
Where a decision has been taken to annul or to revoke a visa, the visa authority that has taken the decision shall add the following data to the application file:
status information indicating that the visa has been annulled or revoked;
authority that annulled or revoked the visa, including its location;
place and date of the decision.
The application file shall also indicate the ground(s) for annulment or revocation, which shall be:
one or more of the ground(s) listed in Article 12(2);
the request of the visa holder to revoke the visa.
Article 14
Data to be added for a visa extended
Where a decision has been taken to extend the period of validity and/or the duration of stay of an issued visa, the visa authority which extended the visa shall add the following data to the application file:
status information indicating that the visa has been extended;
the authority that extended the visa, including its location;
place and date of the decision;
the number of the visa sticker of the extended visa;
the commencement and expiry dates of the extended period;
period of the extension of the authorised duration of the stay;
the territory in which the visa holder is entitled to travel, if the territorial validity of the extended visa differs from that of the original visa;
the type of the visa extended.
Article 15
Use of the VIS for examining applications
For the purposes referred to in paragraph 1, the competent visa authority shall be given access to search with one or several of the following data:
the application number;
surname (family name), first name or names (given names); date of birth; nationality or nationalities; sex;
the type and number of the travel document; three letter code of the issuing country of the travel document; and the date of expiry of the validity of the travel document;
the surname, first name and address of the natural person or the name and address of the company/other organisation, referred to in point (4)(f) of Article 9;
fingerprints;
the number of the visa sticker and date of issue of any previous visa.
Article 16
Use of the VIS for consultation and requests for documents
The Member State which is responsible for examining the application shall transmit the consultation request with the application number to the VIS, indicating the Member State or the Member States to be consulted.
The VIS shall transmit the request to the Member State or the Member States indicated.
The Member State or the Member States consulted shall transmit their response to the VIS, which shall transmit that response to the Member State which initiated the request.
Article 17
Use of data for reporting and statistics
The competent visa authorities shall have access to consult the following data, solely for the purposes of reporting and statistics without allowing the identification of individual applicants:
status information;
the competent visa authority, including its location;
current nationality of the applicant;
Member State of first entry;
date and place of the application or the decision concerning the visa;
the type of visa issued;
the type of the travel document;
the grounds indicated for any decision concerning the visa or visa application;
the competent visa authority, including its location, which refused the visa application and the date of the refusal;
the cases in which the same applicant applied for a visa from more than one visa authority, indicating these visa authorities, their location and the dates of refusals;
main purpose(s) of the journey;
the cases in which the data referred to in point (6) of Article 9 could factually not be provided, in accordance with the second sentence of Article 8(5);
the cases in which the data referred to in point (6) of Article 9 was not required to be provided for legal reasons, in accordance with the second sentence of Article 8 (5);
the cases in which a person who could factually not provide the data referred to in point (6) of Article 9 was refused a visa, in accordance with the second sentence of Article 8(5).
CHAPTER III
ACCESS TO DATA BY OTHER AUTHORITIES
Article 17a
Interoperability with the EES
Interoperability shall enable the visa authorities using the VIS to consult the EES from the VIS:
when examining and deciding on visa applications as referred to in Article 24 of Regulation (EU) 2017/2226 and Article 15(4) of this Regulation;
in order to retrieve and export the visa-related data directly from the VIS into the EES in the event that a visa is annulled, revoked or extended in accordance with Article 19 of Regulation (EU) 2017/2226 and Articles 13 and 14 of this Regulation.
Interoperability shall enable the border authorities using the EES to consult the VIS from the EES in order to:
retrieve the visa-related data directly from the VIS and import them into the EES so that an entry/exit record or refusal of entry record of a visa holder may be created or updated in the EES in accordance with Articles 14, 16 and 18 of Regulation (EU) 2017/2226 and Article 18a of this Regulation;
retrieve the visa-related data directly from the VIS and import them into the EES in the event that a visa is annulled, revoked or extended in accordance with Article 19 of Regulation (EU) 2017/2226 and Articles 13 and 14 of this Regulation;
verify the authenticity and validity of the visa, whether the conditions for entry to the territory of the Member States in accordance with Article 6 of Regulation (EU) 2016/399 of the European Parliament and of the Council ( 9 ) are fulfilled, or both, as referred to in Article 18(2) of this Regulation;
check whether visa-exempt third-country nationals for whom an individual file is not recorded in the EES were previously registered in the VIS in accordance with Article 23 of Regulation (EU) 2017/2226 and Article 19a of this Regulation;
verify, where the identity of a visa holder is verified using fingerprints, the identity of a visa holder with fingerprints against the VIS in accordance with Articles 23(2) and 23(4) of Regulation (EU) 2017/2226 and Article 18(6) of this Regulation.
Article 18
Access to data for verification at borders at which the EES is operated
For the sole purpose of verifying the identity of the visa holders, the authenticity, temporal and territorial validity and status of the visa or whether the conditions for entry to the territory of the Member States in accordance with Article 6 of Regulation (EU) 2016/399 are fulfilled, or both, the competent authorities for carrying out checks at borders at which the EES is operated shall have access to the VIS to search using the following data:
surname (family name), first name or names (given names); date of birth; nationality or nationalities; sex; type and number of the travel document or documents; three letter code of the issuing country of the travel document or documents; and the date of expiry of the validity of the travel document or documents; or
the number of the visa sticker.
If the search with the data listed in paragraph 1 indicates that data are stored in the VIS on one or more issued or extended visas which are within their validity period and are under their territorial validity for the border crossing, the competent authority for carrying out checks at borders at which the EES is operated shall be given access to consult the following data contained in the application file concerned as well as in an application file or files linked pursuant to Article 8(4), solely for the purposes referred to in paragraph 1 of this Article:
the status information and the data taken from the application form, ►C3 referred to in points (2) and (4) of Article 9; ◄
photographs;
the data referred to in Articles 10, 13 and 14 and entered in respect of the visa(s) issued, annulled or revoked or of the visa or visas whose validity is extended.
In addition, for those visa holders for whom certain data are not required to be provided for legal reasons or factually cannot be provided, the competent authority for carrying out checks at borders at which the EES is operated shall receive a notification related to the specific data field or fields concerned which shall be marked as ‘not applicable’.
If the search with the data listed in paragraph 1 of this Article indicates that data on the person are recorded in the VIS but no valid visa is recorded, the competent authority for carrying out checks at borders at which the EES is operated shall be given access to consult the following data contained in the application file or files as well as in an application file or files linked pursuant to Article 8(4), solely for the purposes referred to in paragraph 1 of this Article:
the status information and the data taken from the application form, ►C3 referred to in points (2) and (4) of Article 9; ◄
photographs;
the data referred to in Articles 10, 13 and 14 and entered in respect of the visa(s) issued, annulled or revoked or of the visa or visas whose validity is extended.
In addition to the consultation carried out under paragraph 1 of this Article, the competent authority for carrying out checks at borders at which the EES is operated shall verify the identity of a person against the VIS if the search with the data listed in paragraph 1 of this Article indicates that data on the person are recorded in the VIS and one of the following conditions is met:
the identity of the person cannot be verified against the EES in accordance with Article 23(2) of Regulation (EU) 2017/2226, because:
the visa holder is not yet registered into the EES;
the identity is verified, at the border crossing point concerned, using fingerprints in accordance with Article 23(2) of Regulation (EU) 2017/2226;
there are doubts as to the identity of the visa holder;
of any other reason;
the identity of the person can be verified against the EES but Article 23(5) of Regulation (EU) 2017/2226 applies.
The competent authorities for carrying out checks at borders at which the EES is operated shall verify the fingerprints of the visa holder against the fingerprints recorded in the VIS. For visa holders whose fingerprints cannot be used, the search referred to in paragraph 1 shall be carried out only with the alphanumeric data provided for in paragraph 1.
Article 18a
Retrieval of VIS data for creating or updating an entry/exit record or a refusal of entry record of a visa holder in the EES
Solely for the purpose of creating or updating an entry/exit record or a refusal of entry record of a visa holder in the EES in accordance with Article 14(2) and Articles 16 and 18 of Regulation (EU) 2017/2226, the competent authority for carrying out checks at borders at which the EES is operated shall be given access to retrieve from the VIS and import into the EES the data stored in the VIS and listed in points (c) to (f) of Article 16(2) of that Regulation.
Article 18b
Interoperability with ETIAS
For the purpose of proceeding with the verifications referred to in point (i) of Article 20(2) of Regulation (EU) 2018/1240, the ETIAS Central System shall use the ESP to compare the data stored in ETIAS with the data stored in the VIS, in accordance with Article 11(8) of that Regulation, using the data listed in the correspondence table set out in Annex II to this Regulation.
Article 18c
Access to VIS data by the ETIAS Central Unit
Article 18d
Use of the VIS for the manual processing of applications by the ETIAS National Units
Article 19
Access to data for verification within the territory of the Member States
For the sole purpose of verifying the identity of the visa holder and/or the authenticity of the visa and/or whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, the authorities competent for carrying out checks within the territory of the Member States as to whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, shall have access to search with the number of the visa sticker in combination with verification of fingerprints of the visa holder, or the number of the visa sticker.
For visa holders whose fingerprints cannot be used, the search shall be carried out only with the number of the visa sticker.
If the search with the data listed in paragraph 1 indicates that data on the visa holder are recorded in the VIS, the competent authority shall be given access to consult the following data of the application file as well as of linked application file(s) pursuant to Article 8(4), solely for the purposes referred to in paragraph 1:
the status information and the data taken from the application form, referred to in points (2) and (4) of Article 9;
photographs;
the data entered in respect of the visa(s) issued, annulled, revoked or whose validity is extended ►M1 or shortened ◄ , referred to in Articles 10, 13 and 14.
Article 19a
Use of the VIS before creating in the EES the individual files of visa-exempt third-country nationals
If the search with the data listed in paragraph 2 of this Article and the verification carried out under paragraph 4 of this Article indicate that data on the person are recorded in the VIS, the competent authority for carrying out checks at borders at which the EES is operated shall be given access to consult the following data contained in the application file concerned as well as in an application file or files linked pursuant to Article 8(4), solely for the purpose referred to in paragraph 1 of this Article:
the status information and the data taken from the application form, ►C3 referred to in points (2) and (4) of Article 9; ◄
photographs;
the data referred to in Articles 10, 13 and 14 and entered in respect of the visa or visas issued, annulled or revoked or of the visa or visas whose validity is extended.
Article 20
Access to data for identification
Solely for the purposes of the identification of any person who may have been registered previously in the VIS or who may not, or may no longer, fulfil the conditions for the entry to, or stay or residence on, the territory of the Member States, the authorities competent for carrying out checks at borders at which the EES is operated or within the territory of the Member States as to whether the conditions for entry to, or stay or residence on, the territory of the Member States are fulfilled, shall have access to search in the VIS with the fingerprints of that person.
Where the fingerprints of that person cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a) and/or (c) of Article 9; this search may be carried out in combination with the data referred to in point (4)(b) of Article 9.
If the search with the data listed in paragraph 1 indicates that data on the applicant are recorded in the VIS, the competent authority shall be given access to consult the following data of the application file and the linked application file(s), pursuant to Article 8(3) and (4), solely for the purposes referred to in paragraph 1:
the application number, the status information and the authority to which the application was lodged;
the data taken from the application form, referred to in Article 9(4);
photographs;
the data entered in respect of any visa issued, refused, annulled, revoked or whose validity is extended ►M1 or shortened ◄ , or of applications where examination has been discontinued, referred to in Articles 10 to 14.
Article 21
Access to data for determining the responsibility for asylum applications
Where the fingerprints of the asylum seeker cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a) and/or (c) of Article 9; this search may be carried out in combination with the data referred to in point (4)(b) of Article 9.
If the search with the data listed in paragraph 1 indicates that a visa issued with an expiry date of no more than six months before the date of the asylum application, and/or a visa extended to an expiry date of no more than six months before the date of the asylum application, is recorded in the VIS, the competent asylum authority shall be given access to consult the following data of the application file, and as regards the data listed in point (g) of the spouse and children, pursuant to Article 8(4), for the sole purpose referred to in paragraph 1:
the application number and the authority that issued or extended the visa, and whether the authority issued it on behalf of another Member State;
the data taken from the application form referred to in point (4)(a) and (b) of Article 9;
the type of visa;
the period of validity of the visa;
the duration of the intended stay;
photographs;
the data referred to in point (4)(a) and (b) of Article 9 of the linked application file(s) on the spouse and children.
Article 22
Access to data for examining the application for asylum
For the sole purpose of examining an application for asylum, the competent asylum authorities shall have access in accordance with Article 21 of Regulation (EC) No 343/2003 to search with the fingerprints of the asylum seeker.
Where the fingerprints of the asylum seeker cannot be used or the search with the fingerprints fails, the search shall be carried out with the data referred to in point (4)(a) and/or (c) of Article 9; this search may be carried out in combination with the data referred to in point (4)(b) of Article 9.
If the search with the data listed in paragraph 1 indicates that a visa issued is recorded in the VIS, the competent asylum authority shall have access to consult the following data of the application file and linked application file(s) of the applicant pursuant to Article 8(3), and, as regards the data listed in point (e) of the spouse and children, pursuant to Article 8(4), for the sole purpose referred to in paragraph 1:
the application number;
the data taken from the application form, referred to in point (4)(a), (b) and (c) of Article 9;
photographs;
the data entered in respect of any visa issued, annulled, revoked, or whose validity is extended ►M1 or shortened ◄ , referred to in Articles 10, 13 and 14;
the data referred to in point (4)(a) and (b) of Article 9 of the linked application file(s) on the spouse and children.
CHAPTER IIIa
ENTRY AND USE OF DATA ON LONG-STAY VISAS AND RESIDENCE PERMITS
Article 22b
Queries of information systems and databases
CHAPTER IV
RETENTION AND AMENDMENT OF THE DATA
Article 23
Retention period for data storage
Each application file shall be stored in the VIS for a maximum of five years, without prejudice to the deletion referred to in Articles 24 and 25 and to the keeping of records referred to in Article 34.
That period shall start:
on the expiry date of the visa, if a visa has been issued;
on the new expiry date of the visa, if a visa has been extended;
on the date of the creation of the application file in the VIS, if the application has been withdrawn, closed or discontinued;
on the date of the decision of the visa authority if a visa has been refused, annulled ►M1 , shortened ◄ or revoked.
Article 24
Amendment of data
Article 25
Advance data deletion
CHAPTER V
OPERATION AND RESPONSIBILITIES
Article 26
Operational management
The Management Authority shall also be responsible for the following tasks relating to the communication infrastructure between the central VIS and the national interfaces:
supervision;
security;
the coordination of relations between the Member States and the provider.
The Commission shall be responsible for all other tasks relating to the Communication Infrastructure between the central VIS and the national interfaces, in particular:
tasks relating to implementation of the budget;
acquisition and renewal;
contractual matters.
Each national public-sector body referred to in paragraph 4 shall meet the following selection criteria:
it must demonstrate that it has extensive experience in operating a large-scale information system;
it must have considerable expertise in the service and security requirements of a large-scale information system;
it must have sufficient and experienced staff with the appropriate professional expertise and linguistic skills to work in an international cooperation environment such as that required by the VIS;
it must have a secure and custom-built facility infrastructure able, in particular, to back up and guarantee the continuous functioning of large-scale IT systems; and
its administrative environment must allow it to implement its tasks properly and avoid any conflict of interests.
Article 27
Location of the central Visa Information System
The principal central VIS, which performs technical supervision and administration functions, shall be located in Strasbourg (France) and a back-up central VIS, capable of ensuring all functionalities of the principal central VIS in the event of failure of the system, shall be located in Sankt Johann im Pongau (Austria).
Article 28
Relation to the national systems
Each Member State shall be responsible for:
the development of the national system and/or its adaptation to the VIS according to Article 2(2) of Decision 2004/512/EC;
the organisation, management, operation and maintenance of its national system;
the management and arrangements for access of the duly authorised staff of the competent national authorities to the VIS in accordance with this Regulation and to establish and regularly update a list of such staff and their profiles;
bearing the costs incurred by the national system and the costs of their connection to the national interface, including the investment and operational costs of the communication infrastructure between the national interface and the national system.
Article 29
Responsibility for the use of data
Each Member State shall ensure that the data are processed lawfully, and in particular that only duly authorised staff have access to data processed in the VIS for the performance of their tasks in accordance with this Regulation. The Member State responsible shall ensure in particular that:
the data are collected lawfully;
the data are transmitted lawfully to the VIS;
the data are accurate and up-to-date when they are transmitted to the VIS.
The management authority shall ensure that the VIS is operated in accordance with this Regulation and its implementing rules referred to in Article 45(2). In particular, the management authority shall:
take the necessary measures to ensure the security of the central VIS and the communication infrastructure between the central VIS and the national interfaces, without prejudice to the responsibilities of each Member State;
ensure that only duly authorised staff have access to data processed in the VIS for the performance of the tasks of the management authority in accordance with this Regulation.
Article 29a
Specific rules for entering data
Article 30
Keeping of VIS data in national files
Article 31
Communication of data to third countries or international organisations
By way of derogation from paragraph 1, the data referred to in point (4)(a), (b), (c), (k) and (m) of Article 9 may be transferred or made available to a third country or to an international organisation listed in the Annex if necessary in individual cases for the purpose of proving the identity of third-country nationals, including for the purpose of return, only where the following conditions are satisfied:
the Commission has adopted a decision on the adequate protection of personal data in that third country in accordance with Article 25(6) of Directive 95/46/EC, or a readmission agreement is in force between the Community and that third country, or the provisions of Article 26(1)(d) of Directive 95/46/EC apply;
the third country or international organisation agrees to use the data only for the purpose for which they were provided;
the data are transferred or made available in accordance with the relevant provisions of Community law, in particular readmission agreements, and the national law of the Member State which transferred or made the data available, including the legal provisions relevant to data security and data protection; and
the Member State(s) which entered the data in the VIS has given its consent.
Article 32
Data security
Each Member State shall, in relation to its national system, adopt the necessary measures, including a security plan, in order to:
physically protect data, including by making contingency plans for the protection of critical infrastructure;
deny unauthorised persons access to national installations in which the Member State carries out operations in accordance with the purposes of the VIS (checks at entrance to the installation);
prevent the unauthorised reading, copying, modification or removal of data media (data media control);
prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
prevent the unauthorised processing of data in the VIS and any unauthorised modification or deletion of data processed in the VIS (control of data entry);
ensure that persons authorised to access the VIS have access only to the data covered by their access authorisation, by means of individual and unique user identities and confidential access modes only (data access control);
ensure that all authorities with a right of access to the VIS create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make these profiles available to the National Supervisory Authorities referred to in Article 41 without delay at their request (personnel profiles);
ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);
ensure that it is possible to verify and establish what data have been processed in the VIS, when, by whom and for what purpose (control of data recording);
prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data to or from the VIS or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);
monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing).
Article 33
Liability
Article 34
Keeping of records
Each Member State and the Management Authority shall keep records of all data processing operations within the VIS. Those records shall indicate:
the purpose of access referred to in Article 6(1) and in Articles 15 to 22;
the date and time;
the type of data transmitted as referred to in Articles 9 to 14;
the type of data used for interrogation as referred to in Article 15(2), Article 17 and Articles 18(1) and (6), 19(1), 19a(2) and (4), 20(1), 21(1) and 22(1); and
the name of the authority entering or retrieving the data.
In addition, each Member State shall keep records of the staff duly authorised to enter or retrieve the data.
Article 34a
Keeping of logs for the purposes of interoperability with ETIAS
Logs of each data processing operation carried out within the VIS and ETIAS pursuant to Article 20, point (c)(ii) of Article 24(6), and point (b) of Article 54(1) of Regulation (EU) 2018/1240 shall be kept in accordance with Article 34 of this Regulation and Article 69 of Regulation (EU) 2018/1240.
Article 35
Self-monitoring
Member States shall ensure that each authority entitled to access VIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the National Supervisory Authority.
Article 36
Penalties
Member States shall take the necessary measures to ensure that any misuse of data entered in the VIS is punishable by penalties, including administrative and/or criminal penalties in accordance with national law, that are effective, proportionate and dissuasive.
CHAPTER VI
RIGHTS AND SUPERVISION ON DATA PROTECTION
Article 36a
Data protection
Article 37
Right of information
Without prejudice to the right to information referred to in Articles 15 and 16 of Regulation (EU) 2018/1725, Articles 13 and 14 of Regulation (EU) 2016/679 and Article 13 of Directive (EU) 2016/680, applicants and the persons referred to in point (4)(f) of Article 9 of this Regulation shall be informed of the following by the Member State responsible:
the identity of the controller referred to in Article 29(4), including the controller’s contact details;
the purposes for which the data will be processed within the VIS;
the categories of recipients of the data, including the authorities referred to in Article 22l and Europol;
the fact that the VIS may be accessed by the Member States and Europol for law enforcement purposes;
the data retention period;
that the collection of the data is mandatory for the examination of the application;
the fact that personal data stored in the VIS may be transferred to a third country or an international organisation in accordance with Article 31 of this Regulation and to Member States in accordance with Council Decision (EU) 2017/1908 ( 12 );
the existence of the right to request access to data relating to them, the right to request that inaccurate data relating to them be rectified, that incomplete personal data relating to them be completed, that unlawfully processed personal data concerning them be erased or that the processing thereof be restricted, as well as the right to receive information on the procedures for exercising those rights, including the contact details of the supervisory authorities, or of the European Data Protection Supervisor if applicable, which shall hear complaints concerning the protection of personal data.
In the absence of such a form signed by those persons this information shall be provided in accordance with Article 14 of Regulation (EU) 2016/679.
Article 38
Right of access to, rectification, completion, erasure of personal data and restriction of processing
Where the request is addressed to the Member State responsible and where it is found that VIS data are factually inaccurate or have been recorded unlawfully, the Member State responsible shall, in accordance with Article 24(3), rectify or erase those data in the VIS without delay and at the latest within one month of receipt of the request. The Member State responsible shall confirm in writing to the person concerned without delay that it has taken action to rectify or erase data relating to him or her.
Where the request is addressed to a Member State other than the Member State responsible, the authorities of the Member State to which the request was addressed shall contact the authorities of the Member State responsible within a period of seven days. The Member State responsible shall proceed in accordance with the second subparagraph of this paragraph. The Member State which contacted the authority of the Member State responsible shall inform the person concerned that his or her request was forwarded, to which Member State and about the further procedure.
By way of derogation from paragraphs 1 to 6 of this Article, and only as regards data contained in the reasoned opinions that are recorded in the VIS in accordance with Article 9e(6), Article 9g(6) and Article 22b(14) and (16) as a result of the queries pursuant to Articles 9a and 22b, a Member State shall take a decision not to provide information to the person concerned, in whole or in part, in accordance with national or Union law, to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned, in order to:
avoid obstructing official or legal inquiries, investigations or procedures;
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
protect public security;
protect national security; or
protect the rights and freedoms of others.
In the cases referred to in the first subparagraph, the Member State shall inform the person concerned in writing, without undue delay, of any refusal or restriction of access and of the reasons for the refusal or restriction. Such information may be omitted where its provision would undermine any of the reasons set out in points (a) to (e) of the first subparagraph. The Member State shall inform the person concerned of the possibility of lodging a complaint with a supervisory authority or of seeking a judicial remedy.
The Member State shall document the factual or legal reasons on which the decision not to provide information to the person concerned is based. That information shall be made available to the supervisory authorities.
For such cases, the person concerned shall also be able to exercise his or her rights through the competent supervisory authorities.
Article 39
Cooperation to ensure the rights on data protection
In order to achieve the aims referred to in the first subparagraph, the supervisory authority of the Member State responsible and the supervisory authority of the Member State to which the request has been made shall cooperate with each other.
Article 40
Remedies
Article 41
Supervision by the supervisory authorities
Article 42
Supervision by the European Data Protection Supervisor
Article 43
Cooperation between supervisory authorities and the European Data Protection Supervisor
▼M5 —————
CHAPTER VII
FINAL PROVISIONS
Article 45
Implementation by the Commission
The Commission shall adopt implementing acts to lay down the measures necessary for the development of the VIS Central System, the NUIs in each Member State and the communication infrastructure between the VIS Central System and the NUIs concerning the following:
the design of the physical architecture of the VIS Central System including its communication network;
technical aspects which have a bearing on the protection of personal data;
technical aspects which have serious financial implications for the budgets of the Member States or which have serious technical implications for the national systems;
the development of security requirements, including biometric aspects.
The Commission shall adopt implementing acts to lay down measures necessary for the technical implementation of the functionalities of the VIS Central System, in particular:
for entering the data and linking applications in accordance with Article 8, Articles 10 to 14, Article 22a and Articles 22c to 22f;
for accessing the data in accordance with Article 15, Articles 18 to 22, Articles 22g to 22k, Articles 22n to 22r and Articles 45e and 45f;
for rectification, erasure and advance erasure of data in accordance with Articles 23, 24 and 25;
for keeping and accessing the logs in accordance with Article 34;
for the consultation mechanism and the procedures referred to in Article 16;
for accessing the data for the purposes of reporting and statistics in accordance with Article 45a.
Article 45c
Access to data for verification by carriers
Article 45d
Fall-back procedures in the case of technical impossibility to access data by carriers
Article 45e
Access to VIS data by European Border and Coast Guard teams
Article 45f
Conditions and procedure for access to VIS data by European Border and Coast Guard teams
For the access to be granted, the following conditions shall apply:
the host Member State authorises the members of the European Border and Coast Guard team to consult the VIS in order to fulfil the operational aims specified in the operational plan on border checks, border surveillance and return; and
consultation of the VIS is necessary for performing the specific tasks entrusted to the team by the host Member State.
Consultation of VIS data by members of the teams shall take place as follows:
when exercising tasks related to border checks pursuant to Regulation (EU) 2016/399, the members of the European Border and Coast Guard teams shall have access to VIS data for verification at external border crossing points in accordance with Article 18 or 22g of this Regulation respectively;
when verifying whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled, the members of the teams shall have access to the VIS data for verification within the territory of third-country nationals in accordance with Article 19 or 22h of this Regulation respectively;
when identifying any person that does not or no longer fulfils the conditions for the entry to, stay or residence on the territory of the Member States, the members of the teams shall have access to VIS data for identification in accordance with Articles 20 and 22i of this Regulation.
Article 46
Integration of the technical functionalities of the Schengen Consultation Network
The consultation mechanism referred to in Article 16 shall replace the Schengen Consultation Network from the date determined in accordance with the procedure referred to in Article 49(3) when all those Member States which use the Schengen Consultation Network at the date of entry into force of this Regulation have notified the legal and technical arrangements for the use of the VIS for the purpose of consultation between central visa authorities on visa applications according to Article 17(2) of the Schengen Convention.
Article 47
Start of transmission
Each Member State shall notify the Commission that it has made the necessary technical and legal arrangements to transmit the data referred to in Article 5(1) to the central VIS via the national interface.
Article 48
Start of operations
The Commission shall determine the date from which the VIS is to start operations, when:
the measures referred to in Article 45(2) have been adopted;
the Commission has declared the successful completion of a comprehensive test of the VIS, which shall be conducted by the Commission together with Member States;
following validation of technical arrangements, the Member States have notified the Commission that they have made the necessary technical and legal arrangements to collect and transmit the data referred to in Article 5(1) to the VIS for all applications in the first region determined according to paragraph 4, including arrangements for the collection and/or transmission of the data on behalf of another Member State.
Article 48a
Exercise of delegation
Article 49
Committee procedure
Article 50
Monitoring and evaluation
A technical solution shall be made available to Member States in order to facilitate the collection of those data pursuant to Chapter IIIb for the purpose of generating statistics referred to in this paragraph. The Commission shall, by means of implementing acts, adopt the specifications of the technical solution. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 49(2).
Article 51
Entry into force and application
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaty establishing the European Community.
ANNEX
List of international organisations referred to in Article 31(2)
1. UN organisations (such as UNHCR);
2. International Organization for Migration (IOM);
3. The International Committee of the Red Cross.
ANNEX II
Correspondence table
Data as referred to in Article 17(2) of Regulation (EU) 2018/1240 sent by the ETIAS Central System |
The corresponding VIS data referred to in Article 9(4) of this Regulation with which data in ETIAS are to be compared |
surname (family name) |
surnames |
surname at birth |
surname at birth (former family name(s)) |
first name(s) (given name(s)) |
first name(s) |
date of birth |
date of birth |
place of birth |
place of birth |
country of birth |
country of birth |
sex |
sex |
current nationality |
current nationality or nationalities and nationality at birth |
other nationalities (if any) |
current nationality or nationalities and nationality at birth |
type of the travel document |
type of the travel document |
number of the travel document |
number of the travel document |
country of issue of the travel document |
the country which issued the travel document |
( 1 ) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).
( 2 ) See page 129 of this Official Journal.
( 3 ) OJ L 243, 15.9.2009, p. 1.
( 4 ) OJ L 64, 7.3.2003, p. 1.
( 5 ) OJ L 81, 21.3.2001, p. 1. Regulation as last amended by Regulation (EC) No 1932/2006 (OJ L 405, 30.12.2006, p. 23).
( 6 ) OJ L 53, 23.2.2002, p. 4.
( 7 ) Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77).
( 8 ) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).
( 9 ) Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, p. 1).
( 10 ) OJ L 248, 16.9.2002, p. 1. Regulation as last amended by Regulation (EC) No 1525/2007 (OJ L 343, 27.12.2007, p. 9).
( 11 ) OJ L 56, 4.3.1968, p. 1. Regulation as last amended by Regulation (EC, Euratom) No 337/2007 (OJ L 90, 30.3.2007, p. 1).
( 12 ) Council Decision (EU) 2017/1908 of 12 October 2017 on the putting into effect of certain provisions of the Schengen acquis relating to the Visa Information System in the Republic of Bulgaria and Romania (OJ L 269, 19.10.2017, p. 39).
( 13 ) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, p. 27).
( 14 ) Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 (OJ L 295, 14.11.2019, p. 1).
( 15 ) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).