The Schengen Information System (called also the SIS) has been established as a tool compensating the abolition of checks on the internal borders of the Schengen Area states. Its nature consists in ensuring that each state being a party to the Convention Implementing the Schengen Agreement had the same set of information allowing for access, by the means of an automated search procedure, to alerts on persons and property for purposes of border checks and other police and custom checks carried out within the country and for the purposes of issuing visas, residence permits and the administration of legislation on aliens in context of the application of the provisions of the Convention Implementing the Schengen Agreement

More information relating to the Schengen Information System may be found on the website of the European Comission.

Current legal grounds for the creation and operation of the Schengen Information System are:

• Regulation (EC) No 1987/2006, hereinafter “SIS Regulation”^[1]
• Council Decision 2007/533/JHA, hereinafter “SIS Decision”^[2]

It must be also pointed out, that before 28 December 2021, the SIS will start to operate on the basis of new regulations:

• Regulation (EU) 2018/1860 (illegally staying third-country nationals)^[3]
• Regulation (EU) 2018/1861 (border control)^[4]
• Regulation (EU) 2018/1862 (police cooperation)^[5]

What kind of personal data and for what purposes can be kept in the Schengen Information System?

Pursuant to Article 20 of the SIS Regulation and Article 20 of the SIS Decision the information on persons in relation to whom an alert has been issued shall be no more than the following:

1. surname(s) and forename(s), name(s) at birth and previously used names and any aliases which may be entered separately;
2. any specific, objective, physical characteristics not subject to change;
3. place and date of birth;
4. sex;
5. photographs;
6. fingerprints;
7. nationality(ies);
8. whether the person concerned is armed, violent or has escaped;
9. reason for the alert;
10. authority issuing the alert;
11. a reference to the decision giving rise to the alert;  
12. action to be taken;
13. link(s) to other alerts issued in SIS II;
14. the type of offence.

This data is processed in order to enter into the SIS II alerts concerning persons or subjects that are categorized in the following way:

• Refusal of entry or stay (Art. 24 SIS Regulation) –  these alerts concern third country nationals who are not entitled to enter or stay in the Schengen Area
• Persons wanted for arrest (Art. 26 SIS Decision) – these alerts concern persons wanted for European Arrest Warrant or for extradition purposes
• Missing persons (Art. 32 SIS Decision) – the aim of these alerts is to find missing persons, including children, and place them under protection if necessary
• Persons sought to assist with a judicial procedure  (Art. 34 SIS Decision) –  the aim of these alerts is to communicate the place of residence or domicile of persons sought to assist with a judicial procedure i.e. witnesses or persons who are to be served with a summons to report in order to serve a penalty involving deprivation of liberty.
• Alerts on persons or objects for discreet checks or specific checks (Art. 36 SIS Decision) – the aim of these alerts is to gather information about persons or subjects for the purposes of prosecuting criminal offences and for the prevention of threats to public or national security;
• Objects sought for the purposes of seizure or use as evidence in criminal proceedings (Art. 38 SIS Decision) – these alerts concern subjects i.e. vehicles, travel documents, vehicle number plates which are sought for the purposes of seizure or use as evidence in criminal proceedings

Who has the access to information kept in the Schengen Information System?

Pursuant to Article 27 of the SIS Regulation and Article 40 of the SIS Decision access to data entered in the Schengen Information System and the right to search such data directly is restricted exclusively to the authorities responsible for border checks and other police and customs checks carried out within the country, and the coordination of such checks. However, it needs to be pointed out that the right to search data directly in the Schengen Information System was also granted to national judicial authorities, inter alia, those responsible for the initiation of public prosecutions in criminal proceedings and judicial inquiries prior to indictment, in the performance of their tasks. 

Furthermore, the authorities responsible for issuing visas, the central authorities responsible for examining visa applications and the authorities responsible for issuing residence permits as well as for the administration of legislation on aliens in the context of the application of the provisions of the Schengen Aquis relating to the movement of persons are legitimated to have the access to the data kept in the system and to search directly data referring to aliens who are refused the entry, and blank official documents which have been stolen, misappropriated or lost as well as issued identity papers (passports, identity cards, driving licences) which have been stolen, misappropriated or lost. 

What is more, the European Police Office (Europol) and the Eurojust within their mandate have the limited access to some data entered into SIS II i.e. persons wanted for the arrest, who are sought to assist with a judicial procedure or missing persons.

The access to data processed in the SIS II in the Republic of Poland

The access of competent authorities to data which is being processed in the SIS is stipulated in the Act on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System (Dz. U. Nr 165, poz. 1170 ze zm). Article 3 and Article 4 enumerates national competent authorities which have access to the SIS II in Poland. These are i.a.: Police, Border Guard, courts, prosecutors’ offices, Head of the Office for Foreigners, Internal Security Ageny, Central Anti-Corruption Bureau, consulates.

How long can personal data be kept in the Schengen Information System?

Pursuant to Article 29 of the SIS Regulation and Article 44 of the SIS Decision data entered into the Schengen Information System for the purposes of tracing persons should be kept only for the time required to achieve the purposes for which they were entered. Member State which issued the alert must review the need to keep it within three years of its entry. In case of the discreet surveillance carried out on the basis of Article 36 of the SIS Decision such period has been shortened to one year. It needs to be noted that both the three-year period as well as the year-lasting one do not indicate the legitimated period of processing but only impose the obligation of periodical assessment of the need for continued storage of such data. The actual period of processing in the Schengen Information System may be therefore shorter or longer than the three- or one-year period and is made conditional on the fact whether the purpose of processing has been realized.

What rights do individuals have with regard to the processing of their personal data in the Schengen Information System?

Individuals, whose data is being processed in the SIS II system have the following rights under the SIS II Regulation and the SIS II Decision:

• the right to access data relating to them;
• the right to correct inaccurate data or delete unlawfully stored data;
• the right to lodge a complaint with a data protection authority or a court.

Anyone who exercises any of these rights may apply to the competent authority in the country of his choice, irrespective of the Member State where the alert was entered into SIS II.

Right of access

Each data subject on the basis of art. 41(1) of the SIS II Regulation and Article 58(1) of the SIS II Decision shall have the right of access to data relating to him, processed in SIS II. The right of access shall be exercised in accordance with the rules of the Member State in which the application is made. Procedures vary from country to country and differ due to various rules concerning data transfer to applicants.

Where a Member State other than that which has issued an alert may communicate information concerning such data only if it first gives the Member State issuing the alert an opportunity to state its position. The individual concerned shall be informed as soon as possible and in any event not later than 60 days from the date on which he applies for access or sooner if national law so provides. Information shall not be communicated to the data subject if this is indispensable for the performance of a lawful task in connection with an alert or for the protection of the rights and freedoms of third parties.

The right to correct or delete data

According to art. 41(5) of the SIS II Regulation and 58(5) of SIS II Decisions, if the data being processed is factually inaccurate or has been unlawfully stored, the data subject has the right to request correction or deletion of such data.

According to art. 34(2) of the SIS II Regulation and art. 49 par. 2 of the SIS II Decision, only the Member State that issued the alert is authorized to modify, add to, correct, update or delete data which it has entered. Therefore, if the application is submitted in a Member State that has not made an entry, the Member States concerned shall cooperate with each other to find a solution by exchanging information and carrying out appropriate verifications. The individual shall be informed about the follow-up given to the exercise of his rights of correction and deletion as soon as possible and in any event not later than three months from the date on which he applies for correction or deletion or sooner if national law so provides.

The right to make a complaint with the data protection authority or initiate court proceedings

Article 43 of the SIS II Regulation and Article 59 of the SIS II Decision provides for remedies available to individuals in the event of their application being rejected. The data subject may bring an action before the courts or the authority competent under the law of any Member State to access, correct, delete or obtain information or to obtain compensation in connection with an alert relating to him.

How can data subjects exercise their rights in the Republic of Poland?

Rights of data subjects rights are exercised in the Republic of Poland in accordance with provisions of the Regulation 2016/679 hereinafter “GDPR”^[6] or in accordance with the Act of 14 December 2018^[7] hereinafter “The Act of 14 December 2018” (depending on the purpose for processing data, i.e. categories of the alert).

The right to access data

Pursuant to Article 23 of the Act of 14 December 2018 the data subject shall, at his or her request, be entitled to have access to his or her own personal data.  While replying to the request for access to personal data, the controller shall make available or provide to the applicant a copy of such data, or estreat in an accessible form.

Pursuant to Article 15 of the GDPR he data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a)     the purposes of the processing;

b)     the categories of personal data concerned;

c)     the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d)     where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e)     the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f)      the right to lodge a complaint with a supervisory authority;

g)     where the personal data are not collected from the data subject, any available information as to their source;

h)     the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Refusal to provide information about the personal data being processed

Pursuant to Article 26 of the Act of 14 December 2018 information shall not be communicated and personal data shall not be made available if it would result in:

1)     disclosure of information obtained by covert surveillance;

2)     obstructing or avoiding the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

3)     obstructing criminal, executive, fiscal or fiscal criminal proceedings;

4)     a threat to life and health of individuals or to public security and public order;

5)     a threat to national security, including the defence or security, and the a vital economic or financial interest of the State;

6)     a significant breach of personal rights of the data of other persons.

Pursuant to Article 5 of the Act of 10 May 2018 on the Protection of Personal Data (Journal Laws 2019 item 1781) the controller performing a public task shall not convey information referred to in Article 15 para. 1-3 of the Regulation 2016/679 if this serves the performance of a public task and non-fulfilment of the obligations referred to in Article 15 para. 1-3 of the Regulation 2016/679 is necessary to fulfil the purposes referred to in Article 23 para. 1 of that Regulation, and fulfilment of those obligations:

1)     shall make it impossible or shall significantly hinder the performance of a public task, and the interest or fundamental rights or freedoms of the data subject are not superior with respect to the interest ensuing from the performance of that public task or

2)     shall infringe the protection of classified information.

The right to correct or delete data

Pursuant to Article 24 of the Act of 14 December 2018 the data subject may request the controller without undue delay to:

1)     to supplement, update or rectify personal data where such data are incomplete, out of date or inaccurate;

2)     delete personal data if such data has been collected or processed in violation of the Act.

The controller shall inform the applicant of the rectification or erasure of, or refusal of rectification or erasure of, data. In case of refusal of rectification or erasure of personal data, the controller shall instruct the data subject of the possibility to lodge a complaint if his or her personal data is unlawfully processed.

Pursuant to Article 16 of the GPDR the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

In accordance with Article 17 of the GPDR the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a)     the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b)     the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

c)     the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d)     the personal data have been unlawfully processed;

e)     the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f)      the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

However, this provision shall not apply to the extent that processing is necessary:

a)     for exercising the right of freedom of expression and information;

b)     for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c)     for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

d)     for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e)     for the establishment, exercise or defence of legal claims.

SIS data controller in Poland

The right of access is exercised in Poland directly. It means that data subjects have to send their requests to the data controller. Pursuant to Article 10 of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System, in Poland the Commander-in-Chief of Police is the controller of the data processed in the Schengen Information System. Pursuant to Article 28 of the Act of 14 December 2018 the applicant shall provide at least the name and address. Where the controller has reasonable doubts as to the identity of the person who made the request, it may request the additional information necessary to enable the person to verify the identity of that person.

Requests for access, correction or deletion of data should be addressed:

a) by post:

Centralny Organ Techniczny KSI

Komenda Główna Policji

ul. Puławska 148/150

02-624 Warszawa

Polska

b) via an electronic inbox available on the website

Please kindly note all requests for exercising rights of access, correction or deletion sent directly to the UODO will be forwarded to the Commander-in-Chief of the Police which will result in the extension of time required to reply them.

In order to exercise your rights you can use forms attached below.

Detailed information on formal requirements regarding the application and contact details is available on the website of the Police.

Complaint to UODO

In order to ensure an appropriate level of legal protection for persons whose data is stored in the Schengen Information System, the Office of Personal Data Protection controls whether the use of data does not violate the rights of the persons concerned. These controls are carried out in accordance with the provisions on the protection of personal data. Each person whose data is processed in the Schengen Information System has the right to lodge a complaint to the President of the Office of Personal Data Protection for the implementation of personal data protection regulations.

Detailed information on the possibility to lodge a complaint can be found here.

2021-06-02