PURPOSE: to establish the legal framework for the Visa Information System and the procedures and conditions for the exchange of visa data between Member States on short-stay visa applications.
LEGISLATIVE ACT: Regulation (EC) No 767/2008 of the European Parliament and of the Council concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation).
BACKGROUND: the establishment of the Visa Information System (VIS) represents one of the key initiatives within the policies of the European Union aimed at establishing an area of freedom, security and justice. In 2004, the Council adopted Council Decision 2004/512/EC establishing the Visa Information System (VIS) (CNS/2004/0029), which established the VIS as a system for the exchange of visa data between Member States. This Decision gave the Commission the mandate to prepare the technical development of VIS and to provide the required legislative basis to allow for the inclusion in the Community budget of the necessary appropriations for the technical development of VIS and the execution of that part of the budget.
It is now necessary to define the purpose, the functionalities and responsibilities for the VIS, and to establish the conditions and procedures for the exchange of visa data between Member States. This is the purpose of the present Regulation. It shall be complemented by a separate legal instrument adopted under Title VI of the Treaty on European Union concerning access for the consultation of the VIS by authorities responsible for internal security (CNS/2005/0232).
CONTENT: the VIS shall improve the implementation of the common visa policy, consular cooperation and consultation between central visa authorities by facilitating the exchange of data between Member States on applications and on the decisions relating thereto, in order to facilitate the visa application procedure, to prevent ‘visa shopping’, to facilitate the fight against fraud and to facilitate checks at external border crossing points and within the territory of the Member States.
The VIS should also assist in the identification of any person who may not, or may no longer, fulfil the conditions for entry to, stay or residence on the territory of the Member States, and facilitate the application of Council Regulation (EC) No 343/2003 (Dublin II) establishing the criteria and mechanism for determining the Member State responsible for examining an asylum application lodged in one of the Member States by a third-country national and contribute to the prevention of threats to the internal security of any of the Member States.
Subject matter and scope: this Regulation defines the purpose of, the functionalities of and the responsibilities for the Visa Information System (VIS), as established by Decision 2004/512/EC. It sets up the conditions and procedures for the exchange of data between Member States on applications for short-stay visas and on the decisions taken in relation thereto, including the decision whether to annul, revoke or extend the visa, to facilitate the examination of such applications and the related decisions.
Categories of data: the Regulation governing the VIS allows the competent authorities (in particular visa, border and immigration agencies) to store in a central European database alphanumeric and biometric data on visa applicants and visas which have been issued, denied or revoked, and retrieve the data concerned. This enables them to prevent what is referred to as visa shopping, and to identify applications by the same person under different names.
Only the following categories of data shall be recorded in the VIS:
a) alphanumeric data on the applicant and on visas requested, issued, refused, annulled, revoked or extended;
b) photographs;
c) fingerprint data;
d) links to other applications as set out in this Regulation.
Access for entering, amending, deleting and consulting data: access to the VIS for entering, amending or deleting the data shall be reserved exclusively to the duly authorised staff of the visa authorities. Access to the VIS for consulting the data shall be reserved exclusively to the duly authorised staff of the authorities of each Member State which are competent for the purposes laid down in the Regulation, limited to the extent that the data are required for the performance of their tasks.
Each Member State shall designate the competent authorities, the duly authorised staff of which shall have access to enter, amend, delete or consult data in the VIS. Each Member State shall without delay communicate to the Commission a list of these authorities. That list shall specify for what purpose each authority may process data in the VIS.
Availability of data for the prevention, detection and investigation of terrorist offences and other serious criminal offences: the designated authorities of the Member States may in a specific case and following a reasoned written or electronic request access the data kept in the VIS if there are reasonable grounds to consider that consultation of VIS data will substantially contribute to the prevention, detection or investigation of terrorist offences and of other serious criminal offences. Europol may access the VIS within the limits of its mandate and when necessary for the performance of its tasks.
The consultation shall be carried out through central access point(s) which shall be responsible for ensuring strict compliance with the conditions for access and the procedures established in Council Decision 2008/633/JHA concerning access for consultation of the Visa Information System (VIS) by the designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences.
Before being authorised to process data stored in the VIS, the staff of the authorities having a right to access the VIS shall receive appropriate training about data security and data protection rules and shall be informed of any relevant criminal offences and penalties.
General principles applicable to the VIS: each competent authority authorised to access the VIS in accordance with this Regulation shall ensure that the use of the VIS is necessary, appropriate and proportionate to the performance of the tasks of the competent authorities. It shall ensure that, in using the VIS, it does not discriminate against applicants and visa holders on grounds of sex, racial or ethnic origin, religion or belief, disability, age or sexual orientation and that it fully respects the human dignity and the integrity of the applicant or of the visa holder.
The Regulation also defines the rules applicable to:
1) The entry and use of data by visa authorities: provisions are set out as regards procedures to be respected by the competent authorities as regards entering data upon the application; data upon lodging the application; data to be added for a visa issued; data to be added where the examination of the application is discontinued; data to be added for a visa refusal; data to be added for a visa annulled or revoked or with a shortened validity period; data to be added for a visa extended, etc.
2) The access to data by other authorities: the Regulation lays down the procedures to be respected as regards access to data for verification at external border crossing points and within the Member States; access to data for determining the responsibility for asylum applications and examining the application for asylum; etc.
3) Retention and amendment of the data: each application file shall be stored in the VIS for a maximum of five years. Upon expiry of this, the VIS shall automatically delete the application file and the links to this file.
4) Operation and responsibilities: after a transitional period, which should not exceed 5 years from the date of entry into force, the Commission shall be responsible for the operational management of the central VIS and the national interfaces and shall ensure, in cooperation with the Member States, that at all times the best available technology, subject to a cost-benefit analysis, is used for the central VIS and the national interfaces. The Commission may delegate that task and tasks relating to implementation of the budget, to national public-sector bodies in two different Member States. Prior to any delegation and at regular intervals thereafter, the Commission shall inform the European Parliament and the Council of the terms of the delegation, its precise scope, and the bodies to which tasks are delegated. The principal central VIS, which performs technical supervision and administration functions, shall be located in Strasbourg (France) and a back-up central VIS, capable of ensuring all functionalities of the principal central VIS in the event of failure of the system, shall be located in Sankt Johann im Pongau (Austria). The VIS shall be connected to the national system of each Member State via the national interface in the Member State concerned. Each Member State shall designate a national authority, which shall provide the access of the competent authorities to the VIS, and connect that national authority to the national interface. 
They shall observe automated procedures for processing the data and shall be responsible for the development of the national system and/or its adaptation to the VIS; the organisation, management, operation and maintenance of its national system; the management and arrangements for access of the duly authorised staff of the competent national authorities to the VIS in accordance with this Regulation, and the establishment and regular updating of a list of such staff and their profiles; bearing the costs incurred by the national system and the costs of their connection to the national interface, including the investment and operational costs of the communication infrastructure between the national interface and the national system. Staff shall be given appropriate training about data security and data protection rules and shall be informed of any relevant criminal offences and penalties. Each Member State shall ensure that the data are processed lawfully, and in particular that only duly authorised staff have access to data processed in the VIS for the performance of their tasks. Data processed in the VIS pursuant to this Regulation shall not be transferred or made available to a third country or to an international organisation (except in the case of urgent situations and under certain conditions).
5) Rights and supervision on data protection: a number of measures aim to protect individuals with regard to the processing of data. Member States shall cooperate actively to enforce the rights laid down in this Regulation. Any person may request that data relating to him which are inaccurate be corrected and that data recorded unlawfully be deleted. The correction and deletion shall be carried out without delay by the Member State responsible, in accordance with its laws, regulations and procedures. In each Member State, the national supervisory authority shall, upon request, assist and advise the person concerned in exercising his right to correct or delete data relating to him in accordance with Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The National Supervisory Authority of the Member State responsible which transmitted the data and the National Supervisory Authorities of the Member States with which the request was lodged shall cooperate to this end.
Remedies: it is provided that in each Member State any person shall have the right to bring an action or a complaint before the competent authorities or courts of that Member State which refused the right of access to or the right of correction or deletion of data relating to him.
Regulation (EC) No 45/2001 of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data applies to the activities of the Community institutions or bodies when carrying out their tasks as responsible for the operational management of the VIS.
Territorial application: the Regulation sets out conditions for participation in the VIS by certain Member States which do not normally participate in the common visa policy (United Kingdom and Ireland which will not be associated with the implementation of the VIS) or for countries associated with the implementation of Schengen (Iceland, Norway and Switzerland). Denmark does not take part in the adoption of this Regulation and is therefore not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark should decide within a period of six months after the adoption of this Regulation whether it will implement it in its national law.
Start of operations: the Commission shall determine the date from which the VIS is to start operations when: specific measures have been adopted; the Commission has declared the successful completion of a comprehensive test of the VIS, which shall be conducted by the Commission together with Member States; and, following validation of technical arrangements, the Member States have notified the Commission that they have made the necessary technical and legal arrangements.
Monitoring and evaluation: the Management Authority shall ensure that procedures are in place to monitor the functioning of the VIS against objectives relating to output, cost-effectiveness, security and quality of service. Reports shall be submitted every 2 years after the VIS is brought into operation on the technical functioning of the VIS, including the security thereof. 3 years after the VIS is brought into operation and every 4 years thereafter, the Commission shall produce an overall evaluation of the VIS.
ENTRY INTO FORCE: 2 September 2008. The Regulation shall apply from the date determined by the Commission from which the VIS is to start operations.