Step five: Departure

This report is available in PDF format here.

Anyone leaving the Schengen area is supposed to be subject to the same checks as upon entry. Visa and travel authorisation holders will, upon their departure, have their personal data whisked through various national, EU and international databases and information systems in order to ensure that they or their travel document have not become subject to a law enforcement alert during their stay.

Data on all visa and travel authorisation holders is stored for quite some time. In the case of visas, from the moment a file is created in the VIS, it will be held for five years. In the case of travel authorisations, once granted they will be valid for three years (unless the travel document they are attached to expires before that point) and the holder can give their consent to its storage for a further three years, to make repeat applications more straightforward. If an authorisation is refused, annulled, or revoked, it will be stored in the central ETIAS database for five years. Both visa and travel authorisation holders will also have files on them stored in the Entry/Exit System. These will be stored for three years (including on individuals refused entry), unless there is no record of exit, in which case the data will be held for five years while the authorities attempt to track down the ‘overstayer’.

These retention periods are likely to be particularly useful for the new profiling tools being introduced into the visa and travel authorisation systems, by ensuring an extensive set of data is held at any given moment. The profiling tools will be based in large part on the automated data-mining of statistics and information on visas, travel authorisations, entry/exit records and other EU and national sources. One critical assessment of the ETIAS argued that a profiling system was being introduced not because of any clear need for it, but “simply because the volume of data ETIAS will hold happens to allow such profiling.”[1] The longer the retention period, the greater the volume of data. Data held in the VIS, ETIAS and EES will also be accessible to Frontex, so that agency can conduct “risk analysis” and “vulnerability assessments”.

Data held in the VIS, ETIAS and EES will be accessible to law enforcement authorities conducting criminal investigations, under certain conditions, and lengthy retention periods are certainly useful for that purpose. Criminal investigators can access the VIS if it is necessary in a specific case and there are reasonable grounds to believe that access will “substantially contribute to the prevention, detection or investigation of any of the criminal offences in question.”[2] The most recent data available shows that law enforcement usage of the VIS increased by some 500% between 2013 and 2017, from 500 to over 2,500 searches annually.

Although the possibility of law enforcement agencies accessing the non-policing data held in the EU’s migration and asylum databases has become a standard feature of those systems, it has proven controversial in the past. The rules on access to the VIS were passed in 2008 by EU governments alone, as the European Parliament had no say on policing matters until the entry into force of the Lisbon Treaty in 2009.

When in May 2012 a proposal came before the Parliament to allow law enforcement access to the Eurodac database of asylum-seekers’ fingerprints, it provoked uproar amongst MEPs, refugee rights campaigners and data protection specialists. They argued that the proposals were neither necessary nor proportionate and that they “may result in the stigmatisation of asylum-seekers as a group by associating them with criminal activity.”[3]

Nevertheless, the measures were approved and law enforcement searches became possible as of July 2015. Since then, usage has increased somewhat, but the number of searches – 449 in 2019 – does little to support the claim made by proponents of the changes that there was an urgent need to give police access to the Eurodac database. Neither is there any way to know if access to this data is actually useful for policing purposes, due to a lack of data collection and empirical analysis.

Granting law enforcement agencies the possibility to access EU databases on non-EU citizens has thus become standard practice. The European Commission initially argued that there was no evidence to support the need for such access to the EES,[4] but it was overruled by the member states.[5] By the time the ETIAS legislation was proposed, it appeared that the European Commission had got the message, and the possibility of law enforcement access was included from the start.[6]

Previous section: Step four: In the Schengen area | Next section: Conclusions: Your personal data is going on a journey


[1] ‘European Travel Information and Authorisation System (ETIAS): Border management, fundamental rights and data protection’

[2] Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences,

[3] ‘European Parliament's Civil Liberties Committee adopts proposal giving law enforcement authorities and Europol access to Eurodac’, Statewatch News, 19 November 2012,

[4] ‘Smart borders: "no sufficient evidence" to justify law enforcement access to proposed Entry/Exit System travel database’, Statewatch News, September 2014,

[5] ‘Council of the European Union: Access for law enforcement purposes to the EES’, Statewatch News, October 2015,

[6] European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation System (ETIAS)’, 16 November 2016,


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error