What is the Schengen Information System (SIS)

SIS is a large-scale IT system, set up as a compensatory measure for the abolition of internal border checks, and intends to ensure a high level of security within the area of freedom, security and justice of the European Union, including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States. SIS is already implemented in all EU Member States, with the exception of Cyprus[1] , and in four Associated States: Iceland, Liechtenstein, Norway and Switzerland.

SIS is an information system that allows national law enforcement, judicial and administrative authorities to perform their legal tasks by sharing relevant data. With regard to the European agencies, they have read-only access; i.e. the possibility to search and consult SIS but not to update or delete the data or the alerts. EUROPOL has access to all categories of alerts stored in SIS[2] , while EUROJUST[3] has access to specific alerts in the field of police and judicial cooperation, and the European Border and Coast Guard (FRONTEX)[4] has limited access to SIS for certain teams and for specific purposes.

Legal basis

In 2018, SIS legal framework went through a significant revision primarily to enlarge its purposes, to add certain categories of alerts, and to expand the authorities with granted access to SIS data. The new legal framework was adopted on 28 November 2018 and published on 7 December 2018[5].

It consists of three new regulations, covering three areas of competence:

• Regulation (EU) 2018/1860[6] (“SIS Regulation on the use of SIS for the return of illegally staying third-country nationals”)[7] ,

• Regulation (EU) 2018/1861[8] (“SIS Regulation in the field of border checks”)[9] ,

 • Regulation (EU) 2018/1862[10](“SIS Regulation in the field of police and judicial cooperation”), as amended by Regulation (EU) 2022/1190[11].

 SIS will become, in the near future, interoperable with five other EU-large scale systems[12] , pursuant to the full application of the Interoperability Regulations[13]. This fact, among other things, will have an impact on the exercise of data subjects’ rights in this context.

Categories of information processed (alerts)

SIS contains two broad categories of information: alerts on persons and alerts on objects. With regard to alerts on persons, SIS covers the following categories of data subjects:

• third country nationals subject to refusal of entry or stay in the Schengen area or subject to return procedures,

• persons wanted for arrest for surrender or extradition purposes (in the case of associated countries),

• missing persons (including vulnerable persons who need to be prevented from travelling, e.g., children at high risk of parental abduction, children at risk of becoming victims of trafficking in human beings, and children at risk of being recruited as foreign terrorist fighters),

• persons sought to assist with a criminal judicial procedure,

• persons subject to discreet, inquiry or specific checks,

• unknown wanted persons who are connected to a crime (e.g. persons whose fingerprints are found on a weapon used in a crime),

• information on third-country nationals of interest to the Union (so-called "information alerts").

 These last two alerts are brand new in SIS, introduced by SIS Recast. While other alerts have been considerably modified by the new legal framework, such as the alert on missing persons or the alert on discreet or specific checks.

With regard to the alerts on objects, SIS stores data on objects sought for the purpose of seizure or use as evidence in criminal proceedings, or subject to discreet or specific checks. Such objects include vehicles, boats, firearms, identity documents stolen, misappropriated, lost or invalidated, bank notes, credit cards, blank documents, and as a new category “objects of high value” (e.g., items of information technology, which can be identified and searched with a unique identification number).

The categories of personal data processed

When the alert concerns a person (with the exception of unknown wanted person), the information must always include: surname, date of birth, reason for the alert, gender, a reference to the decision giving rise to the alert, basis for the decision for refusal of entry and stay (when applicable), the action to be taken, last date of the period for voluntary departure if applicable, whether return is accompanied by an entry ban. If available, the alert may also contain information such as, any specific, objective, physical characteristics not subject to change; the place of birth; photographs; fingerprints; nationality(ies); whether the person concerned is armed, violent or has escaped; the authority issuing the alert; links to other alerts issued in SIS in accordance with Article 48 of Regulation (EU) 2018/1861 or Article 63 of Regulation (EU) 2018/1862.

When the alert concerns unknown wanted persons, only dactyloscopic data may be processed, either complete or incomplete sets of fingerprints or palm prints, which due to their unique character and the reference points contained therein should enable accurate and conclusive comparisons on a person's identity[14].