1. Introduction

The Visa Information System (VIS) is a system for the exchange of visa data between Schengen States. Essentially it enables authorised national authorities to enter and update visa data and to consult these data electronically. It consists of a central IT system, the National Interface in each Member State, and the communication infrastructure between the Central Visa Information System and the National Interfaces. This communication infrastructure links this central system to national systems. VIS connects consulates in non-EU countries and all external border crossing points of Schengen States. It processes data and decisions relating to applications for short-stay visas to visit, or to transit through, the Schengen Area. The system can perform biometric matching, primarily of fingerprints, for identification and verification purposes.

The main objectives of the VIS are to facilitate visa application procedures, to facilitate checks at external borders and to enhance security. The VIS facilitates the exchange of data between Schengen States on visa applications in order to ease procedures, prevent “visa shopping” and assist in the fight against fraud, enhance security and assist with asylum applications.

The VIS was progressively being rolled out in the different regions of the world and became fully operational in 2015.

The VIS system was established with Council Decision 2004/512, while Regulation 767/2008 defines the purpose and functionalities of the system. Additionally, Council Decision 2008/633 provides the legal basis for the access of Member States’ designated authorities as well as of the access of Europol to the VIS. 

Competent visa authorities may consult the VIS for the purpose of examining applications and decisions related thereto. The authorities responsible for carrying out checks at external borders and within the national territories have access to search the VIS for the purpose of verifying the identity of the person, the authenticity of the visa or whether the person meets the requirements for entering, staying in or residing within the national territories. Asylum authorities only have access to search the VIS for the purpose of determining the EU State responsible for the examination of an asylum application. In specific cases, national authorities and Europol may request access to data entered into the VIS for the purposes of preventing, detecting and investigating terrorist and criminal offences.

The Hellenic Data Protection Authority is the national supervisory authority designated with the supervision of the VIS system and monitors independently the lawfulness of the processing of personal data including their transmission to and from the VIS.

2. Rights of data subjects

Data are kept in the VIS for five years. This retention period starts from the expiry date of the issued visa, the date a negative decision is taken or the date a decision to modify an issued visa is taken. Any person has the right to be informed about his/her data in the VIS, as provided for in art. 37 of Regulation 767/2008.

The data subjects have the right of access (article 12 of Law 2472/1997) to personal data relating to them and the right to object (article 13 of Law 2472/1997) to the processing of their personal data and in essence request that inaccurate data about him/her is corrected and unlawfully recorded data is deleted.. Both rights are exercised in writing directly to the data controller (Ministry of Foreign Affairs). The above mentioned rights are also described in art. 38 of Regulation 767/2008 and art. 14 of Decision 2008/633.  The contact details of the Ministry are the following:

Hellenic Ministry of Foreign Affairs

1st Vas. Sofias Av.
106 71 Athens, Greece

In both cases (right of access / right to object), if the data controller does not respond in writing within 15 days (without prejudice to art. 38 of Regulation 767/2008 and art. 14 of Decision 2008/633), the data subject has the right to appeal before the DPA. Limitations and conditions to the right of access are provided within art. 12 para. 5 of Law 2472/1997 citing that by virtue of a decision by the Authority, upon application by the Controller, the obligation to inform, pursuant to paragraphs 1 and 2 of the present article, may be lifted in whole or in part, provided that the processing of personal data is carried out on national security grounds or for the detection of particularly serious crimes. In this case the President of the Authority or his/her substitute carries out all necessary acts and has free access to the files. The contact details of the Hellenic DPA are the following:

Hellenic Data Protection Authority
Kifisias 1-3, 1st floor
GR – 115 23 Athens
Tel.: ++30 210 6475600
Fax: ++ 30 210 6475628