Visa and immigration

Information on the processing of personal data

The collection of personal data required for all visa applications, including photographs and fingerprints, is compulsory for the examination of a visa application. Failure to provide this information will result in the application being declared inadmissible.

The responsible authorities

Ministère des Affaires étrangères et européennes,
de la Défense, de la Coopération et du Commerce extérieur
Bureau des Passeports, Visas et Légalisations
6 Rue de l’Ancien Athenée
L-1144 Luxembourg
service.visas@mae.etat.lu

Data protection officer: dataprotection.mae@mae.etat.lu

The legal basis

The legal basis for the collection and the processing of personal data is set out in Regulation (EC) 767/2008 (VIS Regulation), Regulation (EU) 2019/1155 amending Regulation (EC) 810/2009 establishing a Community Code on Visas (Visa Code) and Council Decision 2008/633/JHA.

The processing of personal data

The data will be shared with the competent authorities of the Schengen Member States [1] and processed by these authorities for the purposes of decision-making on a visa application.

Data and information relating to the decision taken on an application, whether to annul, revoke or extend an existing visa, will be entered and stored in the Visa Information System (VIS) for a maximum period of five years, during the course of which they will be accessible to the visa authorities and to the authorities responsible for carrying out visa checks at the external borders and within the Member States, to immigration and asylum authorities in the Member States, in order to check whether the conditions for entry, stay and legal residence on the territory of the Member States are fulfilled, to identify persons who do not meet or no longer meet these conditions, to examine an asylum application and to determine responsibility for this examination.

Under certain conditions, the data will also be made available to the designated authorities of the Member States and to Europol for the purposes of the prevention, detection and investigation of terrorist offences and other serious criminal offences.

Third countries and international organisations

Personal data may also be transferred to third countries or international organizations in order to verify the identity of third-country nationals, including for return purposes. Such transfers only take place under certain conditions [2]. You can contact the authority responsible for data processing to obtain further information on these conditions and how they are met in your particular case.

Transparency and rights of the data subject

Under the General Data Protection Regulation [3] and the VIS Regulation [4], you have the right to obtain access to your personal data, including a copy thereof, as well as the identity of the Member State that transmitted it to the VIS. You also have the right to have inaccurate or incomplete personal data corrected or completed, to have the processing of your personal data restricted under certain conditions, and to have personal data that has been processed unlawfully deleted.

You may address your request for access, rectification, restriction or erasure directly to the authority responsible for processing the data. Further details on how you may exercise these rights, including the related remedies according to the national law of the State concerned, are available on its website and can be provided upon request.

You may also address your request to any other Member State. The list of competent authorities and their contact details is available at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en#member-lu

Lodge a complaint

You are also entitled to lodge at any time a complaint with the national data protection authority of the Member State of the alleged infringement, or of any other member State, if you consider that your data have been unlawfully processed. 

The data protection authority of Luxembourg is:

National Commission for Data Protection (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux
Phone: (+352) 26 10 60 – 1

Web contact: https://cnpd.public.lu/en/support/contact.html
Website: https://cnpd.public.lu/en/commission-nationale.html

[1]  Austria, Belgium, Bulgaria, Croatia, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Rumania, Slovakia, Slovenia, Spain, Sweden and Switzerland.

[2] Article 31 of Regulation (EC) 767/2008 (VIS Regulation)

[3] Article 15 to 19 of Regulation (EU) 2016/679 (GDPR)

[4] Article 38 of Regulation (EC) 767/2008 (VIS Regulation)

The Visa Information System (VIS) is a system for exchanging data on short-stay visas between Schengen states. The main objectives of the VIS are to facilitate visa application procedures and external border controls, and to enhance the security of the Schengen area.

The aim of the global VIS introduction process is to provide applicants with greater protection against identity theft, and to prevent document fraud and the practice of "visa shopping". Fingerprints are widely used in the EU as one of the most secure means of identification. The use of biometric data to identify a visa holder is a faster and more precise way of identifying a visa holder by the border police.

The VIS incorporates a central database, a national interface in each Schengen state, and a communication infrastructure between the central database and the national interface. The VIS is linked to the national visa systems of all the Schengen States via the national interfaces, enabling the competent authorities in the Schengen States to process data on visa applications and on visas either issued, refused, annulled, revoked or extended.

The VIS consists of two systems: the VIS database, which conducts alphanumeric searches, and the Automated Fingerprint Identification System (AFIS), which compares fingerprints received with the database and returns a positive or negative response, including any matches.

The main central VIS is located in Strasbourg (France) and a back-up central VIS, capable of providing all the functions of the main central VIS, is located in Sankt Johann in Pongau (Austria).

The VIS is continually processing information gathered by the consulates of the Schengen states. For instance, information entered locally by visa authorities can be available in the VIS in a matter of minutes. The VIS offers rapid verification services for visa holders at border crossings, taking just a few seconds to conduct a visa check.

The Commission was responsible for developing the central database, the national interfaces and the communication infrastructure between the central VIS and the national interfaces. Individual Schengen States are responsible for the development, management and operation of their respective national systems.

The EU Agency for large-scale IT systems, eu-LISA, is responsible for the operational management of VIS.

What is the legal basis for the VIS?

The main acts constituting the legal framework of the VIS are the following:

·                  Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS), OJUE L 213, 15.6.2004, p. 5.

·                  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the VIS and the exchange of data between Member States on short-stay visas (VIS Regulation), OJUE L 218, 13.8.2008, p. 60.

·                  Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the VIS by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offence, OJUE L 218, 13.8.2008, p. 129.

·                  Regulation (EC) No 81/2009 of the European Parliament and of the Council of 14 January 2009 amending Regulation (EC) No 562/2006 as regards the use of the Visa Information System (VIS) under the Schengen Borders Code, OJUE L 35, 4.2.2009, p. 56.

·                  Regulation (EC) No 810/2009 of the European Parliament and the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code), OJUE L 243, 5.9.2009, p. 1.

What are the consequences of VIS in practice for visa applicants?

First-time visa applicants must always present themselves in person when submitting their application to provide their photograph and fingerprints.

The photograph is currently scanned from an existing paper photograph. At a later stage, the photograph will be taken digitally at the moment of the application.

For all new subsequent applications submitted within a period of 59 months, the fingerprints can be copied into the VIS from the previous application file.

Nevertheless, it should be stressed that in the event of reasonable doubt as to the applicant's identity, the consulate will collect fingerprints again within the 59 months referred to above. Moreover, the applicant may ask for fingerprints to be taken if, at the time the application is submitted, it is not immediately possible to confirm that the fingerprints were taken within the aforementioned period.

The biometric data of visa applicants may be collected by Schengen State consulates and external service providers (such as VFS, TLS and others), but not by commercial intermediaries (e.g. travel agencies).

Upon arrival at the Schengen external border, visa holders must provide their fingerprints for comparison with those registered in the VIS, at the request of the Schengen States' border control authorities. Searches in the VIS by Schengen border guards are based on the visa sticker number in combination with fingerprints.

Visa holders whose fingerprints have not been taken at the time of application, on the grounds that they have been exempted from this requirement, will not be asked to provide fingerprints at the border.

What happens to those who refuse to provide fingerprints for various reasons?

As a result, a Schengen visa will not be issued if biometric data is not provided. However, in accordance with Article 13(7) of the Visa Code, there are several categories of citizens who are not required to provide this data, as indicated in the FAQ under Question 18.

If I already have a biometric passport, do I also need to submit my fingerprints?

Yes, holders of biometric passports must also appear in person when applying for a short-stay Schengen visa for the first time to submit their fingerprints.

How is my biometric data protected in the VIS?

Strict data protection rules are defined in the VIS regulation and are subject to control by national and European data protection authorities.

Data is kept in the VIS for a maximum of five years from the visa expiry date, if a visa has been issued, or from the new visa expiry date, if a visa has been extended, or from the date on which a refusal decision is issued by the visa authorities.

All individuals have the right to obtain communication of the data recorded in the VIS concerning them from the Schengen State which entered the data in the system. Individuals may also request that inaccurate data concerning them be rectified, and that illegally recorded data be deleted.

In each Schengen State, the national supervisory authorities independently monitor the processing of personal data recorded in the VIS by the respective Schengen State.

The European Data Protection Supervisor monitors the data processing activities of the VIS Management Authority.

Which data are registered in the VIS?

The visa authorities in each Schengen state register data relating to short-stay visa applications (i.e. applications to stay in the Schengen area for 90 days or less) in the VIS. Data relating to national long-stay visas are not yet recorded in the VIS.

Upon reception of an application, the visa authorities of the relevant Schengen State create an application file in VIS and record the alphanumeric data contained in the Schengen visa application form, the applicant's digital photograph and the ten fingerprints collected.

If the applicant is traveling in a group, the travelers' application files will be linked in the VIS. If a previous application has been registered for the same applicant, the two applications will also be linked in the VIS.

Once a decision has been taken on the application (visa granted/refused) or post-decision (annulment, revocation, extension), the information is recorded in the VIS by the visa authorities of the relevant Schengen States. Once the visa has been issued and all applicant data - including fingerprints - have been recorded in the VIS, a code is inserted in the visa sticker.

Which authorities have access to the VIS?

The visa authorities of the Schengen States have access to the VIS for both data recording and consultation. Application and decision data are entered into the VIS by the visa authorities of the Schengen State responsible for examining the application or taking the decision. The data entered by one Schengen State can then be consulted by the visa authorities of all the other Schengen States, for example when examining another application from the same applicant.

Other authorities from the Schengen States have access to the VIS for consultation only.

National border authorities have access to the VIS in order to verify the identity of the visa holder, the authenticity of the visa and whether the conditions for entry into the territory of the Schengen states have been fulfilled. VIS checks at the Schengen area's external borders, with systematic fingerprint verification, are compulsory, except in a limited number of cases.

The national authorities responsible for carrying out identity checks on the territory of the Schengen states have access to the VIS in order to verify the identity of the visa holder, the authenticity of the visa and whether the conditions for entry, stay or residence on the territory of the Schengen states have been fulfilled.

National asylum authorities have access to the VIS to determine the Member State responsible for examining an asylum application in accordance with Regulation (EC) No 343/2003 and for processing the application.

Europol has access to the VIS for consultation purposes as part of the prevention, detection and investigation of terrorist offences and other serious criminal offences.

National law enforcement authorities have access to VIS data for the same purposes, provided certain legal conditions are respected: access to VIS data must be necessary in a particular case, and there must be reasonable grounds for considering that consultation of the data will make a substantial contribution to the prevention, detection and investigation of terrorism and other serious crimes.

As a general rule, VIS data may not be transferred or made available to a third country or international organization. By way of derogation, certain data recorded in the VIS (name, nationality, travel document number, residence) may be communicated to a third country or international organization when a specific case requires it to prove the identity of a third-country national, including for return purposes.

For detailed information on how to exercise your access rights, please visit the following site: 

https://cnpd.public.lu/en/particuliers/vos-droits/droit-acces.html

CITIZENS’ RIGHTS IN THE FIELD OF THE SCHENGEN INFORMATION SYSTEM

1. General presentation of the Schengen Information System

The Schengen Information System (SIS) was implemented as a search system for persons and objects by the Convention implementing the Schengen Agreement of 19 June 1990. The SIS was designed as a compensatory measure to the lifting of internal border controls with the aim of ensuring a high level of security in the European Union’s area of freedom, security and justice.

The system includes alerts

i. On persons, namely :

• Third-country nationals subject to a return decision,
• Third-country nationals subject to a refusal of entry and stay,
• Persons wanted for arrest for surrender or extradition purposes,
• Missing persons, including :
• Children at risk of abduction by a parent, a family member or a guardian, o Vulnerable persons who need to be prevented from travelling,
• Persons sought to assist with a judicial procedure,
• Persons for discreet, inquiry or specific checks,
• Unknown wanted persons for the purpose of identification under national law.

ii. On objects:

• For discreet, inquiry or specific checks,
• For seizure or use as evidence in criminal proceedings.

2. Legal framework applicable to SIS as well as to data protection

The SIS is established by the following legal instruments:

-        Regulation (EU) 2018/1860 of the European Parliament and of the Council, of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying thirdcountry nationals,

-        Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006,

-        Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU.

The following legal instruments are applicable in terms of data protection:

-        Loi du 1er août 2018 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel en matière pénale ainsi qu’en matière de sécurité nationale (Law of 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, transposing into national law the Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA) (hereafter « LPD »),

-        Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereafter « GDPR »)

-        Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et du régime général sur la protection des données » (Law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework).

3. Information to be made available to the individual on data processing in the SIS

i. The data controller

In Luxembourg, the data controller for the data processing in the context of the SIS is the Grand Ducal Police, represented by its General Director.

ii. The purposes of the processing

The purposes of the processing for which the personal data are intended are the following:

• Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security,
• External border control,
• Immigration control.

iii. The categories of personal data that may be processed

The personal data that may be included in a SIS alert are listed in article 20 of Regulation 2018/1861 and of Regulation 2018/1862 as well as in article 4 of Regulation 2018/1860.

iv. The recipients or categories of recipients

National competent authorities of the Schengen Member States that can access the SIS and are thus to be considered as recipients are listed in article 34 of Regulation 2018/1861 and articles 44 to 47 of Regulation 2018/1862. In addition to these national competent authorities, SIS can also be accessed by Europol, Frontex and Eurojust in accordance with articles 35 and 36 of Regulation 2018/1861 and articles 48 to 50 of Regulation 2018/1862.

v. The storage period

Alerts on persons and on objects shall be kept only for the time required to achieve the purposes for which they were entered.

The above-mentioned regulations foresee several time limits for a periodic review of the need for the storage of personal data with the possibility to renew the alerts.

Alerts on persons subject to a discrete, inquiry or specific check as well as certain categories of missing persons have in principle to be re-examined at the latest after one year.

Alerts on persons subject to a return decision, subject to a refusal of entry and stay, sought to assist with a judicial procedure as well as unknown wanted persons for the purpose of identification have in principle to be re-examined at the latest after three years.

Alerts on persons wanted for arrest for surrender or extradition purposes as well as certain categories of missing persons are in principle to be re-examined at the latest after five years.

Alerts on objects are in principle to be re-examined at the latest after ten years.

vi. The rights of individuals

Concerning the right for information provided under articles 13 and 14 of the GDPR, respectively article 12 of the LPD, the Grand-Ducal Police refers to the information on its website under the heading « Data protection » (Link https://police.public.lu/fr/support/protection-des-donnees-a-caractere-personnel.html).

As foreseen in article 53 of Regulation 2018/1861 and article 67 of Regulation 2018/1862, individuals have the right to introduce

-        A request for access to their data,

-        A request for correction of inaccurate data,

-        A request for deletion of unlawfully stored data,

In accordance with articles 15, 16 and 17 of the GDPR and 13 and 15 of the LPD.

These requests may be submitted to any Member State of the European Union operating the system and any of the four Schengen Associated States (Switzerland, Norway, Liechtenstein and Island). The receiving Member State will process the request according to their own national procedures in place as well as according to the European rules in force.

With regard to deadlines for processing such requests, it should be noted that both the requests for access and the requests for rectification and deletion must be answered within 1 month (article 53(4) of the Regulation 2018/1861 and article 67(4) of the Regulation 2018/1862, both referring to article 12(3) of the GDPR).

Regarding the form, Member States will have to strive to respect both the form (letter or email) of the requestor as well as the language used by them, this of course as far as possible. In general, the Grand Ducal Police processes access requests as well as correction or deletion requests if they are introduced in any of the administrative languages of the country (Luxembourgish, French, German) or in English.

In accordance with article 12(6) of the GDPR and article 11, paragraph 5 of the LPD, the Grand-Ducal Police must have sufficient guarantees to establish with certainty the identity of the person requesting information, so as not to prejudice the rights of others. The following documents have therefore to be enclosed to the requests:

For a request from an individual:

-        A signed letter,

-        A copy of an identity document (identity card or passport).

For a request from an individual on behalf of another individual:

-        A power of attorney duly signed by both parties,

-        A letter signed by the represented party,

-        A copy of an identity document of represented party (identity card or passport),

-        A copy of an identity document of the representing party (identity card or passport).

For a request from an attorney:

-        A power of attorney duly signed by the client and the attorney,

-        A copy of an identity document of the client (identity card or passport),

-        A copy of an identity document of the attorney (identity card or passport),

-        A copy of an attorney card or equivalent.

It goes without saying that the transmission of a copy of an identity card or passport via the Internet may present a certain risk in the event of possible abuse by a third party (for example, interception).

Finally, in exceptional circumstances and in accordance with article 53(3) of the Regulation 2018/1861, article 67(3) of the Regulation 2018/1862, and articles 14 and 15, paragraph 4 of the LPD, a Member State may take a decision not to provide information to the data subject, in whole or in part, in order to safeguard national security, defence and public security, or for the prevention, investigation, detection and prosecution of criminal offences, for as long as such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject concerned.

vii. Right to lodge a complaint or to seek judicial remedy

In case the reply which is provided by the Grand Ducal Police does not satisfy the requestor, the latter has the right to file a complaint with the national supervisory authority, namely the « Commission nationale pour la protection des données », in accordance with article 77 of the GDPR, respectively in accordance with article 44 of the LPD. The national supervisory authority may be contacted under the following contact details:

Commission nationale pour la protection des données (CNPD)

Service des réclamations

15, Boulevard du Jazz

L-4370 Belvaux

Luxembourg.

Furthermore, the requestor also has the right to seek judicial remedy within three months after the receipt of the final reply at the Administrative Court of Luxembourg (Tribunal administratif) with the assistance of an attorney.