Second generation Schengen Information System (SIS II) – former 1st pillar regulation
The second generation Schengen Information System (SIS II) will replace the current system, providing enhanced functionalities. It is currently undergoing extensive testing in close cooperation with European Union (EU) countries and associated countries participating in the Schengen area.
The SIS II Regulation lays down the technical aspects and the operation of SIS II, the conditions for issuing alerts on refusal of entry or stay for non-EU nationals, the processing of data relating to alerts, and conditions of data access and protection. It constitutes the legislative basis for governing SIS II with respect to matters falling under Title IV of the Treaty establishing the European Community (former first pillar).
Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II).
The second generation Schengen Information System (SIS II) will be a large-scale information system containing alerts * on persons and objects. It will be used by border guards, customs officers, visa- and law-enforcement authorities throughout the Schengen area, with a view to ensuring a high level of security. This new system is currently undergoing extensive testing in close cooperation with European Union (EU) countries and associated countries participating in the Schengen area (referred to below as the Member States *) and will replace the current system, providing enhanced functionalities.
The SIS II Regulation constitutes the necessary legislative basis for governing SIS II with respect to alert procedures falling under Title IV of the Treaty establishing the European Community (former first pillar). It is supplemented by a decision relating to procedures falling under Title VI of the Treaty on European Union (former third pillar).
Technical architecture and ways of operating SIS II
SIS II will be composed of:
- a central system ("Central SIS II");
- a national system (the "N.SIS II") in each Member State (the national data systems that will communicate with the Central SIS II);
- a communication infrastructure between the central system and the national systems providing an encrypted virtual network dedicated to SIS II data and the exchange of data between the authorities responsible for the exchange of all supplementary information * (SIRENE Bureaux).
SIS II data will be entered, updated, deleted and searched via the various national systems. The central system, which will perform technical supervision and administration functions, is located in Strasbourg (France). It will provide the necessary services for the entry and processing of SIS II data. A backup central system, capable of ensuring all functionalities of the principal central system in the event of failure of this system, is located near Salzburg (Austria). Each Member State will be responsible for setting up, operating and maintaining its own national system and for connecting it to the central system. It designates an authority, the national SIS II office (N.SIS II office), which has central responsibility for its national SIS II project. This authority will be responsible for the smooth operation and security of its national system.
Each Member State designates its SIRENE Bureau. Supplementary information relating to SIS II alerts will be exchanged in accordance with the provisions of the “SIRENE Manual” and by using the communication infrastructure. Member States will keep a reference to the decisions giving rise to an alert at the SIRENE Bureau.
Member States will be liable for any damage caused to a person through the use of the national SIS II systems. They will also ensure that any potential misuse of data entered in SIS II or any exchange of supplementary information contrary to this regulation will be subject to effective, proportionate and dissuasive penalties.
Operational management of the Central SIS II will consist of all the necessary tasks for keeping it running 24 hours a day, 7 days a week, in accordance with this regulation.
After a transitional period, a management authority, funded from the general budget of the EU, shall be responsible for the operational management of the Central SIS II and for a number of tasks relating to the communication infrastructure (supervision, security and coordination of relations between Member States and the provider). The Commission will be responsible for all other tasks relating to the communication infrastructure.
During a transitional period before the management authority takes up its responsibilities, the Commission shall be responsible for the operational management of Central SIS II. In accordance with the Financial Regulation applicable to the general budget of the European Communities, the Commission may delegate the operational management and tasks relating to implementation of the budget to national public-sector bodies in two different countries that meet the specific criteria outlined in Article 15, paragraph 4 of the SIS II Regulation.
The regulation contains provisions to ensure adequate protection of personal data. In cooperation with the national supervisory authorities and the European Data Protection Supervisor, the Commission will accompany the start of the operation of SIS II with an information campaign informing the public about the objectives, the data stored, the authorities having access and the rights of individuals.
Alerts issued in respect of non-EU nationals for the purpose of refusing entry and stay
SIS II will only contain those categories of data supplied by each of the Member States, which are necessary for alerts for refusing entry or stay. Once the system is operational and alerts are included in it, the SIS II will only be possible to store the following information on persons for whom an alert has been issued: surname(s) and forename(s), name(s) at birth, aliases, specific physical characteristics, place and date of birth, sex, photographs, fingerprints, nationality(ies), whether the person concerned is armed, violent or has escaped, reason for the alert, authority issuing the alert, a reference to the decision giving rise to the alert and link(s) to other alerts issued in SIS II. It will also include the action to be taken in the event that there is a “hit” (i.e. if a competent national authority finds an alert in SIS II concerning a non-EU national on whom they have carried out a check). Should a Member State be unable to perform the requested action after obtaining a hit in SIS II, it will immediately inform the Member State that issued the alert.
Photographs and fingerprints will be used to confirm the identity of a non-EU national who has been located as a result of an alphanumeric search made in SIS II. As soon as this becomes technically possible, fingerprints may also be used to allow identification of a non-EU national on the basis of his/her biometric identifier. Before this functionality is implemented in SIS II, the Commission will present a report on the availability and readiness of the required technology.
Data on non-EU nationals, for whom an alert has been issued for refusing entry or stay, will be entered on the basis of a national alert based on a decision by the competent courts and administrative authorities taken on the basis of an individual assessment. An alert will be entered where the decision is based on a threat to public policy, to public security or to national security, which the presence of the non-EU national in question in the territory of a Member State may pose. It will also be possible to enter an alert when the decision is based on the fact that the non-EU national has been subject to a measure involving expulsion.
Access to and processing of data in SIS II
Authorities responsible for border control and other police and customs checks within the Member State concerned will have a right to access alerts. By extension, it will also be possible for national judicial authorities to access the system for the performance of their tasks. In any case, users will only be able to access data that is required for the performance of their tasks.
Before issuing an alert, Member States will determine whether the case is relevant enough to warrant the entry of the alert in SIS II. These alerts will only be kept for the time required to achieve the purposes for which they were entered. A Member State issuing an alert shall review the need to keep it within three years of its entry in SIS II.
It will only be possible to copy data for technical purposes. Such copies, which lead to off-line databases, may be retained for no more than 48 hours. It will not be possible to use data for administrative purposes.
A Member State issuing an alert will be responsible for ensuring that the data are accurate, up-to-date and lawfully entered in SIS II. Only the Member State issuing an alert will be authorised to modify, add to, correct, update or delete data that it has entered. If a Member State other than that issuing an alert obtains evidence suggesting that an item of data is incorrect, it will inform the Member State that issued the alert as soon as possible. The Member State that issued the alert will check the communication and, if necessary, correct or delete the item in question without delay. If the Member States are unable to reach an agreement within two months, the Member State that did not issue the alert will submit the matter to the European Data Protection Supervisor who will act as a mediator, jointly with the national supervisory authorities concerned.
It will be possible for a Member State to create a link between alerts it enters in SIS II, but this should only be done when there is a clear operational need.
Data processed in SIS II will not be transferred or made available to non-EU countries or to international organisations.
Processing of sensitive categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and data concerning health or sex life) will be prohibited.
Any person will have the right to request access to data relating to him/her (personal data *) that has been entered in SIS II, and to have factually inaccurate personal data corrected or unlawfully stored personal data deleted.
Information may not be communicated to the data subject if this is indispensable for the performance of a task in connection with an alert or for the protection of the rights and freedoms of third parties. Regarding the exercise of their rights of correction and deletion, individuals will be informed about the follow-up as soon as possible, and in any event no later than three months from the date of their application for correction or deletion.
It will be possible for any person to bring an action before the competent courts or authorities to access, correct, delete, or obtain information or compensation in connection with an alert relating to him/her.
The authority or authorities designated in each Member State, endowed with the powers referred to in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, will independently monitor the lawfulness of the processing of SIS II personal data on their territory and the transmission of this data from their territory. They will ensure that an audit of the data-processing operations in the N.SIS II is carried out at least every four years.
The European Data Protection Supervisor will check that the personal data-processing activities of the management authority are carried out in accordance with this regulation. S/he will also ensure that an audit of the personal data-processing activities is carried out at least every four years. A report of this audit will be sent to the European Parliament, the Council, the management authority, the Commission and the national supervisory authorities.
The national supervisory authorities and the European Data Protection Supervisor cooperate actively. They exchange relevant information, assist one another and meet at least twice a year.
The regulation will apply to the Member States participating in the current Schengen Information System (SIS 1+) from the date to be set by the Council (acting by unanimity of its members representing the governments of the Member States participating in SIS 1+) once all necessary technical preparations for SIS II have been completed at central and Member State level and once all implementing measures have been adopted. Precise information on this matter is given in Article 55 of the regulation and in the legal instruments governing migration from SIS 1+ to SIS II.
Three years after the SIS II is brought into operation, and then every four years, the Commission will produce an overall evaluation of the Central SIS II and the bilateral and multilateral exchanges of supplementary information between Member States. It will transmit the evaluation to the European Parliament and the Council.
|Act||Entry into force||Deadline for transposition in the Member States||Official Journal|
|Regulation No 1987/2006/EC||
OJ L 381 of 28.12.2006
- Texts relating to Schengen Information System (SIS II) on the website of the European Commission Directorate-General for Home Affairs
- Glossary entry “Area of freedom, security and justice” for information on changes brought by the Lisbon Treaty upon its entry into force in December 2009