3. Frontex and interoperable databases

Increasing efforts to digitise the EU’s borders have come at the same time as Frontex has been granted extended powers and tasks, including through access to databases. This access comes in two forms: operational and statistical.

Its operational access to data concerns the access needed by the agency to carry out operational tasks. Access to large-scale EU databases makes it possible for members of Frontex “teams” (see further below) to carry out border control or deportation tasks: for example, checking the validity of a person’s visa at a border crossing (the Visa Information System), or establishing whether a removal notice has been handed down against an individual by national authorities (the Schengen Information System).

The law governing the agency has long included general provisions that require member states hosting operations to ensure Frontex team members have access to EU and national databases. In recent years, with the adoption of a swathe of new laws to create and upgrade EU policing and immigration systems, some specific legal provisions have been introduced governing Frontex’s operational access to data. The agency is also responsible for operating the Central Unit of the European Travel Information and Authorisation System (ETIAS), giving it a key role in the EU’s emerging “travel intelligence” architecture. 

While the potential effects of the agency’s operational use of data are fairly obvious (approval or denial of entry, enactment of deportation, and so on), the effects of the use of statistical data are more obscured, yet at the same time potentially further-reaching. Since its very inception, one of Frontex’s key tasks has been “risk analysis”.[1] In the words of the agency itself:

“Risk analysis is the starting point for all Frontex activities, from high level strategic decision-making to planning and implementation of operational activities… The agency’s risk analysis is used to advise high level decision-making as well for daily coordination of joint operations.”[2]

This is presented as a relatively scientific, neutral activity. A “wide range of data” is collected to help identify “risks” to EU border security,[3] including on border crossings, visa applications, asylum proceedings and so on. This data is subsequently analysed in order to decide upon an appropriate response to different migratory dynamics. This response may come from Frontex itself, or the agency may make recommendations to national or EU policy-makers and officials. It is therefore important to understand what is considered a risk (and what is not), and the ways those risks are then analysed and understood. In recent years, a growing critical academic literature has pointed to the gendered, racialized and militarised underpinnings of Frontex’s risk analysis process.[4] Through access to statistical data from large-scale EU databases, the agency will have access to vast new pools of information to be used in this process.

It should be noted that EU rules on data protection apply to Frontex,[5] and the law governing the agency includes a number of more specific measures.[6] Evidently, Frontex’s desire to be seen as a crime-fighting agency has led it to try to circumvent those rules, making clear the need for stringent internal and external supervision of the agency’s personal data processing.[7] The increasingly extensive use of data handed over by travellers, and received from national authorities, Europol and potentially non-EU states raises serious issues in relation to privacy, data protection, the right to claim asylum and a host other rights, in particular in light of the declared aim to deploy AI ‘solutions’ at the EU’s borders. At the same time, many of the data processing powers granted to the agency in recent years clearly fit squarely within the law. The issue in that case, then, is not what the law forbids, but what it permits.

3.1. Operational data

Frontex is able to deploy three types of “team” that have access, through various means, to information held in the EU’s large-scale policing and immigration databases. These are made up of staff that are part of its “standing corps” of border guards:

  • Border management teams are “deployed during joint operations at the external borders and rapid border interventions in Member States and third countries”;[8]
  • Migration management support teams are “teams of experts which provide technical and operational reinforcement to Member States, including at hotspot areas, composed of operational staff, experts from the European Asylum Support Office (EASO) [now the EU Agency for Asylum, EUAA] and Europol and, where relevant, experts from the European Union Agency for Fundamental Rights (FRA), other Union bodies, offices and agencies and Member States”;[9]
  • Return teams are “deployed during return operations, return interventions in Member States or other operational activities linked to the implementation of return-related tasks”.[10]

As well as the activities specified in the legislation (such as “return interventions”), teams can also be deployed in “any other relevant operational activities in the Member States or in third countries.”[11] Wherever and however they are deployed, they may be given access to EU and national databases.

3.1.1. Entry/Exit System

The Entry/Exit System (EES) will be used to monitor the dates, places and times at which temporary visitors (e.g. tourists or businesspeople) enter and exit the Schengen area. The system will automatically calculate the amount of time an individual is allowed to stay in the Schengen area and issue automatic alerts to national authorities on individuals who stay longer than permitted, with the aim of having them removed from the Schengen area (whether via deportation or “voluntary return”).

The EES legislation does not specifically regulate operational access to data by Frontex teams. However, the Frontex Regulation stipulates that those teams may be granted access to national and EU databases as deemed necessary:

"...the host Member State shall authorise members of the teams to consult Union databases, the consultation of which is necessary for fulfilling operational aims specified in the operational plan on border checks, border surveillance and return, through their national interfaces or another form of access provided in the Union legal acts establishing such databases, as applicable. The host Member State may also authorise members of the teams to consult its national databases where necessary for the same purpose."[12]

3.1.2. Eurodac

Eurodac was established as a database of asylum-seekers’ fingerprints, used for determining the state responsible for an asylum application. For example, if an individual had their fingerprints taken in Italy, but then left the country and was later apprehended by the French authorities, they could face removal to Italy to have their asylum application processed.

A proposal currently under negotiation will expand the system's purpose and thus the number of individuals whose data is stored, turning Eurodac into “a common European database to support EU policies on asylum, resettlement and irregular migration.”[13] More specifically, the revamped Eurodac will be used to store data on undocumented individuals apprehended by the authorities, with the aim of facilitating their deportation. The age limit for data storage will also be lowered (from 14 to six) and the amount of data to be stored will be increased massively: whereas at the moment the system only holds an individual’s fingerprints, in the future it will also be used to store facial images, names, nationality, travel document information (where available) and more.

Eurodac is used to process data on the following groups:

  • individuals who have lodged an application for international protection in the member states (data is stored in the database);
  • individuals apprehended in connection with irregular border-crossings (data is stored in the database);
  • third-country nationals or stateless persons found irregularly staying in a Member State (currently, data is compared against the database, but not stored – under the new proposal, this data will be stored); and
  • individuals disembarked following a search and rescue operation (a new category introduced by the 2020 proposal).

Currently, the legislation governing Eurodac does not specifically mention access by Frontex or members of its teams, although they may be granted access via a host member state in accordance with the Frontex Regulation. The 2020 Eurodac proposal, which is still under negotiation, contains specific provisions allowing members of Frontex teams to take biometric data from applicants for international protection[14] and “individuals apprehended in connection with the irregular crossing of an external border,”[15] and to transmit that data to the Eurodac Central System.

3.1.3. European Travel Information and Authorisation System (ETIAS)

Once the ETIAS enters into operation, citizens of countries who do not currently require a visa to enter the Schengen area - for example the UK, USA, Canada, Japan, multiple Latin American states, Ukraine and others - will have to pay a fee and file a digital "travel authorisation" application to do so. That application will be stored at the ETIAS Central Unit, operated by Frontex, and may also be viewed by officials in one of the member states, each of which will operate an ETIAS National Unit.

Frontex has a key role in the functioning of ETIAS, through responsibility for the Central Unit (see section 4), but the legislation does not specifically govern access by the agency for use in border checks or other tasks carried out by Frontex teams. However, as with Eurodac, access may be granted by a host member state in accordance with a given operational plan.

3.1.4. Schengen Information System

The SIS contains millions of alerts on missing and stolen objects, wanted persons, individuals subject to discreet surveillance and checks, and individuals barred from entering the Schengen area.[16] It is the world’s largest law enforcement database and under legislation agreed in 2018 it is set to get even larger.

The 2018 rules expand the types of information that will be held in the system (to include all deportation decisions issued by national authorities), the types of check that can be carried out by officials (new “inquiry checks” provide a basis for the questioning of individuals) as well as the types of data to be held in the system (for example, DNA profiles on “missing persons who need to be placed under protection” can now be stored[17]). Europol also now has the power to propose that member states add “information alerts” to the system, based on data received from non-EU states’ police or intelligence agencies.[18]

Data stored in the SIS can be accessed by Frontex teams “insofar it is necessary for the performance of their task and as required by the operational plan for a specific operation. Access to data in SIS shall not be extended to any other team members.”[19] Due to the EU’s convoluted legal architecture, the legislation on the database is governed by three separate sets of rules, covering border checks, return, and police and judicial cooperation. Access by Frontex teams is regulated by provisions in each of the three regulations. Alerts for police and judicial cooperation purposes are checked at the EU’s borders along with those on refusal of entry and stay (covered by the border checks rules) and deportation (return).

To access the SIS, Frontex is obliged to establish a “technical interface” that “shall allow direct connection to Central SIS.” In April 2021, the agency awarded a €5 million contract to establish the interface, known as ‘A2SISII’, to two companies that have had extensive dealings with the EU’s digital infrastructure for policing and immigration: Sopra Steria and Idemia Identity and Security.[20] The contract award notice foresees access to the SIS for Frontex team members via a web or mobile application, and notes that the contractors should “provide changes to its [A2SISII’s] functionalities and to the underlying technical infrastructure in response to changing legal, political, organizational or technical environments.”[21]

Any search in the SIS by a member of a team that “reveals the existence of an alert” should be notified to the member state that issued the alert, and team members “shall only act in response to an alert in SIS under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks of the host Member State in which they are operating.” However, team members can be authorised to act on behalf of the host member state.

The legislation also includes specific data protection and security provisions that apply to Frontex. The agency is obliged to ensure logging of every access to and search of the SIS by team members, has to apply measures for data security, confidentiality and self-monitoring, and its use of the SIS should be monitored by the European Data Protection Supervisor. The Frontex Regulation also includes an explicit provision prohibiting the connection of any part of SIS:

“…to any system for data collection and processing operated by the teams referred to in paragraph 1 or by the European Border and Coast Guard Agency, nor shall the data in SIS to which those teams have access be transferred to such a system. No part of SIS shall be downloaded or copied.”[22]

3.1.5. Visa Information System

The Visa Information System (VIS) allows the storage and exchange of visa data between EU and Schengen member states. It holds data and decisions relating to applications for visas (short-stay and long-term) and residence permits for the Schengen Area. The system can perform biometric matching, (currently only of fingerprints) for identification and verification purposes.

Long-stay visas and residence permits were added to the system by amendments agreed in July 2021, which also introduced various other changes:

  • the age limits for collecting biometric data from children have been lowered from 12 to six years of age;
  • Visa applications will be automatically cross-checked against all other EU information systems, Europol data and Interpol data;
  • an automated profiling system will be used for “screening” visa applicants to determine if they may pose a security, health or irregular immigration risk;
  • visa applicants will be checked against the “watchlist” established via the ETIAS legislation;
  • copies of the photo page of travel documents will be stored in the system; and
  • law enforcement authorities will have more “structured” access to the VIS.

VIS is used to process data on the follow groups of people:

  • individuals who have lodged an application for a short term visa;
  • individuals who have lodged an application for a long-stay visa; and
  • individuals who have lodged an application for a residence permit.

Applications may also hold data on individuals related to the applicant (either by family, business or other ties) whose names are mentioned in the application form.

The most recent amendments to the VIS Regulation, approved in July 2021, add specific powers for members of Frontex teams to make use of the VIS for the purposes of:

  • border checks, for the purposes of “verification at the external border crossing points”;
  • “verifying whether the conditions for entry to, stay or residence on the territory of the Member States are fulfilled”; and
  • return, for “identifying any person that does not or no longer fulfils the conditions for the entry to, stay or residence on the territory of the Member States”.[23]

The agency is required to “designate a specialised unit with duly empowered European Border and Coast Guard officials as the central access point” through which members of the teams can access VIS data. The central access point is responsible for ensuring that the conditions for access are fulfilled. Unlike with the SIS, it does not appear that any contractors have been brought in to establish a technical interface between Frontex and the VIS, although it may simply be that this process has not yet begun.

To access VIS data, members of the teams must submit a request to the central access point and cite the relevant operational plan. The member state hosting the team in question must have authorised members to consult the VIS “in order to fulfil the operational aims specified in the operational plan,” and consultation of the VIS must be “necessary for performing the specific tasks entrusted to the team by the host Member State.” As with other large-scale EU databases, members of the teams must only “act in response to information obtained from the VIS… under instructions from and, as a general rule, in the presence of border guards or staff involved in return-related tasks” of the host member state. However, team members can be authorised to act on behalf of the host member state.[24]

There is one particular type of data in the VIS that Frontex teams are prohibited from accessing: that concerning “persons who have held valid residence permits recorded in the VIS… for a period of 10 years or more without interruption.”[25]

Provisions equivalent to those concerning the SIS are included with regard to informing the host member state when searches “reveal the existence of data recorded in the VIS”; the logging of data processing operations, access and searches; data security; and the requirement for Frontex not to connect the VIS to any other system that it operates, or to download data.[26] The European Data Protection Supervisor is responsible for external supervision of Frontex’s use of the VIS.[27]

3.2. Statistical data

Statistics is the fundamental science of the state: the word ‘statistics’ comes from the word ‘state’, and was brought into popular usage in the mid-1700s by German political scientist Gottfried Aschenwall. By the 1770s it was considered to mean “science dealing with data about the condition of a state or community,” before today’s more general interpretation became popularised in the 1820s.[28]

At root, then, statistics is about the collection of data by public authorities in order to better understand a given situation and, in response, to formulate or influence policies to better exercise control. The nature of statistical work also relies on the continuous production of categories and constituencies of people who are often hierarchically ordered, giving rise to the possibility of various discriminatory practices and effects. Alongside the operational data that is to be made available through the EU’s interoperable databases, there will also be a vast increase in the amount of statistics that are generated.

In its proposal to expand the Eurodac database, the European Commission gave an explicit example of what new statistical powers could be used for. Knowing how many people holding a short-stay Schengen visa “proceeded to enter legally (and where) and then proceeded to apply for international protection (and where)” would make it possible to assess “the appropriate policy response.”[29] It would not be unreasonable to assume that the “appropriate” response here would be restrictions on the issuance of visas to citizens of the country in question.

As for Frontex, its risk analysis work (like that of other EU agencies[30]) relies heavily upon the statistics and data. As noted above, the border agency describes risk analysis as “the starting point for all Frontex activities, from high level strategic decision-making to planning and implementation of operational activities.”[31] One critical analysis of the process argues that it casts migrants as both “a security risk” seeking to exploit European welfare systems, at the same time as being in need of humanitarian assistance. However, this latter framing allows “Western authorities to present themselves as saviors [sic] of racialized women and children.”[32] It may also be observed that its analyses serve to promote increases in the agency’s own influence, resources, structures, competences and powers. Access to these vast troves of new statistical data is intended to reinforce the reach and influence of Frontex’s risk analyses.  There are, however, no plans in place to alter the biases underlying that work.

Statistical data is also used to inform the “vulnerability assessments” that Frontex is obliged to carry out. These are used “to assess the capacity and readiness of the Member States to face challenges at their external borders and to contribute to the [Frontex] standing corps and technical equipment pool.” Where a member state does not meet recommendations made in a vulnerability assessment, they face the prospect of a disciplinary process launched by the Frontex executive director and potentially involving the Council of the EU and the European Commission.[33]

3.2.1. From data warehouse to central repository

One less-discussed aspect of the interoperability proposals is the establishment of a new Central Repository for Reporting and Statistics (CRRS). This was originally proposed as a “data warehouse” by the High-level expert group on information systems and interoperability, which said it would:

“…help Member States to make better use of the systems, including by taking informed decisions on EU policies in the area of migration and security. It would also provide valuable statistics for relevant agencies in these areas, to perform analytical reviews.”[34]

The High-Level Group provided examples of the kind of information that might be generated: the ability to profile Schengen visa “overstayers” by nationality and the EU state they first entered; the ability to work out “nationalities that enter in a different Member State than the one indicated in the visa application”; and “the distribution of fingerprint quality by Member State, authority and parent system.”[35]

The EU’s agency for large-scale justice and home affairs IT systems, eu-Lisa, had in fact already been working to develop a data warehouse. In April 2016, it published a call for contractors to develop a new “Common Shared Infrastructure” that would include a data warehouse to “centralize all data from the different Core Business Systems”[36] (at that time, Eurodac, the SIS and the VIS). The aim was to implement the system from 2017 onwards.[37] A “Central Repository for Reporting and Statistics focus group,” hosted by eu-Lisa, started meeting in April 2018 after “the JHA Agencies group on Interoperability expressed particular interest in the future possibilities for improved statistical analysis that could be offered through interoperability.”[38]

The Commission’s initial interoperability proposals were published in December 2017. These called for “the establishment of a data warehouse (here presented as the central repository for reporting and statistics (CRRS)).” It was described as:

“…necessary to enable the creation and sharing of reports with (anonymous) statistical data for policy, operational and data quality purposes. The current practice of gathering statistical data only on the individual information systems is detrimental to data security and performance and it does not enable the correlating of data across systems.”[39]

The plan duly made it into the final legislation, which was approved in May 2019.[40]

EU agencies are clearly excited about the opportunities that will be provided by the CRRS. The final report of the Europol-Frontex Future Group on travel intelligence[41] noted that Europol, Frontex and what is now the EU Asylum Agency[42] had “stressed repeatedly the importance of the future CRRS as a critical source of high-quality data for risk management.”[43] Looking ahead, the report proposed the possibility of a “joint analysis capability” that:

“…could leverage the full potential of the CRRS as a data source for analytical purposes and develop appropriate analytical tools for risk assessment with the support of AI. The perspectives and information from other authorities such as customs, as well as public health authorities… could be taken into account and cooperation with analytical teams in Third Countries’ National Targeting Centres would also be facilitated.”[44]

Furthermore, the report noted, the future collection of Passenger Name Record (PNR) and Advance Passenger Information (API) data through a single “EU Gateway” would generate further statistics “on travel to or from the Schengen area or the EU, which has an invaluable analytical potential.”[45] Under current plans to expand the Prüm system[46] and the collection of API data,[47] eu-LISA will establish a “router” to serve as a one-stop interface for the collection and exchange of data, facilitating the future integration of other forms of data into the interoperability architecture and, thus, into the CRRS. 

3.2.2. Content of and access to the CRRS

Implementing decisions approved in 2021 state that the data stored in the CRRS shall be “extracted from the underlying EU information systems and interoperability components” using a bespoke “technical solution”.[48] Extraction will take place at least once a day and certain data items[49] must be automatically, irreversibly anonymised prior to storage in the CRRS.[50]

Alongside general reports on system availability, incidents, performance, biometric accuracy and data quality, a substantial set of more specific statistics and reports are to be produced using the CRRS with the aim of increasing the EU and member state authorities’ ability to govern and control the Schengen area. While the lists detailing those statistics and reports are lengthy, they are included here to demonstrate the fine-tuned information that officials in the European Commission, EU agencies and national authorities are seeking.

The legislation also gives EU agencies and national authorities the power to generate or request specific reports tailored to their own requirements. For example, Frontex will have direct access to data held in the CRRS that has been extracted from the SIS,[51] the EES[52] and the VIS.[53] The ETIAS Central Unit, which is operated by Frontex, will have access to data drawn from across the different databases, “to improve the assessment of the security, illegal immigration and high epidemic risks,” enhance border checks and inform the processing of travel authorisation applications.[54] Frontex will also have access to data on the use of the European Search Portal, Common Identity Repository, and Multiple Identity Detector, “for the purpose of carrying out risk analyses and vulnerability assessments”.[55] Thus, the statistics and reports listed below are far from exhaustive.

Entry/Exit System

Statistics and reports on the EES will include:

  • customisable reports and statistics on entries and exits, refusals of entry and overstays of third-country nationals;
  • daily statistics on overstayers, third-country nationals who were refused entry, third-country nationals whose authorisation for stay was revoked or extended and third country nationals exempt from the requirement to give fingerprints;
  • reports indicating abnormal rates of overstaying and refusals of entry for a specific group of travellers; and
  • customisable reports and statistics on data quality and regular statistics to ensure monitoring by eu-LISA.


In keeping with the plan to repurpose Eurodac as a broader, more general “migration management” database, the 2020 proposal[56] sets out a vast set of statistics and reports to be drawn from Eurodac, covering:

  • the number of applicants and the number of first-time applicants whose data is stored in linked datasets (datasets are to be “linked in a sequence” when a search with fingerprints leads to a ‘hit’ against another dataset(s), enabling the creation of timelines of individuals’ movements and thus providing investigative capabilities);
  • the number of applicants rejected due to the linking process;
  • the number of data sets transmitted on applicants for international protection, third-country nationals or stateless persons apprehended in connection with irregular border crossing, “illegally” staying third-country nationals or stateless persons, and third-country nationals or stateless people disembarked following search and rescue operations;
  • in relation to each of those groups, the number of hits related to persons:
    • for whom an application for international protection was registered who have subsequently lodged an application for international protection in the same or another member state;
    • who were apprehended in connection with the irregular crossing of an external border;
    • who were found illegally staying in a member state; and
    • who were disembarked following a search and rescue operation;
  • the number of fingerprint datasets that did not meet quality requirements and so had to be submitted to the Central System more than once;
  • the number of data sets marked, unmarked, blocked and unblocked (e.g. when an individual has been granted international protection);
  • the number of hits for persons granted international protection or who were “illegally” staying but subsequently granted a residence permit for whom hits have been recorded regarding:
    • rejection on the basis of linked datasets;
    • who lodged an application for international protection after being apprehended in connection with an irregular border crossing;
    • who were apprehended in connection with an irregular border crossing and had previously lodged an application for international protection;
  • the number of national law enforcement agency access requests and hits;
  • the number of Europol access requests and hits;
  • the number of requests made for access to, rectification and erasure of personal data; and
  • the number of false fingerprint matches generated by the Central System.

European Travel Information and Authorisation System

The CRRS will produce statistics and reports on:

  • daily statistics on the number and nationality of applicants whose travel authorisation was issued or refused, including the grounds for refusal, and of third-country nationals whose travel authorisation was annulled or revoked;
  • customisable reports and statistics to improve the assessment of security, illegal immigration and high epidemic risks, to enhance the efficiency of border checks, to help the ETIAS Central Unit and the ETIAS National Units process travel authorisation applications and to support evidence-based Union migration policy-making;
  • statistical data concerning the ETIAS watchlist;
  • abnormal rates of refusal of travel authorisations due to a security, illegal immigration, or high epidemic risk associated with a specific group of travellers;
  • reports indicating correlations between information collected through the ETIAS application form and overstaying by travellers or refusals of entry; and
  • regular statistics to ensure monitoring by eu-LISA.

European Criminal Records Information System for Third Country-Nationals

Frontex currently has no access to the ECRIS-TCN, but its officers would do so were they tasked with carrying out security checks under the forthcoming Screening Regulation.[57] The CRRS will produce statistics and reports on:

  • the recording, storage and exchange of information extracted from criminal records; and
  • reports and statistics for the purposes of technical maintenance, data quality reporting and statistics.

Schengen Information System

Deportations (“returns”), border checks and police and judicial cooperation:

  • daily, monthly and annual statistics showing the number of records per category of alerts, both for each Member State and in aggregate.

Border checks and police and judicial cooperation:

  • annual reports on the number of hits per category of alert, how many times the Schengen Information System was searched and how many times it was accessed for the purpose of entering, updating or deleting an alert, both for each member state and in aggregate;
  • at the request of the Commission, additional specific statistical reports, either on a regular or ad hoc basis, on the performance and the use of the Schengen Information System and on the exchange of supplementary information;
  • at the request of the European Border and Coast Guard Agency, additional specific statistical reports, either on a regular or ad hoc basis, for the purpose of carrying out risk analyses and vulnerability assessments;
  • reports and statistics for the purposes of technical maintenance, reporting, data quality reporting and statistics; and
  • data quality reports.

Visa Information System

The CRRS is to store data extracted from the VIS on the following:

  • status information;
  • the authority with which the application has been lodged, including its location;
  • sex, age and nationality or nationalities of the applicant;
  • applicant country and city of residence (visas only);
  • applicant occupation (visas only);
  • member state of first entry and destination (visas only);
  • date and place of the application and the decision concerning the application (issued, withdrawn, refused, annulled, revoked, renewed or extended);
  • type of visa or residence permit applied for or issued;
  • type of the travel document and the country of issue (visas only);
  • decision on application and for the decision in case of refusal, withdrawal, annulment or revocation;
  • hits resulting from queries of EU information systems, Europol data, Interpol databases, or the specific risk indicators and refusal decisions based on those hits;
  • the competent authority that decided on the application and the date of the decision (visas only);
  • the cases in which the same applicant applied for a visa from more than one visa authority;
  • main purposes of the journey (visas only);
  • visa applications processed in representation;
  • the data entered in respect of any document withdrawn, annulled, revoked, renewed or extended;
  • expiry date of the long-stay visa or residence permit;
  • the number of persons exempt from the requirement to give fingerprints;
  • the cases in which fingerprints could not be provided for legal or factual reasons, and the number of cases in which a person who could not provide fingerprints was refused a visa; and
  • links to the previous application file on that applicant as well as links of the application files of the persons travelling together, only as regards visas.

There is also an obligation for eu-LISA to produce quarterly and annual reports on visas and residence permits applied for and the decisions on those applications.[58]


[1] Article 2(1)(c), Regulation 2007/2004, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32004R2007

[2] ‘Situational awareness and monitoring’, Frontex, undated, https://frontex.europa.eu/we-know/situational-awareness-and-monitoring/monitoring-risk-analysis/

[3] Ibid.

[4] Saskia Stachowitsch and Julia Sachseder, 'The gendered and racialized politics of risk analysis. The case of Frontex', Critical Studies on Security, 7(2), 31 July 2019, https://www.tandfonline.com/doi/full/10.1080/21624887.2019.1644050

[5] Regulation (EU) 2018/1725, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32018R1725

[6] ‘SECTION 2 – Processing of personal data by the European Border and Coast Guard’, Regulation (EU) 2019/1896, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32019R1896#d1e6181-1-1

[7] ‘Document collection: Frontex and "operational personal data"’, Statewatch, https://www.statewatch.org/observatories/frontex/document-collection-frontex-and-operational-personal-data/

[8] Article 2(18), Regulation 2019/1986

[9] Article 2(19), Regulation 2019/1896

[10] Article 2(29), Regulation 2019/1896

[11] Article 54(2), Regulation 2019/1896

[12] Article 82, Regulation 2019/1896

[13] ‘Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of 'Eurodac' for the comparison of biometric data’, COM(2020) 614 final, 23 September 2020, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0614

[14] COM(2020) 614 final, Article 10

[15] COM(2020) 614 final, Article 13

[16] eu-LISA, ‘SIS II 2021 annual statistics’, March 2022, https://www.eulisa.europa.eu/Publications/Reports/SIS%20II%20-%202021%20Statistics.pdf

[17] Article 32(1)(a), Regulation (EU) 2018/1862, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1862

[18] ‘New Europol rules massively expand police powers and reduce rights protections’, Statewatch, 10 November 2022, https://www.statewatch.org/news/2022/november/new-europol-rules-massively-expand-police-powers-and-reduce-rights-protections/

[19] Article 50(1), Regulation (EU) 2018/1862, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1862

[20] ‘Funds for Fortress Europe: spending by Frontex and eu-Lisa’, Statewatch, 28 January 2022, https://www.statewatch.org/analyses/2022/funds-for-fortress-europe-spending-by-frontex-and-eu-lisa/

[21] ‘Poland-Warsaw: Framework Contract for the Development of ICT Software Solution for EBCG Team Members Access to Schengen Information System (A2SISII)’, TED, 14 June 2021, https://ted.europa.eu/udl?uri=TED:NOTICE:295695-2021:TEXT:EN:HTML&src=0

[22] Article 40(7), Regulation 2019/1896

[23] Article 45f(5), Regulation 2021/1152

[24] Article 45f, Regulation 2021/1152

[25] Article 6(2f), Regulation 2021/1152

[26] Article 45f(6)-(10), Regulation 2021/1152, on logs see also Article 34.

[27] Article 42, Regulation 2021/1152

[28] ‘Statistics’, Online Etymology Dictionary, https://www.etymonline.com/word/statistics#etymonline_v_22020

[29] COM(2020) 614 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0614

[30] Joanna Parkin, ‘EU Home Affairs Agencies and the Construction of EU Internal Security’, CEPS, 21 December 2012, https://www.ceps.eu/ceps-publications/eu-home-affairs-agencies-and-construction-eu-internal-security/

[31] Frontex, ‘Situational awareness and monitoring’, undated, https://frontex.europa.eu/we-know/situational-awareness-and-monitoring/monitoring-risk-analysis/

[32] Saskia Stachowitsch and Julia Sachseder, ‘The gendered and racialized politics of risk analysis. The case of Frontex’, Critical Studies on Security, 7(2), 31 July 2019, https://www.tandfonline.com/doi/full/10.1080/21624887.2019.1644050

[33] Article 32, Regulation (EU) 2019/1896, https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32019R1896

[34] High-level expert group on information systems and interoperability, ‘Final report’, May 2017, p.12, https://www.statewatch.org/media/documents/news/2017/may/eu-com-hleg-info-systems-interoperability-final-report-5-17.pdf

[35] Ibid.

[36] eu-LISA, ‘Common Shared Infrastructure – CSI (Restricted Call for tender No. LISA/2016/RP/01)’, 6 April 2016, https://www.eulisa.europa.eu/Procurement/Tenders/LISA%202016%20RP%2001%20CSI/Invitation%20to%20submit%20candidatures%20LISA-2016-RP-01.pdf

[37] ‘eu-LISA, ‘Single Programming Document 2017-2019’, undated, 2016-110 REV 2, p.103, https://www.statewatch.org/media/documents/news/2017/mar/eu-lisa-single-programming-document-2017-2019.pdf

[38] eu-Lisa, ‘First meeting of the Central Repository for Reporting and Statistics focus group’, 24 April 2018, https://www.eulisa.europa.eu/Newsroom/News/Pages/Central-Repository-for-Reporting-and-Statistics.aspx

[39] European Commission, ‘Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on establishing a framework for interoperability between EU information systems (police and judicial cooperation, asylum and migration)’, COM(2017) 794 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52017PC0794

[40] Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32019R0817;  Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32019R0818

[41] ‘Final Report Future Group on Travel Intelligence and Border Management’, 3 March 2022, https://www.statewatch.org/news/2022/august/eu-police-plans-for-the-future-of-travel-are-for-a-future-with-even-more-surveillance/

[42] At the time, it was the European Asylum Support Office.

[43] ‘Final Report Future Group on Travel Intelligence and Border Management’, Council document 6767/22, 3 March 2022, p.59, https://www.statewatch.org/news/2022/may/eu-agencies-propose-a-european-system-for-traveller-screening-that-could-include-ai-technology/

[44] Ibid., p.65

[45] Ibid., p.69

[46] ‘European police facial recognition system must be halted, warns new paper’, Statewatch, 7 September 2022, https://www.statewatch.org/news/2022/september/european-police-facial-recognition-system-must-be-halted-warns-new-paper/

[47] COM(2022) 719 final, 13 December 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0729; COM(2022) 731 final, 13 December 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0731

[48] Article 5, Commission Delegated Regulation (EU) 2021/2223 of 30 September 2021 supplementing Regulation (EU) 2019/817 of the European Parliament and of the Council with detailed rules on the operation of the central repository for reporting and statistics, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021R2223

[49] Those items are referred to as being “critical identity data”, which “means any of the following data or a combination thereof, from which individuals can be identified: (a) name, first name, surname, family name, given names, alias of any person whose data may be stored in any EU information system; (b) number of travel document; (c) address (street name, house number); (d) telephone, IP address; (e) email addresses; (f) biometric data.”

[50] Article 5, Commission Delegated Regulation (EU) 2021/2223

[51] Article 16 of Regulation (EU) 2018/1860 (deportations); Article 60, Regulation (EU) 2018/1861 (border checks); and Article 74 of Regulation (EU) 2018/1862 (police and judicial cooperation).

[52] Article 63, Regulation (EU) 2017/2226, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32017R2226

[53] Article 45a, Regulation (EU) 2021/1134, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021R1134

[54] Article 84, Regulation (EU) 2018/1240, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32018R1240

[55] Article 62, Regulation (EU) 2019/818, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32019R0818

[56] Due to ongoing negotiations on the Eurodac Regulation at the time the interoperability rules were under negotiation, the interoperability rules do not yet cover the Eurodac database. The Eurodac proposal: Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of 'Eurodac', https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0614

[57] ‘EU: Tracking the Pact: Access to criminal records for “screening” of migrants’, Statewatch, 26 July 2022, https://www.statewatch.org/news/2022/july/eu-tracking-the-pact-access-to-criminal-records-for-screening-of-migrants/

[58] Article 45a(4) and (5), Regulation (EU) 2021/1134, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R1134


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error