Second generation Schengen Information System (SIS II) - 1st pillar regulation20 December 2009
by Ina Dimireva -- last modified 21 December 2009
The SIS II Regulation lays down the technical aspects and the operation of the second generation Schengen Information System (SIS II), the conditions for issuing alerts on refusal of entry or stay for non-EU nationals, the processing of data relating to the alerts, and conditions of data access and protection. It constitutes the legislative basis for governing SIS II with respect to matters falling under Title IV of the EC Treaty (first pillar).
Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II).
The second generation Schengen Information System (SIS II) will be a large-scale information system containing alerts on persons and objects. It will be used by border guards, customs officers, visa and law-enforcement authorities throughout the Schengen area, with a view to ensuring a high level of security. This new system is currently undergoing extensive testing in close cooperation with Member States and will replace the current system, providing enhanced functionalities.
The SIS II Regulation constitutes the necessary legislative basis for governing SIS II with respect to alert procedures falling under Title IV of the EC Treaty (first pillar). It is supplemented by a decision relating to alert procedures falling under Title VI of the EU Treaty (third pillar).
Technical architecture and ways of operating SIS II
SIS II will be composed of:
- a central system ("Central SIS II");
- a national system (the "N.SIS II") in each Member State (the national data systems that will communicate with the Central SIS II);
- a communication infrastructure between the central system and the national systems providing an encrypted virtual network dedicated to SIS II data and the exchange of data between the authorities responsible for the exchange of all supplementary information (SIRENE Bureaux).
SIS II data will be entered, updated, deleted and searched via the various national systems. The central system, which will perform technical supervision and administration functions, is located in Strasbourg (France). It will provide the necessary services for the entry and processing of SIS II data. A backup central system, capable of ensuring all functionalities of the principal central system in the event of failure of this system, is located near Salzburg (Austria). Each Member State will be responsible for setting up, operating and maintaining its own national system and for connecting it to the central system. It designates an authority, the national SIS II office (N.SIS II office), which has central responsibility for its national SIS II project. This authority will be responsible for the smooth operation and security of its national system. Each Member State designates its SIRENE Bureau. Supplementary information relating to SIS II alerts will be exchanged in accordance with the provisions of the “SIRENE Manual” and by using the communication infrastructure. Member States will keep a reference to the decisions giving rise to an alert at the SIRENE Bureau.
Member States will be liable for any damage caused to a person through the use of the national SIS II systems. They will also ensure that any potential misuse of data entered in SIS II or any exchange of supplementary information contrary to this regulation will be subject to effective, proportionate and dissuasive penalties.
Operational management of the Central SIS II will consist of all the necessary tasks for keeping it running 24 hours a day, 7 days a week, in accordance with this regulation.
After a transitional period, a management authority, funded from the general budget of the European Union, shall be responsible for the operational management of the Central SIS II and for a number of tasks relating to the communication infrastructure (supervision, security and coordination of relations between the Member States and the provider). The Commission will be responsible for all other tasks relating to the communication infrastructure.
During a transitional period before the management authority takes up its responsibilities, the Commission shall be responsible for the operational management of Central SIS II. In accordance with the Financial Regulation applicable to the general budget of the European Communities, the Commission may delegate the operational management and tasks relating to implementation of the budget to national public-sector bodies in two different countries that meet the specific criteria outlined in Article 15, paragraph 4 of the SIS II Regulation.
The regulation contains provisions to ensure adequate protection of personal data. In cooperation with the national supervisory authorities and the European Data Protection Supervisor, the Commission will accompany the start of the operation of SIS II with an information campaign informing the public about the objectives, the data stored, the authorities having access and the rights of individuals.
Alerts issued in respect of non-EU nationals for the purpose of refusing entry and stay
SIS II will only contain those categories of data supplied by each of the Member States, which are necessary for alerts for refusing entry or stay. Once the system is operational and alerts are included in it, it will only be possible to store the following information on persons for whom an alert has been issued: surname(s) and forename(s), name(s) at birth, aliases, specific physical characteristics, place and date of birth, sex, photographs, fingerprints, nationality(ies), whether the person concerned is armed, violent or has escaped, reason for the alert, authority issuing the alert, a reference to the decision giving rise to the alert and link(s) to other alerts issued in SIS II. It will also include the action to be taken in the event that there is a “hit” (i.e. if a competent national authority finds an alert in SIS II concerning a non-EU national on whom they have carried out a check). Should a Member State be unable to perform the requested action after obtaining a hit in SIS II, it will immediately inform the Member State that issued the alert.
Photographs and fingerprints will be used to confirm the identity of a non-EU national who has been located as a result of an alphanumeric search made in SIS II. As soon as this becomes technically possible, fingerprints may also be used to allow identification of a non-EU national on the basis of his/her biometric identifier. Before this functionality is implemented in SIS II, the Commission will present a report on the availability and readiness of the required technology.
Data on non-EU nationals, for whom an alert has been issued for refusing entry or stay, will be entered on the basis of a national alert based on a decision by the competent courts and administrative authorities taken on the basis of an individual assessment. An alert will be entered where the decision is based on a threat to public policy, to public security or to national security, which the presence of the non-EU national in question in the territory of a Member State may pose. It will also be possible to enter an alert when the decision is based on the fact that the non-EU national has been subject to a measure involving expulsion.
Access to and processing of data in SIS II
Authorities responsible for border control and other police and customs checks within the Member State concerned will have a right to access alerts. By extension, it will also be possible for national judicial authorities to access the system for the performance of their tasks. In any case, users will only be able to access data that is required for the performance of their tasks.
Before issuing an alert, Member States will determine whether the case is relevant enough to warrant the entry of the alert in SIS II. These alerts will only be kept for the time required to achieve the purposes for which they were entered. A Member State issuing an alert shall review the need to keep it within three years of its entry in SIS II.
It will only be possible to copy data for technical purposes. Such copies, which lead to off-line databases, may be retained for no more than 48 hours. It will not be possible to use data for administrative purposes.
A Member State issuing an alert will be responsible for ensuring that the data are accurate, up-to-date and lawfully entered in SIS II. Only the Member State issuing an alert will be authorised to modify, add to, correct, update or delete data that it has entered. If a Member State other than that issuing an alert obtains evidence suggesting that an item of data is incorrect, it will inform the Member State that issued the alert as soon as possible. The Member State that issued the alert will check the communication and, if necessary, correct or delete the item in question without delay. If the Member States are unable to reach an agreement within two months, the Member State that did not issue the alert will submit the matter to the European Data Protection Supervisor who will act as a mediator, jointly with the national supervisory authorities concerned.
It will be possible for a Member State to create a link between alerts it enters in SIS II, but this should only be done when there is a clear operational need.
Data processed in SIS II will not be transferred or made available to third countries or to international organisations.
Processing of sensitive categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life) will be prohibited.
Any person will have the right to request access to data relating to him/her (personal data) that has been entered in SIS II, and to have factually inaccurate personal data corrected or unlawfully stored personal data deleted.
Information may not be communicated to the data subject if this is indispensable for the performance of a task in connection with an alert or for the protection of the rights and freedoms of third parties. Regarding the exercise of their rights of correction and deletion, individuals will be informed about the follow-up as soon as possible, and in any event no later than three months from the date of their application for correction or deletion.
It will be possible for any person to bring an action before the competent courts or authorities to access, correct, delete, or obtain information or compensation in connection with an alert relating to him/her.
The authority or authorities designated in each Member State, endowed with the powers referred to in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, will independently monitor the lawfulness of the processing of SIS II personal data on their territory and the transmission of this data from their territory. They will ensure that an audit of the data-processing operations in the N.SIS II is carried out at least every four years.
The European Data Protection Supervisor will check that the personal data-processing activities of the management authority are carried out in accordance with this regulation. S/he will also ensure that an audit of the personal data-processing activities is carried out at least every four years. A report of this audit will be sent to the European Parliament, the Council, the management authority, the Commission and the national supervisory authorities.
The national supervisory authorities and the European Data Protection Supervisor cooperate actively. They exchange relevant information, assist one another and meet at least twice a year.
The regulation will apply to the Member States participating in the current Schengen Information System from the date to be set by the Council (acting by unanimity of its members representing the governments of the Member States participating in the first generation Schengen Information System) once all necessary technical preparations for SIS II have been completed at central and Member State level and once all implementing measures have been adopted. Precise information on this matter is given in Article 55 of the regulation and in the legal instruments governing migration from SIS 1+ to SIS II.
28 Three years after the SIS II is brought into operation, and then every four years, the Commission will produce an overall evaluation of the Central SIS II and the bilateral and multilateral exchanges of supplementary information between Member States. It will transmit the evaluation to the European Parliament and the Council.
Regulation No 1987/2006/EC
Entry into force: 17.1.2007
Deadline for transposition in the Member States: -
Official Journal: OJ L 381 of 28.12.2006
Commission Decision 2008/333/EC of 4 March 2008 adopting the SIRENE Manual and other implementing measures for the second generation Schengen Information System (SIS II) [Official Journal L 123 of 08.05.2008].
The alerts in SIS II will contain a set of data that is absolutely necessary for identification of a person or object sought. In cases where the future end-users (officers from the competent national authorities) need to take action after obtaining a matching alert, they will require supplementary information on this alert (information that will not be contained in SIS II, but that will be connected to SIS II alerts).
National offices known as SIRENE Bureaux (Supplementary Information Request at the National Entries) have been set up in all Schengen countries to assist with obtaining supplementary information for SIS by acting as the contact points between a Member State creating an alert and one achieving the match. The same offices will be used for SIS II.
The SIRENE Manual is a set of instructions indicating both the general and specific procedures that competent authorities will have to follow for exchanging supplementary information on the following categories of alerts:
- alerts for refusal of entry or stay (first pillar);
- alerts for arrest for surrender or extradition purposes (this and the following categories fall under the third pillar);
- alerts on missing persons;
- alerts sought for a judicial procedure;
- alerts for discreet and specific checks;
- alerts on objects for seizure or use as evidence.
The purpose will be to assure communication among Member States, in particular when entering an alert, acting on an alert, handling multiple alerts, and dealing with the quality of SIS II data or with rights of access. The implementing measures cover SIS II aspects that, due to their technical nature, level of detail and need for regular updating, are not covered exhaustively by the SIS II legal instruments.
As is the case for other instruments related to SIS II, there are two legal instruments (Commission decisions) for the SIRENE Manual and implementing measures: one for the first pillar (Annex of Decision 2008/333/JHA) and one for the third pillar (Annex of Decision 2008/334/JHA). The Annexes to both decisions are identical.