Visa Information System (Vis)
(Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)
1.Purpose of data processing
The Visa Information System (VIS), established by Council Decision 2004/512/EC of 8 June 2004, is a system for the exchange of data on visa to enter the Schengen Area between the Member States that are parties to the Schengen Agreement. The establishment of the VIS represents one of the key initiatives in the framework of the EU policies aimed at creating an area of freedom, security and justice without internal borders.
Operation of the VIS is set out in Regulation (EC) 767/2008 of the European Parliament and of the Council of 9 July 2008. The system consists of a central European database connected to the national interfaces of the visa authorities in Schengen States. For the purpose of implementation of the VIS, consular posts at external borders of the Schengen States are also connected to the VIS through their national interfaces.
Moreover, the VIS may be accessed by the duly authorized staff of the State Police and of the other Police Forces, both at external borders and within the Member States’ territory in order to check the identity of a visa holder and/or the authenticity of the visa and to check whether conditions of entry, stay and residence are met. Furthermore, the Border Police can issue visas at the external borders in the cases and under the conditions set out in articles 35 and 36 of Regulation (EC) 810/2009. These procedures aim at strengthening security within the Schengen Area.
Subject to certain conditions, access to the VIS can be requested by the European Police Office (Europol) and by the police authorities for the purpose of prevention, detection and investigation of terrorist offences and other serious criminal offences (see Decision 2008/633/JHA of the Council of 23 June 2008).
The main objectives of the VIS are to facilitate visa application procedures, facilitate checks at the external borders and within the national territories and to strengthen security in EU countries. The VIS also prevents the so-called visa shopping and assists Member States in the fight against fraud.
Pursuant to Art. 4, point 7 of Regulation (EU) 2016/679, the controller is the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Pursuant to Inter-Ministerial Decree No. 4516/495 of 6 October 2011, the Italian controllers for the processing of personal data collected at national level and transmitted to the central VIS database are the following authorities, with regard to the activities falling under their respective scope of competence:
- The Ministry of Foreign Affairs and International Cooperation (Piazzale della Farnesina 1, 00135 Roma, www.esteri.it);
- The Ministry of Interior (Piazza del Viminale, 1, 00184 Roma, www.interno.gov.it/it)
The European Data Protection Supervisor monitors the processing of personal data at European level in the central VIS database (https://europa.eu/european-union/about-eu/institutions-bodies/european-data-protection-supervisor_it)
The supervisory authority competent at national level to monitor the lawfulness of the processing of the personal data recorded in the VIS is, pursuant to Legislative Decree of 30 June 2003 No. 196 and subsequent amendments, the Data Protection Authority (www.garanteprivacy.it).
4. Exercise of the rights of access, correction or deletion of personal data in the VIS
The visa applicant has the right to obtain, in any Member State, the communication of his/her personal data recorded in the VIS and of the Member State that transmitted them. Moreover, the applicant has the right to request that data relating to him/her which are inaccurate be corrected and that data unlawfully recorded be deleted. (art. 38, Regulation (EC) 767/2008).
In Italy, the rights of access, correction or deletion of personal data recorded in the VIS can be exercised by applying directly to:
- With regard to visa applications submitted abroad, the head of the Visa Office that examined the application;
- With regard to visa applications submitted at external borders, the director of the Border Police Office that examined the application.
No particular formalities are required to exercise the above rights (whether by a registered letter, or a fax or an e-mail). However, the copy of an identity document shall be provided or attached if the data subject’s identity cannot be established otherwise.
The access request shall be immediately acknowledged without undue delay and, in any case, within one month from its receipt.
Similarly, in case of a request for correction of inaccurate data or for deletion of data unlawfully recorded in the VIS, said operations shall be conducted within the same time limits. If the data have been entered by another Member State, the Italian authority receiving the request (MAECI, Ministry of Interior) shall, within 14 days, contact the competent Member State that verifies the accuracy of the data and the lawfulness of their processing in the VIS within a period of one month, providing feedback to the data subject (art. 38, Regulation (EC) 767/2008; art. 12 of Regulation (EU) 2016/679).
In case of refusal or failure to provide acknowledgment or, in any case, in case a reply to the exercise of the subject’s rights is deemed to be unsatisfactory, the data subject may take legal action before the ordinary judicial authority (art. 152 of legislative decree No. 196/2003 and subsequent amendments), or, alternatively, lodge a complaint with the Data Protection Authority (art. 77, Regulation (EU) 2016/679).
5. Personal data retention period
The data retention period shall be regulated by art. 23 of Regulation (EC) 767/2008. Each application file shall be stored in the VIS for a maximum of five years, without prejudice to the deletion referred to in Articles 24 and 25 and to the keeping of records referred to in Article 34. That period shall start:
- on the expiry date of the visa, if a visa has been issued;
- on the new expiry date of the visa, if a visa has been extended;
- on the date of the creation of the application file in the VIS, if the application has been withdrawn, closed or discontinued;
- on the date of the decision of the visa authority, if a visa has been refused, annulled, shortened or revoked.
Upon expiry of the period referred to in paragraph 1, the VIS shall automatically delete the application file and the links to this file as referred to in Article 8, paragraphs 3 and 4.
6. Data Protection Officer (DPO)
The Data Protection Officer (art. 37 of Regulation (EU) 2016/679) shall be identified in the Ministry of Interior.
The Data Protection Officer can be contacted at the following addresses:
(modificato il 08/09/2021)