Visa Information System (VIS)
The EU has set up a central database for visa applicants’ fingerprints and facial images to process applications for short-stay visas in Schengen countries. The Danish Data Protection Agency is a supervisory authority tasked with ensuring that the authorities comply with several rules relating to that, which you can read more about below.
In order to make it easier to identify visa holders and help prevent identity theft, the Schengen countries have set up a Visa Information System (VIS), which is administrated at the EU level. Essentially, the VIS is a central database with fingerprints and facial images (biometrics) of persons applying for a short-stay visa within the Schengen Area.
This system, which is used by the Member States’ consular offices around the world, allows authorities to exchange visa information for short-term stays in the Schengen countries.
The system consists of a central VIS database operated by the EU agency for large-scale IT systems, eu-LISA, which is connected to the Member States via sTesta (Secure Trans European Services for Telematics between Administrations). Member States are required to meet various mandatory security requirements relating to the connection.
The VIS is a Schengen instrument and applies to all Schengen states, including Denmark. The VIS was first put into use in 2011 at EU delegations in North Africa and is still in the process of being rolled out globally. On 29 February 2016, the VIS was put into use at the crossing points at the outer borders of the Schengen Area.
The following data is recorded about applicants in the VIS:
- alphanumeric data about the applicant and the visa they have applied for, been issued, been denied, had cancelled, had revoked or had extended, including the applicant’s name, nationality, application number, etc.
- previous applications
Data entered in the VIS is stored for a maximum of five years. Once this period expires, or if an applicant acquires citizenship in a Member State, the data is automatically erased.
The specific provisions relating to the use of the VIS can be found in the VIS Regulation.
What rights do registered persons have?
If you are registered in the VIS, you have certain rights. You generally have the right to know what data has been registered about you in the VIS, including which Member State has submitted this data to the VIS. You also have the right to have factually incorrect data rectified and demand the erasure of unlawfully registered data.
If you want:
- access to data about you that has been registered in the VIS
- to rectify data about you in the VIS which you believe is factually incorrect or incomplete
- to demand the erasure of data about you in the VIS which you believe has been illegally registered
you should contact the Danish Immigration Service, which is the authority responsible for the data (the data controller).
If you wish to request access to data about you that has been registered in the VIS, you can use the Danish Immigration Service’s form.
Supervision of the VIS
The European Data Protection Supervisor (EDPS) supervises, through investigative and corrective powers, the processing of data in the VIS at the EU level is done in accordance with the rules pertaining to the VIS.
The national data protection authorities function as supervisory authority tasked with ensuring that the processing of personal data in every Member State VIS, including the transmission of personal data to and from different VIS databases, is done in a lawful manner. The national data protection authorities derive their supervisory authority from article 41 of the VIS regulation.
The Danish Data Protection Agency is the national supervisory authority in relation to the processing of personal data in the Danish part of the VIS. This means that the Danish Data Protection Agency supervises, through investigative and corrective powers, the Danish authorities’ use of the VIS and ensures that the processing of personal data in the VIS is done legally.
This supervisory role mainly entails inspections and processing complaints such as those of registered persons who object to having been registered in the VIS or having been denied access to the data that has been registered about them in the system.
If you are dissatisfied with a decision reached by the Danish Immigration Service concerning your request to access, rectify or erase data about you in the VIS, you can submit a complaint to the Danish Data Protection Agency.
For complaints concerning (denial of) access to personal data in the VIS, the Danish Data Protection Authority considers whether the Danish Immigration Service’s denial of access is justified. At the same time, the Danish Data Protection Agency checks for any registrations that would be in breach of the provisions governing the VIS.
For complaints concerning rectification or erasure of data in the VIS, the Danish Data Protection Agency considers whether the Danish Immigration Service’s refusal to rectify or erase data in the VIS is justified. The Danish Data Protection Agency also checks to make sure that none of the data recorded in the VIS about the person constitutes a violation of the rules, including any information that ought to have been erased according to the rules.
If you wish to submit a complaint to the Danish Data Protection Agency
In order to process your complaint concerning a decision made by the Danish Immigration Service about your right to access, rectify or erase data in the VIS, the agency requires the following information:
- a description of the nature of your complaint
- a copy of the decision or response that you received from the Danish Immigration Service
- any other material that you think is relevant to your complaint
If you submit a complaint to the Danish Data Protection Agency concerning the processing of your personal data in the VIS before you have contacted the Danish Immigration Service, the agency will generally refer your complaint to the Danish Immigration Service, as the Danish Immigration Service is the formal data controller of the VIS.
If you are dissatisfied with the Danish Data Protection Agency’s decision, you may bring the matter before a court of law. You cannot submit a complaint to other authorities about the Danish Data Protection Agency’s decision.
Denmark’s Justice and Home Affairs opt-out
Due to its Justice and Home Affairs opt-out, Denmark did not participate in the adoption of the VIS regulation. The VIS regulation is a legislative act which builds on the Schengen acquis. Denmark has a special arrangement with the other EU countries which means that Denmark is included in Schengen, even though the country does not cooperate with other Schengen members in the field of justice and home affairs. Once the other countries have adopted new Schengen measures, Denmark is free to choose whether or not to opt in to these. If Denmark chooses to opt in to new provisions, the Danish Parliament must implement them into Danish legislation within six months. The rules laid down in the VIS regulation apply in Denmark, as they have been implemented into Danish law.
Read more about the VIS
You can read more about the Visa Information System on the following websites:
• The EU Commission's website
• The Danish Immigration Service’s website, New to Denmark