The Schengen Information System (SIS) is a digital information sharing system used by all the states that are members of the Schengen Agreement. SIS is used in connection with border control, criminal investigations and other police cooperation, among other things. We supervises the Norwegian authorities’ processing of personal data in the system.
The Schengen Information System (SIS) was established to compensate for the abolition of internal border controls between the Schengen Member States. Norway joined the Schengen Agreement and SIS in 2001.
SIS consists of a national system in each of the Member States and a central system that the national systems communicate with. The functionality of the system enables the authorities in the Schengen states to search data registered about persons and objects, including in connection with external border control, police investigations in criminal cases and to ensure public order and security. The authorities with access to SIS include border control authorities, immigration authorities and police authorities.
Since its establishment, SIS has undergone an extensive technical upgrade and its scope has also been expanded. It is now the largest information sharing system for security and border management in Europe.
You can read more about SIS on the European Commission’s website (home-affairs.ec.europa.eu).
The Norwegian authorities’ processing of personal data in SIS is regulated through a dedicated act, known as the SIS Act or the Act relating to the Schengen Information System Act (lovdata.no). More extensive provisions are provided in the Regulation relating to the Schengen Information System (lovdata.no).
The current SIS regulations are based on three EU Regulations dating from 2018. These regulations are implemented in Norwegian law through Section 1 of the SIS Act, and apply as law:
The entry into force of the regulations and amendments to the SIS Act of 7 March 2023 expanded the scope of SIS by allowing registration of more categories of data relating to persons and objects. The number of authorities that can access or obtain data from SIS has also increased.
At the same time, the regulations provide for strengthening personal data protection in connection with registration in and use of SIS. The registration and processing of personal data shall be limited to what is strictly necessary. The processing of personal data shall be carried out in accordance with EU data protection legislation and fundamental rights. The SIS Regulations also contain specific provisions on the categories of personal data that may be processed, which authorities may be granted access, the rights of data subjects and supervision.
Personal data can only be registered in SIS for specific purposes. Pursuant to Section 7 of the SIS Act, personal data as mentioned in Article 20 of the Police Cooperation Regulation, Article 20 of the Border Control Regulation and Article 4 of the Return Regulation may be processed.
In accordance with Article 20 of the Police Cooperation Regulation, SIS shall contain the categories of data on persons and objects supplied by each member state, and which are required for the purposes of Articles 26, 32, 34, 36, 38 and 40. This includes alerts for the purpose of arrest for surrender or extradition purposes, missing persons, vulnerable persons who must be prevented from travelling and persons wanted in connection with criminal proceedings.
Pursuant to Article 20 of the Police Cooperation Regulation, an alert may, inter alia, contain the following personal data:
In accordance with Article 20 of the Border Control Regulation, SIS shall contain the categories supplied by each member state and required for the purposes of Article 24 (alerts on refusal of entry and stay) and Article 25 (alerts on third-country nationals subject to restrictive measures to prevent entry into or transit through the territory of the member states).
Pursuant to Article 20 of the Border Control Regulation, an alert may, inter alia, contain the following personal data:
Alerts on return registered in SIS in accordance with the Return Regulation shall only contain data as mentioned in Article 4 of the Regulation. Information can, inter alia, be registered about
Pursuant to Section 8 of the SIS Act, personal data shall be processed under the conditions set out in Articles 26, 32, 34, 36 and 40 of the Police Cooperation Regulation, Articles 24, 25 and 26 of the Border Control Regulation and Article 3 of the Return Regulation.
National authorities decide whether to register data in each individual case. The registration of data in SIS must be decided by the competent authority.
The general rule is that data shall be processed only for as long as required to achieve the purposes for which they were entered in the system.
The legal acts contain rules on deadlines for erasure of data on persons and objects. Which deadline that applies depends on the basis for the registration:
For example, alerts on refusal of entry and stay pursuant to Article 24 of the Border Control Regulation shall be deleted when the decision on which the alert was entered has been withdrawn or annulled by the competent authority, where applicable following the consultation procedure referred to in Articles 27 and 29. Alerts on third-country nationals subject to a restrictive measure intended to prevent entry into or transit through the territory of the member states shall be deleted when the restrictive measure is lifted, suspended or annulled.
If you have been registered in SIS, you have certain rights under the SIS Act. As a general rule, you have the right to information about the data registered and the right to access data about yourself. However, there are several exceptions to the right to information and access:
As a data subject, you also have the right to have incorrect data corrected and unlawfully registered data erased.
The Coordinated Supervision Committee (CSC) has published a document containing guidance on rights in SIS. The guide describes how you can go about enforcing your rights in the various countries participating in the Schengen Agreement (edpb.euroa.eu). The CSC is a committee consisting of the data protection authorities of the Schengen member states.
Requests for access shall in principle be submitted to the data controller or the authority that made the decision to register the data. This also applies if you wish to request rectification or erasure of personal data in SIS.
Requests for access, rectification or erasure may always be submitted to the National Criminal Investigation Service (Kripos).
Kripos is the data controller for the processing of data under the Police Cooperation Regulation and the Border Control Regulation (with the exception of data on entry bans under Article 24 of the Border Control Regulation).
Contact information: Kripos, P.O. Box 2094 Vika, NO-0125 Oslo
For more information and a form for requesting access, go to Access to information in the Schengen Information system (politiet.no).
The immigration authorities are responsible for processing data on entry bans pursuant to Article 24 of the Border Control Regulation and pursuant to the Return Regulation. In this context, the immigration authorities arethe Directorate of Immigration (UDI), the Immigration Appeals Board (UNE) and the police represented by the National Police Directorate as the immigration authority.
Contact information:
You can find more information about SIS and how to enforce your rights vis-à-vis the Directorate of Immigration on its website (udi.no). You can also find more information about SIS and how to enforce your rights vis-à-vis the Immigration Appeals Board on its website (une.no).
As the national supervisory authority, we shall supervise the Norwegian authorities’ processing of personal data in SIS.
If you believe that your personal data have been processed in violation of the regulations, you can file a complaint with us.
If you file a complaint with us without first contacting the data controller, we will normally refer you to contact the relevant authority.
Our supervision and control of personal data processing is pursuant to the Border Control Regulation and the Return Regulation is governed by the General Data Protection Regulation (GDPR) Chapters VI to VIII and the Personal Data Act Chapters 6 and 7 (lovdata.no).
As regards personal data processing pursuant to the Police Cooperation Regulation, the Police Databases Act Section 58 first sentence and Sections 59, 60 and 61 apply to our supervision and control etc. (lovdata.no).
In some cases, exceptions apply to the right of access to personal data in SIS. In such case, you can contact us and request that we perform a verification on your behalf. The Data Protection Authority can control whether the data about you have been processed in accordance with the law and whether the rules on access have been followed.
Our decisions under the Personal Data Act can be appealed to the Privacy Appeals Board in accordance with the rules set out in Section 22 of the Personal Data Act and Chapter VI of the Public Administration Act.
Decisions under the Police Databases Act Section 60 first paragraph can be appealed to the Privacy Appeals Board.
Data subjects may bring civil proceedings to invoke rights under the Personal Data Act or the Police Databases Act.
For information about court proceedings, see the Courts of Norway website (domstol.no).