Entry/Exit System (EES)

This privacy statement explains how the Royal Netherlands Marechaussee will process your personal data for the European Entry/Exit System (hereinafter the “EES”). The General Data Protection Regulation (GDPR) will apply to these data processing operations.

The EES will contain personal data of third-country nationals who enter the territory of Member States for a short stay (a maximum of 90 days within a period of 180 days). The system will enter into operation in November 2024. From that time, information about your entry into and exit from the territory of Member States, as well as, if applicable, information about a refusal of entry into that territory, will be recorded in the EES.

Your data will be collected and processed by the Royal Netherlands Marechaussee. Your personal data will be processed for border management, to prevent irregular migration and to simplify the management of migration flows. This requirement is set out in the corresponding Regulation (EU) 2017/2226.

Pilot studies

For the European Union as a whole, the EES is not scheduled to be operational until November 2024. Nevertheless, pilot trials may be conducted at airports before then. These are necessary to ensure the reliable functioning of the EES in the Netherlands. If you are asked to participate in a pilot study, your participation will be entirely voluntary and without obligation. Your personal data will only be used to test self-service kiosks, for example. The data will not be used for any other purpose. Furthermore, your personal data will not be retained or shared with the central EES or any other party. In all other respects, the safeguards and rules set out in this privacy statement will apply during the pilot studies.

Controllers

The Royal Netherlands Marechaussee is responsible for border control in the Netherlands. It performs its border control duties under the administration of the Ministry of Defence and the authority of the Ministry of Justice and Security. The Minister of Defence and the Minister of Justice and Security are therefore joint controllers in relation to the personal data processed in the performance of border control duties in the Netherlands.

The data collected, recorded and processed

The collection of personal data is required during checks at the external borders of Member States because of the need to verify compliance with entry requirements. 

The following personal data will be collected and recorded:

  • Biometric personal data. This refers to a live facial image and passport photo of all third-country nationals subject to registry in the EES. For third-country nationals who are not subject to the visa requirement and holders of a facilitated transit document (FTD), four fingerprints are also required.
  • Personal data from the travel document (full name, date and place of birth, nationality, sex, height, signature, document reference number, citizen service number or similar personal number, country of issue, validity date).
  • Language selection when registering.

Depending on your situation, data concerning you may also be collected from other sources:

  • The Visa Information System (VIS): data from your personal file;
  • The European Travel Information and Authorisation System (ETIAS): the status of your travel authorisation, in particular, and possibly your family status;
  • Any refusals of entry;
  • Any breaches of the maximum permitted duration of stay in the Schengen Area.

If you do not provide the required biometric data

If you do not provide the required biometric data for registration, verification or identification in the EES, you will be refused entry to the Schengen Area. This stipulation will of course not apply during pilot studies.

As the national border authority, the Royal Netherlands Marechaussee is required to take part in the EES for the proper performance of border control duties as laid down in Section 4(1)(f) of the Police Act 2012, Section 46(1)(a) of the Aliens Act 2000, Article 8 of the Schengen Borders Code, Section 2(1)(d) of the EU Borders and Security Regulations (Implementation) Act and, in particular, Articles 14, 16 up to and including 19 and 23 of Regulation (EU) 2017/2226. The basis for the data processing operations is therefore the performance of a task carried out for reasons of substantial public interest within the meaning of Article 6(1)(e) and Article 9(2)(g) of the GDPR.

How your personal data will be used

If, as a third-country national, you enter the Schengen Area via a border crossing in the Netherlands, you will be required to register in the EES. It will be possible to register yourself at a self-service kiosk or have yourself registered by a border guard at a Royal Netherlands Marechaussee desk. An algorithm will compare a live photograph of your face with the photograph in your travel document to verify your identity. Your personal data will be sent through Royal Netherlands Marechaussee systems to the central EES, which will be managed by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). eu-LISA will also be the data controller of the central EES.

Your personal data will also be used for all regular border checks required by the Schengen Borders Code. This includes verifying the authenticity and validity of your travel document, as well as checking national and European police databases.

When you cross the border on entry via the manned desk or the eGates, a check will be carried out to determine whether you are already registered in the EES. On exit, your departure from the Schengen Area will be recorded. If, following the end of the permitted duration of stay in the Schengen Area, there is no record of your exit, this will be automatically recorded in the EES. This may in turn result in a return decision, deportation to the country of origin and/or a temporary prohibition on entry into the Schengen Area.

If you exceed the permitted duration of stay, your data will automatically be added to a list of identified persons (a list of overstayers). The list can be accessed by the competent national authorities. If you are on the list of overstayers, the result may be a return decision, deportation to the country of origin and/or a temporary prohibition on entry into the Schengen Area. However, if you can provide credible evidence to the competent authorities that you exceeded the permitted duration of stay because of unforeseen and serious events, your personal data in the EES can be rectified or supplemented and you can be removed from the list of overstayers.

How we store your personal data and retention period

The Royal Netherlands Marechaussee has taken appropriate and organisational measures to protect personal data. We use an integrated security system made up of physical, data-related and human security measures. The full set of security measures is detailed in the Defence Security Policy.

No personal data are stored in self-service kiosks. A retention period of, in principle, 24 hours following the border crossing or registration is in effect for the other relevant Royal Netherlands Marechaussee systems. Your personal data will be stored for longer than 24 hours only if necessary to carry out criminal investigations or any other police tasks. The data processing operations are governed by the Police Data Act rather than the GDPR in that context.

Your data will be stored in the central EES for the following periods and will subsequently be automatically deleted:

  1. each record of entry, exit or refusal of entry will be retained for a period of three years from the date of the record of entry, exit or refusal of entry;
  2. the personal file containing your personal data will be retained for a period of three years and a day from the date of the last record of exit or record of refusal of entry if no new record of entry has been made in that period;
  3. if no record of exit has been made, your data will be retained for a period of five years following the last day of the permitted duration of stay.

Personal data from the EES may also be stored by authorised national agencies if the agency concerned entered or consulted that data and storage is necessary in the individual case in question. Such storage is only permitted for the same retention periods that apply to the central EES or for as long as necessary in an individual case.

Processors

Personal data for or from the EES may be processed by the following organisations at the request of the Royal Netherlands Marechaussee. Processing agreements have been concluded with these organisations, which oblige them to abide by the terms of the Royal Netherlands Marechaussee in accordance with this privacy statement.

  • Schiphol Netherlands B.V. (data processor)

Other parties that may access your data

The relevant authorities of Schengen Area Member States may access your data for purposes of border management, facilitating border crossings, immigration and law enforcement. Europol may also access your data for law enforcement purposes. Under strict conditions, your data may also be transferred to a Member State, a third country or an international organisation listed in Annex I to Regulation (EU) 2017/2226 for purposes of return or law enforcement.

Your rights

Right to be informed about duration of stay — You have the right to be informed about your maximum duration of stay in the Schengen Area when your personal data are recorded or checked in the EES.

Right of access/disclosure — You have the right to request copies of your personal data.

Right to rectification — You have the right to request changes to personal data that are inaccurate or incomplete.

Right to erasure — You have the right to request the erasure of your personal data. This request will only be granted if the personal data have been obtained unlawfully or improperly or if the retention period has expired. Specifically, you have the right to have your personal data in the EES erased if they are still in the EES because you exited after the expiry of your permitted duration of stay and you can prove that your late departure was caused by an unforeseen and serious event.

Right to restriction of processing — You have the right to request the restriction of processing of your personal data. This request will only be granted if the personal data have been obtained unlawfully or improperly.

Right to object — You have the right to object against the processing of your personal data. This request will only be granted if the personal data have been obtained unlawfully or improperly.

Right to portability — You have the right to request our organisation to provide your personal data to another organisation.

Contact

If you have any questions about this privacy statement, about the EES or about the processing of your personal data, or if you want to exercise the above-mentioned rights, please contact us through the website listed below or by post. The GDPR gives us a period of one month, which can be extended conditionally by another two months, to respond to your requests.

www.marechaussee.nl/privacy

Postal address:

Royal Netherlands Marechaussee
Legal Affairs Cluster
GDPR Coordinator
PO Box 90200
3509 BE Utrecht
Netherlands

Complaints: national

If you wish to file a complaint about the processing of your personal data or if you are of the opinion that the Royal Netherlands Marechaussee did not handle a request in that regard properly, please contact the Netherlands Ministry of Defence Data Protection Officer by email to functionaris.gegevensbescherming@mindef.nl or the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl.

Email: info@autoriteitpersoonsgegevens.nl

Postal address:

Dutch Data Protection Authority
PO Box 93374
2509 AJ The Hague
Netherlands

Complaints: European

In the event of complaints about data processing operations in the central EES, please contact the European Data Protection Supervisor: https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en.

This statement was last updated on 18/12/2023.