WHAT RIGHTS ARE GRANTED TO INDIVIDUALS WHOSE DATA ARE PROCESSED IN SIS
WHAT RIGHTS ARE GRANTED TO INDIVIDUALS WHOSE DATA ARE PROCESSED IN SIS
Data subjects shall be able to exercise the rights in relation to their personal data processed in SIS, as laid down in Articles 15, 16 and 17 of the GDPR[1] and in Articles 14 and 16 (1) and (2) of the Directive (EU) 2016/680[2] , and in accordance with SIS Regulations19[3] . In addition, data subjects are entitled to seek remedies to enforce such rights[4] .
Therefore, data subjects have the following rights:
• right of access to data relating to them processed in SIS;
• right to rectification of inaccurate data;
• right to erasure when data have been unlawfully stored;
• right to bring an action before the courts or competent supervisory authorities to access, rectify, erase, obtain information or obtain compensation in connection to an alert concerning them.
Anyone exercising any of these rights can apply to the competent authorities in a Schengen State of his or her choice. This option is possible because all national databases (N.SIS) are identical to the central system database (CS.SIS)[5] . Consequently, these rights can be exercised in any Schengen State regardless of the State that issued the alert.
However, the Member State receiving the request from the data subject has to consult previously the Member State issuing the alert before providing any information to the data subject about the data processed in SIS.
In order to assist data subjects in exercising their rights, the Coordinated Supervision Committee has published a Guide that lists the national authorities competent to handle data subjects' requests, how to handle them, including any national requirements, and the means made available to do so.
Regardless of specific national procedures to handle the application for access, rectification or erasure of data processed in SIS, the reply to the data subject is due within a strict common time limit. The data subject shall be informed as soon as possible, and, in any event, within one month of receipt of the request, about the follow-up given to the exercise of the right. This period may be extended by two further months where necessary and in such case, the data subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay[6] .
Right of Access
The right of access is the possibility for anyone who so requests to have knowledge of whether or not data relating to him or her are processed by a public or private organisation, and to receive information on these data. This is a fundamental right, enshrined in Article 8 (2) of the EU Charter of Fundamental Rights, and its exercise is instrumental to put into effect other data protection rights and to protect in general the freedoms and rights of individuals.
The right of access to the data processed in SIS is provided for in Article 53(1) of Regulation (EU) 2018/1861 and in Article 67(1) of Regulation (EU) 2018/1862[7], which refer to the right of access laid down in Article 15 of the GDPR and Article 14 of the Directive (EU) 2016/680 .
This means that data subjects have the right to obtain confirmation as to whether or not personal data concerning them are being processed in SIS and, where that is the case, access to the personal data and the following information:
• The purpose of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data have been disclosed, in particular in third countries or international organisations;
• The envisaged period for which the personal data will be stored;
• The existence of the right to request rectification of inaccurate data or erasure of unlawfully stored data;
• The right to lodge a complaint
• Communication of the source of the information when data is collected from a third party.
However, the right of access is exercised in accordance with the law of the Member State where the request is submitted, and there could be restrictions to access the data, i.e. a decision not to provide information, wholly or in part, to the data subject. This is possible to the extent that such limitation constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned, in order to:
• avoid obstructing official or legal inquiries, investigations or procedures;
• avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
• protect public security;
• protect national security; or
• protect the rights and freedoms of others[8] .
Where that is the case, the applicant shall be informed in writing, without undue delay, of any refusal or restriction, unless the provision of such justification undermines one of the above-mentioned objectives. The authority receiving the request for access shall inform the applicant that he or she can lodge a complaint with the data protection authority or seek judicial remedy.
If there is a complete or partial refusal of access, data subjects can exercise their rights vis-à-vis SIS through the national data protection supervisory authority.
Right to rectification and erasure of data
Besides the right of access, there is also the right to obtain the rectification of personal data factually inaccurate or incomplete or the right to ask for erasure of personal data processed unlawfully[9].
Under the Schengen legal framework, only the Member State responsible for issuing an alert in SIS may alter or delete it[10].
If the request is submitted in a Member State that did not issue the alert, the competent authorities of the Members States concerned cooperate to handle the case, by exchanging information and making the necessary verifications. The applicant should provide the grounds for the request to rectify or erase the data and gather any relevant information supporting it.
Remedies: the right to complain to the data protection authority or to initiate a judicial proceeding
Article 54 of Regulation (EU) 2018/1861 and Article 68 of Regulation (EU) 2018/1862 presents the remedies accessible to individuals when their request has not been satisfied. Any person may bring an action before the courts or the authority competent under the law of any Member State to access, rectify, erase, obtain information or to obtain compensation in connection with an alert relating to him or her.
In case they have to deal with a complaint with a cross-border element, supervisory authorities should cooperate with each other to guarantee the rights of the data subjects.
"Detailed information on how to file a complaint can be found here.”
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, as amended)
[2] Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offenses and the execution of penalties, on the free movement of such data and repealing Council Framework Decision 2008/977/JHA (Official Journal of the EU. L 119 of 4.05.2016, p. 89, as amended).
[3] See Article 53 of Regulation (EU) 2018/1861 and Article 67 of Regulation (EU) 2018/1862.
[4] See Article 54 of Regulation (EU) 2018/1861 and Article 68 of Regulation (EU) 2018/1862.
[5] See Article 4(1)(b) of Regulation (EU) 2018/1861 and of Regulation (EU) 2018/1862.
[6] See Article 53(4) of Regulation (EU) 2018/1861 and 67(4) of Regulation (EU) 2018/1862, which refers to the deadlines provided in Article 12(3) of the GDPR.
[7] Both Articles state : ‘Data subjects shall be able to exercise the rights laid down in Article 15 (…)of Regulation (EU) 2016/679 and in Article 14 (…) of Directive (EU) 2016/680.[…]'
[8] See Articles 53(3) of Regulation (EU) 2018/1861 and Art. 67(3) of Regulation (EU) 2018/1862.
[9] See Art. 53(1) of Regulation (EU) 2018/1861 and Art. 67(1) of Regulation (EU) 2018/1862.
[10] See Art. 44(3) of Regulation (EU) 2018/1861 and Art. 59(3) of Regulation (EU) 2018/1862.