The Federal Commissioner for Data Protection and Freedom of Information

Navigation and service

Data Protection at the Border – The new European Information Systems

Over the near future, the European Union (EU) will introduce new information systems for border surveillance. Find out more about EES and ETIAS, the two most important new systems.

Graphik mit Reisenden vor dem Schalter einer Passkontrolle am Flughafen
Source: ©Maria - stock.adobe.com

In this article, we would like to introduce you to the most important new emerging systems and functionalities for border surveillance - EES and ETIAS. In connection with their introduction, existing systems, such as the Visa Information System, will also be modified.

Entry/Exit System (EES)

The EES is expected to be introduced at the EU's external borders in the near future. In Germany, these external borders are the borders at airports and seaports.

What is the EES?

The EES is an electronic system that records the time and place of entry and exit of third-country nationals admitted for a short stay in the territory of the Member States. The duration of the authorised stay is calculated automatically. The duration is up to 90 days in a 180-day period (according to Article 6 paragraph 1 of Regulation (EU) 2016/399, Schengen Borders Code).

The system helps to identify persons who have exceeded their permitted length of stay. This replaces the previous stamping of passports.

The aim of the system is to speed up the border control process and to prevent, detect or investigate terrorism and serious crimes.

Who belongs to the admitted third-country nationals?

A third-country national is a person who does not have the nationality of a Member State of the European Union and does not enjoy a right to freedom of movement equivalent to that of Union citizens (Articles 20 and 21 TFEU Treaty on the Functioning of the European Union).

A short stay is permitted for up to 90 days within a 180-day period. The Federal Foreign Office provides helpful explanations on visa.

Article 2, paragraphs 3 and 4 of the EES Regulation lists the groups of persons to whom the regulation does not apply. These include, for example, family members of Union citizens under certain conditions, holders of long-term visas and others.

What data are stored in the EES?

According to Article 16-18 of the EES Regulation, the following data are stored in principle:

  • Personal details
  • Information about travel documents
  • Facial image
  • Fingerprint data (not required for children under 12 years of age and for persons for whom this is physically impossible)
  • Date and time of entry, border crossing point, status of the third-country national
  • Accordingly, date and time of exit, border crossing point
  • Visa details (e.g. visa sticker number, number of permitted entries)

A data record is generated for each entry/exit. The data records of a person are summarised.

How long will the data be stored in the EES?

Basically the data will be stored for three years and one day. The period begins principally on the date of the last exit record.

If there is no exit record following the date of expiry of the period of authorised stay, the data retention period is five years.

Which authorities have access to the data?

The data are recorded by the Federal Police as a border authority. The visa authorities have access to the data when checking entry authorisation, the Federal Police when checking applications for admission to the national facilitation programme, the immigration authorities, and police authorities for law enforcement and security purposes.

What rights do data subjects have?

According to Article 52 of the EES Regulation, a right of access to, rectification, completion and erasure of personal data exist as well as of restriction of the processing thereof. The Federal Office of Administration, BVA is competent for processing these requests.

According to Article 50 of the EES Regulation, data subjects must be provided with information on the use of EES data before the data are collected.

Further information

Further information about the system can be found here:

EES Regulation

Additional Information of the EU on EES

Additional Information of the European Commission on EES

Information of the Federal Office of Administration, BVA [German]

Information of the Federal Police [German]

 

European Travel Information and Authorisation System (ETIAS)

The European Travel Information and Authorisation System (ETIAS) is expected to be introduced six months after the EES went into operation. The system can be used to apply for travel authorisations to enter the so-called Schengen area before travelling.

What is ETIAS?

ETIAS is an electronic system for travel authorisations. This will be an entry condition for travellers from certain countries. The procedure specifically affects third-country nationals who want to enter European countries and are exempt from the visa requirement. The European CUnion provides information on who needs an ETIAS travel authorisation to enter which countries.

In the future, ETIAS authorisations will be required to enter the following countries:

List of countries where ETIAS is necessary for entry
Source: European Union

List as text version

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czeck Republik, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland

People from these countries will need the authorisation in the future:

List of countries/territories that must apply for an ETIAS travel authorisation
Source: European Union

List as text version

Albania, Antigua and Barbuda, Agentina, Australia, Bahamas, Barbados, Bosnia and Herzegovina, Brazil, Brunei, Canada, Chile, Colombia, Costa Rica, Dominica, El Salvador, Gerogia, Grenada, Guatemala, Honduras, Hong Kong, Israel, Japan, Kiribati, Kosovo, Macao, Malaysia, Marshall Islands, Mauritius, Mexico, Micronesia, Moldova, Montenegro, New Zealand, Nicaragua, North Macedonia, Palau, Panama, Paraguay, Peru, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Samoa, Serbia, Seychelles, Singapore, Solomon Islands, South Korea, Taiwan, Timor-Leste, Tonga, Trinidad and Tobago, Tuvalu, Ukraine, United Arab Emirates, United Kingdom, United States of America, Uruguay, Venezuela

These permits can be used by travellers for short-term stays (usually up to 90 days within a 180-day period). They are valid for three years unless a new passport is used. However, even with the ETIAS travel authorisation, entry is not guaranteed and border controls still take place.

What data are stored in the ETIAS?

In accordance with Article 17 of the ETIAS Regulation, the system stores the data entered by the applicant. These include:

  • Data for identification purposes, such as name, date of birth, nationality;
  • Information about the travel document, such as ID number;
  • Contact details, such as address and telephone number;
  • Information about education and job.

In addition, it is necessary in certain cases to provide further information, for example, when minors are travelling. In this case, the person exercising parental authority or the legal guardian must be provided.

The data provided by the applicant is stored in the so-called application file. Further data on the application are additionally stored in this file (Article 19 ETIAS Regulation). For example, an application number is created and the payment of the fee is recorded.

What happens to my data following my application?

The further processing of the application file is automated (Article 20 of the ETIAS Regulation). In concrete terms, this means that other European information systems are checked to find out whether there are reasons against entry to the Schengen area. For example, a comparison is made with the Schengen Information System (SIS) in order to check whether the entered identity document has been stolen.

If the check does not report any hits for alerts in the checked systems, the ETIAS travel authorisation will be issued automatically.

However, if the check reports a hit, further processing is done manually (Article 22 ETIAS Regulation). First, it is ensured that there is no false hit. This is done by the ETIAS Central Unit at the European Border and Coast Guard Agency. This agency then forwards the file to the respective national ETIAS Unit, which will decide on the application. Every Schengen state will have such an ETIAS National Unit. In Germany, this unit is located at the Federal Police.

The ETIAS National Unit may also ask the applicant for further information in order to decide on the application. After the decision has been made, the applicant will receive information about the authorisation or refusal.

How long will the data be stored?

If an ETIAS travel authorisation has been issued, the data will be stored until the authorisation expires (usually three years). This means that in general, the data will be automatically deleted after three years. Travelers can freely and explicitly consent that the data will be stored for a further three years. This can facilitate a new application for a later travel authorisation.

If a travel authorisation is refused, annulled or revoked, the data will be stored for five years. The date of the last negative decision is the decisive factor in this regard.

Which authorities have access to the data?

Access to ETIAS data takes place at the borders. There, the border authorities carry out a query in the system. The immigration authorities also have access (Articles 47-49 ETIAS Regulation).

If an application has to be processed manually, the ETIAS Central Unit at the European Border and Coast Guard Agency and, if necessary, the competent ETIAS National Unit will have access. Every Schengen state will have such a national ETIAS office. In Germany, this will be the Federal Police.

National law enforcement authorities and Europol can also access the data under certain conditions. This can happen if the access serves the purpose of preventing, detecting, and investigating terrorist offences or other serious criminal offences (Articles 50-53 ETIAS Regulation).

What rights do data subjects have?

According to Article 64 of the ETIAS Regulation, there is a right of access to, of rectification, of completion, of erasure of personal data and of restriction of processing.

Further information

Please note that there are various websites offering a supposed ETIAS travel authorisation. We encourage you to use the website of the European Commission. Here you will find out in particular when the system will be put into operation and whether an application is necessary.

ETIAS Regulation

Information from the Federal Police on ETIAS [German]

Information from Frontex on ETIAS

Data protection impact assessment of the European Data Protection Supervisor on ETIAS