The  Visa  Information  System  ('VIS')  is  a  system  for  the  exchange  of  visa  data  between Member  States. Its purpose is  to  facilitate  the  visa application  procedure,  prevent  visa  shopping  and  fraud,  facilitate  border  checks  as  well  as identity  checks  within  the  territory  of  the  Member  States  and  to  contribute  to  the prevention  of  threats  to  the  internal  security  of  the  Member  States.  To  this  end,  the  VIS provides a central repository of data on all short-stay Schengen visas.

Legal grounds for the creation and operation of the Visa Information System are:

• Regulation (EC) No 767/2008, hereinafter “VIS Regulation”^[1]
• Council Decision 2004/512/EC, hereinafter “VIS Decision”^[2]
• Council Decision 2008/633/JHA^[3]

What kind of personal data and for what purposes can be kept in the Visa Information System?

Pursuant to Article 9 of the VIS Regulation, the visa authority shall enter i.e the following data in the application file:

a)     surname, surname at birth (former surname(s)); first name(s); sex; date, place and country of birth;

b)     current nationality and nationality at birth;

c)     type and number of the travel document, the authority which issued it and the date of issue and of expiry;

d)     place and date of the application;

e)     type of visa requested;

f)      details of the person issuing an invitation and/or liable to pay the applicant's subsistence costs during the stay, being: in the case of a natural person, the surname and first name and address of the person or in the case of a company or other organisation, the name and address of the company/other organisation, surname and first name of the contact person in that company/organisation;

g)     main destination and duration of the intended stay;

h)     purpose of travel;

i)      intended date of arrival and departure;

j)      intended border of first entry or transit route;

k)     residence;

l)      current occupation and employer; for students: name of school;

m)   in the case of minors, surname and first name(s) of the applicant's father and mother;

n)     a photograph of the applicant

• o)     fingerprints of the applicant

Fingerprints are not required from children under the age of 12 or from people who physically cannot provide finger scans. Frequent travellers to the Schengen Area do not have to give new finger scans every time they apply for a new visa. Once finger scans are stored in VIS, they can be re-used for further visa applications over a 5-year period.

Who has the access to information kept in the Visa Information System?

Pursuant  to VIS Regulation, different types of authorities can have access to VIS data such as:

• visa authorities which are responsible for examining and for taking decisions on visa applications or for decisions whether to annul, revoke or extend visas, including the central visa authorities and the authorities responsible for issuing visas at the border,
• authorities responsible for carrying out checks at external border crossing points in accordance with the Schengen Borders Code,
• authorities competent for carrying out checks within the territory of the Member States
• competent asylum authorities

With regard to access to the VIS by law enforcement authorities, that besides the access of the Europol, according to Article 3  of  Council  Decision  2008/633/JHA,  Member  States  shall  designate  the  authorities  which are  authorized  to request access to VIS  data  for  the  purposes  of  the  prevention,  detection and  investigation  of  terrorist  offences  and  of  other  serious  criminal  offences.  Member States  shall notify  in  a  declaration  the  list  of  those  authorities  and of  the  chosen central access   point(s)to   the   Commission   and   the   General   Secretariat   of   the   Council.   The Commission  shall  publish  these  declarations  in  the  Official  Journal  of  the  European  Union.

The access to data processed in the VIS in the Republic of Poland

The access of competent authorities to data which is being processed in the VIS is stipulated in the Act on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System (Dz. U. Nr 165, poz. 1170 ze zm). Article 5, Article 6 and Article 7 enumerates national competent authorities which have access to the VIS in Poland. These are i.a.: Border Guard, consulates Head of the Office for Foreigners, courts, prosecutors’ offices, Police Internal Security Agency, Central Anti-Corruption Bureau, consulates.

How long can personal data be kept in the Visa Information System?

Pursuant to Article 23 of the VIS Regulation each application file shall be stored in the VIS for a maximum of five years, without prejudice to the deletion referred to in Articles 24 and 25 and to the keeping of records referred to in Article 34.

That 5-year period shall start: on the expiry date of the visa, if a visa has been issued, on the new expiry date of the visa, if a visa has been extended, on the date of the creation of the application file in the VIS, if the application has been withdrawn, closed or discontinued or on the date of the decision of the visa authority if a visa has been refused, annulled, shortened or revoked. However, if an applicant has acquired the nationality of a Member State, before expiry of that period, the application files and the links relating to him or her shall be deleted without delay from the VIS by the Member State which created the respective application file(s) and links.

What rights do individuals have with regard to the processing of their personal data in the Visa Information System?

Individuals, whose data is being processed in the VIS, have the following rights under the VIS Regulation:

• the right to access data relating to them;
• the right to correct inaccurate data or delete unlawfully stored data;
• the right to lodge a complaint with a data protection authority or a court.

Right of access

Each data subject on the basis of art. 38(1) of the VIS Regulation shall have the right of access to data relating to him, recorded in the VIS and of the Member State which transmitted them. Such access to data may be granted only by a Member State

The right to correct or delete data

According to art. 38(2) of the VIS Regulation any person may request that data relating to him which are inaccurate be corrected and that data recorded unlawfully be deleted. The correction and deletion shall be carried out without delay by the Member State responsible, in accordance with its laws, regulations and procedures.

According to art. 38(3) of the VIS Regulation if such request is made to a Member State other than the Member State responsible, the authorities of the Member State with which the request was lodged shall contact the authorities of the Member State responsible within a period of 14 days. The Member State responsible shall check the accuracy of the data and the lawfulness of their processing in the VIS within a period of one month.

The right to make a complaint with the data protection authority or initiate court proceedings

Article 40 of the VIS Regulation in each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to or the right of correction or deletion of data relating to him.

How can data subjects exercise their rights in the Republic of Poland?

Rights of data subjects rights are exercised in the Republic of Poland in accordance with provisions of the Regulation 2016/679 hereinafter “GDPR”^[4]

The right to access data

Pursuant to Article 15 of the GDPR he data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a)     the purposes of the processing;

b)     the categories of personal data concerned;

c)     the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d)     where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e)     the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f)      the right to lodge a complaint with a supervisory authority;

g)     where the personal data are not collected from the data subject, any available information as to their source;

h)     the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Refusal to provide information about the personal data being processed

Pursuant to Article 5 of the Act of 10 May 2018 on the Protection of Personal Data (Journal Laws 2019 item 1781) the controller performing a public task shall not convey information referred to in Article 15 para. 1-3 of the Regulation 2016/679 if this serves the performance of a public task and non-fulfilment of the obligations referred to in Article 15 para. 1-3 of the Regulation 2016/679 is necessary to fulfil the purposes referred to in Article 23 para. 1 of that Regulation, and fulfilment of those obligations:

1)     shall make it impossible or shall significantly hinder the performance of a public task, and the interest or fundamental rights or freedoms of the data subject are not superior with respect to the interest ensuing from the performance of that public task or

2)     shall infringe the protection of classified information.

The right to correct or delete data

Pursuant to Article 16 of the GPDR the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

In accordance with Article 17 of the GPDR the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a)     the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b)     the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

c)     the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d)     the personal data have been unlawfully processed;

e)     the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f)      the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

However, this provision shall not apply to the extent that processing is necessary:

a)     for exercising the right of freedom of expression and information;

b)     for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c)     for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

d)     for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e)     for the establishment, exercise or defence of legal claims.

VIS data controller in Poland

In Poland, the right of access shall be exercised directly. It means that data subjects have to send their requests to the data controller. Pursuant to Article 10 of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System, in Poland the Commander-in-Chief of Police is the controller of the data processed in the Visa Information System.

Requests for access, correction or deletion of data should be addressed:

a) by post:

Centralny Organ Techniczny KSI

Komenda Główna Policji

ul. Puławska 148/150

02-624 Warszawa

Polska

b) via an electronic inbox available on the website

Please kindly note all requests for exercising rights of access, correction or deletion sent directly to the UODO will be forwarded to the Commander-in-Chief of the Police which will result in the extension of time required to reply them.

In order to exercise your rights you can use forms attached below.

Detailed information on formal requirements regarding the application and contact details is available on the website of the Police.

Complaint to UODO

In order to ensure an appropriate level of legal protection for persons whose data is stored in the Visa Information System, the Office of Personal Data Protection controls whether the use of data does not violate the rights of the persons concerned. These controls are carried out in accordance with the provisions on the protection of personal data. Each person whose data is processed in the Schengen Information System has the right to lodge a complaint to the President of the Office of Personal Data Protection for the implementation of personal data protection regulations.

Detailed information on the possibility to lodge a complaint can be found here.

2021-06-02