EU: Visa Information System: private companies gathering data, insufficient funding for data protection

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

The first data protection report on the EU's Visa Information System, which holds the personal information (including biometrics) of all EU visa applicants and holders, was adopted last month by the system's 'Supervision Coordination Group', made up of national data protection authorities and coordinated by the European Data Protection Supervisor's office. Issues noted in the report, which covers the period from 2012 to 2014, include the use of private contractors to process personal information collected for visa applications, a lack of financial resources for data protection authorities, and various infringements of data protection law and principles by the authorities.

The report: Visa Information System Coordinated Supervision Group, Activity Report 2012-2014 (pdf)

The Visa Information System

The VIS is an extensive system, and will further increase its reach in coming years:

"The VIS first became operational in October 2011. The system was rolled out on a regional basis and is to date implemented in and stores the data of 16 out of the 23 world regions set out in three Commission decisions4, which represents around 30% of the visa applications worldwide. Further roll outs are ongoing and foreseen in the remaining regions.

"The VIS is currently used by 30 countries, i.e. all Schengen States, all four European Free Trade Association ('EFTA') member states - Iceland, Liechtenstein, Norway, and Switzerland - and Bulgaria, Croatia, Cyprus and Romania that are not yet part of the Schengen Area but nonetheless have a visa policy based on the Schengen acquis. Ireland and the United Kingdom do not take part in the VIS (recitals 28-29)."

As the report notes:

"One of the main risks of the VIS from a data protection perspective is that it is a much bigger database than Eurodac, with many more authorities having access to the system for specific purposes and quite often outside of EU territory (e.g. consular posts)."

The report: key points

One issue that receives particular attention in the report is the use of private contractors at consulates, which "becomes more common as consulates of the Member States do not have the capacities to handle the collection of high volumes of applications... themselves."

Thus, the German, Italian, Maltese, Swiss and Swedish data protection authorities worked together to "explored the data protection implications of the use of [contractors] by the Member States," concluding that a "model contract to facilitate contractual agreements between Member States and [contractors]" should be drafted.

Some further points from the report are highlighted below:

  • CROATIA: "In 2014, no direct controls in diplomatic missions and consular offices were performed by the Croatian DPA due to budgetary constraints. In 2015, control activities are planned to be performed as prescribed by the Regulation on the CVIS."
  • CZECH REPUBLIC: "Although the Czech DPA did not uncover any breach of obligations under the Czech Data Protection Act by the Ministry of Foreign Affairs, it pointed out some problematic aspects with regard to the processing of personal data, such as the outsourcing of services to private companies."
  • DENMARK: Danish embassies were using a so-called "local restriction list", containing a list of names of persons to be refused visas. The Danish Ministry of Justice subsequently stated "that Member States cannot establish such local visa ban lists as it was never the intention of the Visa Code. Visas can only be refused on the basis of the refusal grounds set out in the Visa Code. A Member State who wants to impose a travel ban on a given person has to insert an alert in the SIS to that end."
  • FRANCE: "A particular focus [during inspections] was put on the outsourcing of some of the missions normally carried out by the consular posts to subconcontractors."
  • GERMANY: "The subcontractor issue... was discussed with the Ministry of Foreign Affairs in Germany in order to maintian data protection friendly solutions and to stress the necessity of strong privacy safeguards. It appeared that there was an increasing demand for the use of [subcontractors], given the rising numbers of visa applications in specific applications."
  • GREECE: Austerity affects data protection: "due to financial restraits no in situ audits were performed with regard to the Hellenic embassies and consular offices."
  • ITALY: "Apparently the system is running as planned and no specific problems are reported either by the Ministry of Interior or the Ministry of Foreign Affairs. No complaints have been received so far from data subjects."
  • POLAND: "In general the results of the inspections were satisfactory, but in some cases the following shortcomings were found: incomplete documentation on data processing and access to the VIS by persons without valid authorization."
  • ROMANIA: "With regard to the deficiencies, the Romanian DPA issued appropriate recommendations on the adequate information of data subjects (according to Article 12 of Law no. 677/2001), in all situations in which personal data is processed, the organisation of the premises in which personal data is archived, the establishment and the observance of the limited retention period of the personal data, enabling the identification of the data subjects strictly for the period necessary to achieve the goals for which data is collected and further processed, as well as the periodic training of personnel."
  • SLOVAKIA: "The only irregularities were found in the Slovak embassy in Croatia, where not all best practices related to entrance to area where personal data are processed were fulfilled."
  • SLOVENIA: "The available financial resources do not allow the Slovenian DPA frequent travels to third countries but one inspection on the VIS is planned for 2015."
  • SPAIN: There was "an infringement of the Ministry of Foreign Affairs and Cooperation affecting the principle of quality of the personal data, set forth at article 4 of the Spanish Data Protection Act."
  • SWITZERLAND: "In November 2013, the Swiss DPA inspected the Swiss consulate in Dubai. This control also included a control of the VIS, the log files, the biometrics (fingerprints) and of the externalisation. During the on the spot visit, the Swiss DPA was accompanied by the DPO of the Ministry of foreign affairs. As a result, the Swiss DPA asked for improvements concerning a secure transmission of the appointment-data, deletion of data, and a clause of deletion."

    Forthcoming work for the VIS Supervision Coordination Group includes:

    "Reporting on the questionnaires circulated on checking the access to the VIS data and data subjects’ rights;
    "Reporting on the use of ESPs for the processing of visa applications;
    "Developing a security audit framework;
    "Checking how national authorities are ensuring training staff of authorities having a right to access the VIS on data security and data protection rules."

    Further reading

  • Chinese to Schengen countries to submit biometric data (Statewatch News Online, September 2015)
  • EU: Documents: visas and law enforcement (Statewatch News Online, August 2015)
  • Report on the technical functioning of the Visa Information System (VIS) (Statewatch News Online, May 2014)
  • Collection of personal data for the EU's Visa Information System spreads further across the globe (Statewatch News Online, October 2012)

    Our work is only possible with your support.
    Become a Friend of Statewatch from as little as £1/€1 per month.


    Spotted an error? If you've spotted a problem with this page, just click once to let us know.

    Report error