Processing personal data in Schengen Information System

Personal data – any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing –  any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processing genetic, biometric or health-related data, in order to perform an automated decision-making process or with a view to create profiles is allowed only based on explicit consent of the data subject or if the processing is based on explicit legal provisions, while adequate measures for protecting rights, liberties and legitimate interests of he data subject are established.



Schengen Information System (SIS) is an IT European system for police use protecting your liberty and security. The access to SIS data is limited to national competent authorities and some EU agencies and allows checking alerts with regards to persons or objects.

SIS offers the authorities information about:

  • persons concerned by a return decision;
  • persons not having the right to entry or stay on the territories of the Member States;
  • persons wanted for arrest;
  • missing persons (adults, minors, vulnerable persons);
  • persons concerned by judicial procedures;
  • persons to be subjected to discreet, specific or inquiry checks;
  • persons with misused identity;
  • unknown wanted persons.

SIS contains also data about objects that have been stolen or lost, such as: vehicles, firearms, aircrafts, boats, industrial equipment, identity documents, credit cards, banknotes, non-cash means of payment etc., which might have a connection with persons as well, in their capacity of holders or owners of that object.


SIS supports the activities of:

  • national or border police forces;
  • judicial authorities and of those responsible for prevention, detection, investigation or prosecution of terrorist offences or other serious criminal offences, or the execution of criminal penalties;
  • visa or immigration authorities;
  • customs authorities;
  • authorities responsible for vehicle registration, issuing documents, registration of firearms or other types of objects.


Personal data are processed when a person is checked against SIS. This happens, for example, when you are crossing the external border or when you are stopped by the police for a verification.

The types of data that can be processed in SIS are indicated in EU Regulations no. 2018/1860, 1861 and 1862 on the establishment, operation and use of the Schengen Information System.

Authorities having access to SIS collect data strictly provided for in Regulations (stipulated by article 20 of Regulations no. 2018/1861 and 1862 / article 4 of Regulation no. 2018/1860), including biometric data (photographs, facial images, fingerprints and palm prints and the DNA profile).

Any alert in SIS which includes information on persons shall contain only the following data:

  • surnames;
  • forenames;
  • names at birth;
  • previously used names and aliases;
  • any specific, objective, physical characteristics not subject to change;
  • place of birth;
  • date of birth;
  • gender;
  • any nationalities held;
  • whether the person concerned:
  • is armed;
  • is violent;
  • has absconded or escaped;
  • poses a risk of suicide;
  • poses a threat to public health; or
  • is involved in an activity referred to in Articles 3 to 14 of Directive (EU) 2017/541;
  • the reason for the alert;
  • the authority which created the alert;
  • a reference to the decision giving rise to the alert;
  • the action to be taken in the case of a hit;
  • links to other alerts;
  • the type of offence;
  • the person’s registration number in a national register;
  • a categorisation of the type of case;
  • the category of the person’s identification documents;
  • the country of issue of the person’s identification documents;
  • the number(s) of the person’s identification documents;
  • the date of issue of the person’s identification documents;
  • photographs and facial images;
  • relevant DNA profiles;
  • dactyloscopic data;
  • a copy of the identification documents, in colour wherever possible;
  • whether the return decision is accompanied by an entry ban constituting the basis for an alert for refusal of entry and stay.



Processing data in SIS is done according to European and national data protection rules.

The rights to access, correct and delete personal data during the processing of personal data in SIS are to be exercised according to:

  • Law on the organization and operation of the National Information System on Alerts and for the participation of Romania to the Schengen Information System;
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Law no. 190/2018 on some measures for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), with latest amendments;
  • Law no. 363/2018 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purpose of preventing, detecting, criminal investigation or prosecution or the execution of criminal, educational and safety measures, as well as their free movement, as the case may be.

SIS guarantees your right:

  • to have access to the data concerning you: you may see if your data are registered in SIS or not;
  • to ask for correcting inaccurate data: you may request correcting erroneous data in SIS;
  • to request erasing illegally stored data: you may request deleting data, if this is allowed by law.


The requests for correction and/or erasure must mandatorily contain the personal data the erasure of what is requested to correct and/or erase.

The requests must be drafted, dated and signed by the person whose data have been processed and are to be considered valid only if you prove your identity  (with a copy of an identity document).





The requests for personal data processing in SIS ( ​) may be transmitted to the Data Protection Office within the National Police, the only one entitled to answer to such requests, or to any national authority having access to SIS.


You will receive an answer within 30 or 60* days at most from submitting the request, taking into account the complexity and the number of requests.

* The deadline  is different depending on the legislation applicable to the content of the request, respectively if EU Regulation no. 679/2016 or Law no. 363/2018 is relevant.

Following a request for access, correction or erasure, you will be informed about the measures that have been approved for you to exercise them.

More information about your rights is available at section Public information, subsection Processing of personal data – processing of personal data in SIS and exercising the rights of data subjects (​).


In Romania, the National Data Protection Supervisory Authority ( watches over the way the national law enforcement authorities are processing personal data and ensures, in the same time, that the rights of data subjects are observed.

You have the possibility to file a complaint to the data protection supervisory authority or to address a court of law, according to Law no. 554/2004 on the administrative law, if you are not satisfied with the answer received to your access, correction or erasure request, or for obtaining compensations for an alert concerning you.