Visa and immigration

Information on the processing of personal data

The collection of personal data required by any visa application including the taking of the photograph and the taking of the fingerprints are mandatory for the examination of a visa application. Failure to provide such data will result in the application being inadmissible.

The responsible authorities

Ministère des Affaires étrangères et européennes
Bureau des Passeports, Visas et Légalisations
6 Rue de l’Ancien Athenée
L-1144 Luxembourg
service.visas@mae.etat.lu
Data protection officer: dataprotection.mae@mae.etat.lu

The legal basis

The legal basis for the collection and the processing of personal data is set out in Regulation (EC) 767/2008 (VIS Regulation), Regulation (EU) 2019/1155 amending Regulation (EC) 810/2009 establishing a Community Code on Visas (Visa Code) and Council Decision 2008/633/JHA.

The processing of personal data

The data will be shared with the relevant authorities of the Member States[1] and processed by those authorities for the purposes of a decision on a visa application.

The data and data concerning the decision taken on an application or a decision whether to annul, revoke, or extend a visa issued will be entered into, and stored in the Visa Information System (VIS) for a maximum period of five years, during which it will be accessible to the visa authorities and the authorities competent for carrying out checks on visas at external borders and within the Member States, immigration and asylum authorities in the Member States for the purposes of verifying whether the conditions for the legal entry into, stay and residence on the territory of the Member States are fulfilled, of identifying persons who do not or who no longer fulfil these conditions, of examining an asylum application and of determining responsibility for such examination.

Under certain conditions the data will be also available to designated authorities of the Member States and to Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences.

Third Country and international organisations

Personal data might also be transferred to third countries or international organisations for the purpose of proving the identity of third-country nationals, including for the purpose of return. Such transfer only take place under certain conditions[2]. You can contact the authority responsible for processing the data to obtain further information on these conditions and how they are met in your specific case.

Transparency and rights of the data subject

Under the General Data Protection Regulation[3] and the VIS Regulation[4], you are entitled to obtain access to your personal data, including a copy of it, as well as the identity of the Member State which transmitted it to the VIS. You also have the right that your personal data which is inaccurate or incomplete be corrected or completed, that the processing of your personal data be restricted under certain conditions, and that your personal data processed unlawfully be erased.

You may address your request for access, rectification, restriction or erasure directly to the authority responsible for processing the data. Further details on how you may exercise these rights, including the related remedies according to the national law of the State concerned, are available on its website and can be provided upon request.

You may also address your request to any other Member State. The list of competent authorities and their contact details is available at: https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/borders-and-visas/visa-policy/how_to_apply/docs/links_to_ms_websites_en.pdf

Lodge a complaint

You are also entitled to lodge at any time a complaint with the national data protection authority of the Member State of the alleged infringement, or of any other member State, if you consider that your data have been unlawfully processed.

The data protection authority of Luxembourg is:

National Commission for Data Protection (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux
Phone: (+352) 26 10 60 - 1
Web contact: https://cnpd.public.lu/en/support/contact.html
Website: https://cnpd.public.lu/en/commission-nationale.html

[1] Austria, Belgium, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Malta, The Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, Norway, Iceland, Liechtenstein and Switzerland

[2] Article 31 of Regulation (EC) 767/2008 (VIS Regulation)

[3] Article 15 to 19 of Regulation (EU) 2016/679 (GDPR)

[4] Article 38 of Regulation (EC) 767/2008 (VIS Regulation)

The Visa Information System (VIS) is a system for the exchange of data on short-stay visas between Schengen States. The main objectives of the VIS are to facilitate visa application procedures and checks at external borders as well as to enhance security. 

The purpose of this global VIS introduction process is to better protect applicants against identity theft and to prevent document fraud and so-called "visa shopping". Fingerprints are widely used within the EU as a more secure means of identification. The use of biometric data for identification purposes of a visa holder is a faster and more accurate way to identify a visa holder by border police.

The VIS consists of a central database, a national interface in each Schengen State, and a communication infrastructure between the central database and the national interface. The VIS is connected to the national visa systems of all Schengen States via the national interfaces to enable competent authorities of the Schengen States to process data on visa applications and on visas issued, refused, annulled, revoked or extended.

The VIS is composed of two systems, first the VIS database with alphanumerical searching capabilities and an Automated Fingerprint Identification System (AFIS) that compares received fingerprints against the database and returns a hit/no hit response, along with matches.

The principal central VIS is located in Strasbourg (France) and a back-up central VIS, capable of ensuring all functionalities of the principal central VIS is located in Sankt Johann in Pongau (Austria). 

The VIS processes continuously the information collected by Schengen States' Consulates. For example, the information entered locally by the visa authorities can be available within a few minutes in the VIS. The VIS supports swift services for verification of visa holders at the border crossing points. For example, a verification takes only a few seconds.

The Commission was in charge of the development of the central database, the national interfaces and the communication infrastructure between the central VIS and the national interfaces. Each Schengen State is responsible for the development, management, and operation of its national system.

The Agency for the management of large-scale IT systems (eu-LISA) is the Management Authority of the VIS.

What is the legal basis for the VIS?

The main acts constituting the VIS legal framework are:

• Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS), OJUE L 213, 15.6.2004, p. 5.
• Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the VIS and the exchange of data between Member States on short-stay visas (VIS Regulation), OJUE L 218, 13.8.2008, p. 60.
• Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the VIS by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offence, OJUE L 218, 13.8.2008, p. 129.
• Regulation (EC) No 81/2009 of the European Parliament and of the Council of 14 January 2009 amending Regulation (EC) No 562/2006 as regards the use of the Visa Information System (VIS) under the Schengen Borders Code, OJUE L 35, 4.2.2009, p. 56.
• Regulation (EC) No 810/2009 of the European Parliament and the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code), OJUE L 243, 5.9.2009, p. 1.

What are the consequences of VIS in practice for visa applicants?

First-time visa applicants always have to appear in person when lodging the application in order to provide their photograph and fingerprints.

The photograph will be digitally taken at the time of the application at a later stage – it is currently scanned from an existing paper photograph.

For subsequent applications within 5 years, the fingerprints can be copied from the previous application file in the VIS.

Nevertheless, it has to be underlined that in case of reasonable doubt regarding the identity of the applicant, the Consulate shall collect again fingerprints within the 5-year period specified above. Furthermore, the applicant may request that they be collected if, at the time when the application is lodged, it cannot be immediately confirmed that the fingerprints were collected within this 5-year period. 

Visa applicants' biometric data can be collected by Schengen States' Consulates and external service providers but not commercial intermediaries (e.g. travel agencies).

When arriving at the external border of the Schengen area, visa holders will have to provide their fingerprints for comparison with those registered in the VIS, if requested by Schengen States' border control authorities. The searches in the VIS by Schengen States’ border guards are carried out using the visa sticker number in combination with the fingerprints, except in a limited set of circumstances (for instance due to the intensity of traffic).

Visa holders whose fingerprints were not collected at the time of application, because they were exempted from this, will not be requested to provide fingerprints at the border.

What happens to those people who refuse to provide fingerprints for various reasons?

Unfortunately, a person will not be issued a Schengen visa if he/she fails to provide biometric data. There are, however, in accordance with Article 13(7) of the Visa Code several categories of citizens, who do not have to provide this data, as indicated in the FAQ under Question 18) .

If I already have a biometric passport, do I also need to submit my fingerprints?

Yes, the owners of biometric passports also have to show up in person when applying for a short-stay Schengen visa.

How is my biometric data protected in the VIS?

Strict data protection rules are defined in the VIS-related rules and are subject to the control of national and European data protection authorities.  

Data is kept in the VIS for maximum 5 years starting from the expiry date of the visa, if a visa has been issued; or on the new expiry date of the visa, if a visa has been extended; or on the date when the negative decision is taken by the visa authorities. 

Any person has the right to obtain communication of the data recorded in the VIS related to him/her from the Schengen State which entered the data into the system. Any person may also request that inaccurate data related to him/her be corrected and that data unlawfully recorded be deleted.

In each Schengen State, national supervisory authorities monitor independently the processing of the personal data registered in the VIS by the Schengen State in question.

The European Data Protection Supervisor monitors the data processing activities by the VIS Management Authority. 

Which data are registered in the VIS?

Schengen States' visa authorities register in the VIS data relating to short-stay visa applications (i.e. applications for stays in the Schengen area up to 90 days). Data on national long-stay visas are not yet registered in the VIS.

On receipt of an application, the visa authorities of the competent Schengen State will create an application file in the VIS and will register the alphanumeric data contained in the Schengen visa application form, the digital photograph, and the 10 fingerprints taken flat of the applicant. 

If the applicant is travelling in a group, the application files of the travelers will be linked in the VIS. If a previous application has been registered for the same applicant, both applications will also be linked in the VIS.

When a decision has been taken on the application (issuance / refusal of the visa) or subsequently (annulment, revocation, extension), the information is registered in the VIS by the visa authorities of the competent Schengen States. When the visa is issued and if all the applicant's data - including his/her fingerprints - was registered in the VIS, a code 'VIS' is inserted in the visa sticker.

Which authorities have access to the VIS?

The visa authorities of the Schengen States have access to the VIS both for entering and consulting the data. The data on the application and on the decisions related thereto are entered in the VIS by the visa authorities of the Schengen State competent for examining the application or for taking the decision. Data entered by one Schengen State may then be consulted by the visa authorities of all other Schengen States, for instance when examining another application from the same applicant.

Other authorities from the Schengen States have access to the VIS for consultation only.

The national border authorities have access to the VIS for the purpose of verifying the identity of the visa holder, the authenticity of the visa, and whether the conditions for entry to the territory of the Schengen States are fulfilled. Checks in the VIS at the external borders of the Schengen area with systematic fingerprint verifications are compulsory, except in a limited set of circumstances.

The national authorities responsible for carrying out identity checks within the territory of the Schengen States have access to the VIS for the purpose of verifying the identity of the visa holder, the authenticity of the visa, and whether the conditions for entry, stay or residence on the territory of the Schengen States are fulfilled.  

The competent national asylum authorities have access to the VIS for determining the Member State responsible for examining an asylum application in accordance with Regulation (EC) n° 343/2003 and for the examination of such an application.

Europol has access to the VIS for consultation for the purpose of prevention, detection and investigation of terrorist offences and of other serious criminal offences.

The national law enforcement authorities have access to VIS data for the same purposes, providing that certain legal conditions are fulfilled: access to VIS data must be necessary in a specific case and there must be reasonable grounds to consider that the consultation of the data will substantially contribute to the prevention, detection or investigation of terrorist and other serious crimes.

As a rule, VIS data cannot be transferred or made available to a third country or an international organization. By way of derogation, certain data registered in the VIS (name, nationality, travel document number, residence) may be communicated to a third country or an international organization when necessary in an individual case for proving the identity of a third country national, including for the purpose of return. 

In the exercise of its public interest mission, the General Department of immigration of the Ministry of Home Affairs collects and uses your personal data to allow the processing of your file according to the provisions of the amended law of the 29 August 2008 on the free movement of persons and immigration.

The data collected by the General Department of immigration can also be used to update your data in the National Register of Natural Persons as well as for statistical purposes. The data can also be used to verify the regularity of your stay under the provisions of the amended law of August 29, 2008 mentioned above, by other administrations and ministries in the context of other procedures, such as the procedure of acquisition of the Luxembourg nationality at the Ministry of Justice.

The data processed, or part of them, necessary for the accomplishment of a public mission, might be communicated or made accessible to other authorities, who are authorized to access it according to a legal provisions (National Reception Office, Health Directorate, Ministry of Justice).

The data are kept for the duration of the processing of the file at the General Department of immigration and for as long as necessary to fulfill the purposes mentioned above.

You have a right to access, rectify and delete your data, as well as a right of objection and a right to demand the limitation of treatment, under certain conditions and unless the treatment is necessary for the administration to carry out a public interest mission.

If you wish to exercise these rights or for any request relating to data protection, you can contact the General Department of immigration of the Ministry of Home Affairs (B.P.752, L-2017 Luxembourg) by postal mail accompanied by a proof of identity. Complaints may be addressed to the Data Protection Officer (Commissaire à la protection des données auprès de l’Etat, 43, bd Roosevelt L-1450 Luxembourg).

Complaints may be lodged with the National Commission for the Protection of Data (CNPD) (15, Boulevard du Jazz L-4370 Belvaux).

For detailed information on how to exercise your access rights, please visit the following site: 

https://cnpd.public.lu/en/particuliers/vos-droits/droit-acces.html