Entry/Exit System (EES)
This privacy statement explains how the Royal Netherlands Marechaussee processes your personal data for the European Entry/Exit System (hereinafter the "EES"). The General Data Protection Regulation (GDPR) applies to these data processing operations.
The EES contains personal data of third-country nationals who enter the territory of Member States for a short stay (a maximum of 90 days within a 180-day period). The system will enter into operation in the fall of 2024. From that time, information about your entry into and exit from the Member States’ territory, as well as, if applicable, information about refusal of entry, will be recorded in the EES.
Your data will be collected and processed by the Royal Netherlands Marechaussee. Your personal data will be processed for border management, preventing irregular migration, and facilitating the management of migration flows. This requirement is set out in Regulation (EU) 2017/2226.
Pilot studies
For the European Union, the EES is scheduled to become operational in the fall of 2024. However, pilot trials may be conducted at airports earlier in 2024. These pilot studies are necessary to ensure the reliable functioning of the EES in the Netherlands. If you are asked to participate in such a pilot study, your participation will be entirely voluntary. Your personal data will only be used to test functionalities, such as self-service kiosks, and for no other purposes. Your personal data will not be retained or sent to the central EES or other parties. The same guarantees and rules laid out in this privacy statement will apply during pilot studies.
Controllers
The Royal Netherlands Marechaussee is responsible for carrying out border control in the Netherlands. It performs its duties under the administration of the Ministry of Defence. The data processing for the EES at the national level is thus under the responsibility of the Minister of Defence. However, authority over national border control tasks in the Netherlands rests with the Minister for Asylum and Migration.
The Netherlands is not responsible for data processing in the EES by European institutions or other Member States. The central EES is managed by eu-LISA, a European Union agency.
For more information about processing in the central EES, please refer to the European Commission’s website.
The data collected, recorded and processed
During checks at the external borders of Member States, the collection of your personal data is mandatory, as it is necessary to verify compliance with entry conditions.
The following personal data will be collected and recorded:
- Biometric personal data: This refers to a live facial image and the passport photo of all third-country nationals who must be registered in the EES. For third-country nationals who are visa-exempt or hold a Facilitated Transit Document (FTD), four fingerprints will also be required.
- Personal data from the travel document: Full name, date and place of birth, nationality, gender, height, signature, document reference number, citizen service number (BSN) or similar personal number, country of issue, and validity date.
- Language selection during registration.
Depending on your situation, data may also be collected from other sources:
- The Visa Information System (VIS): Data from your personal file;
- The European Travel Information and Authorisation System (ETIAS): Your travel authorisation status and possibly your family status;
- Any refusals of entry;
- Any overstays beyond the maximum permitted duration of stay in the Schengen Area.
If you do not provide the required biometric data
If you do not provide the biometric data required for registration, verification, or identification in the EES, you will be refused entry to the Schengen Area. This stipulation does not apply during pilot studies.
Legal basis for personal data collection
As the national border authority, the Royal Netherlands Marechaussee is obligated to participate in the EES for the proper execution of border control duties. This obligation is based on:
- Section 4(1)(f) of the Police Act 2012;
- Section 46(1)(a) of the Aliens Act 2000;
- Article 8 of the Schengen Borders Code;
- Section 2(1)(d) of the Implementation Act on EU Borders and Security Regulations;
- Articles 14, 16-19, and 23 of Chapter II and III of the EES Regulation.
The legal basis for processing is compliance with a legal obligation (Article 6(1)(c) GDPR) and the necessity for substantial public interest (Article 9(2)(g) GDPR).
How your personal data will be used
As a third-country national entering the Schengen Area via a border post in the Netherlands, you are required to register in the EES. Registration occurs either at a self-service kiosk or at a manual desk operated by a border guard of the Royal Netherlands Marechaussee. An algorithm will compare a live facial photo with the photo in your travel document to verify your identity. Your personal data will be sent through the Royal Netherlands Marechaussee systems to the central EES, which is managed by eu-LISA, the data controller for the central EES.
Your personal data will also be used for regular border checks as required by the Schengen Borders Code. This includes verifying the authenticity and validity of your travel document and checking national and European police databases.
When you cross the border on entry at a manned desk or eGate, a check will be conducted to determine whether you are already registered in the EES. On exit, your departure will be recorded. If there is no record of your exit after the permitted duration of stay, this will be automatically recorded in the EES. This can result in a return decision, deportation to your country of origin, and/or a temporary ban on entry into the Schengen Area.
If you overstay the permitted duration, your data will automatically be added to a list of identified overstayers. This list is accessible to the competent national authorities. If you are listed as an overstayer, this can result in a return decision, deportation, and/or a temporary ban from the Schengen Area. However, if you provide credible evidence that your overstay was due to unforeseen and serious events, your personal data in the EES can be corrected or supplemented, and you can be removed from the overstayers’ list.
How we store your personal data and retention period
The Royal Netherlands Marechaussee has implemented appropriate technical and organisational measures to protect personal data. An integrated security system, comprising physical, informational, and personnel security measures, is in place. These measures are detailed in the Defence Security Policy.
No personal data is stored in the self-service kiosks. In other Royal Netherlands Marechaussee systems, a retention period of 24 hours applies after a border crossing or registration. Personal data will only be stored longer if necessary for criminal investigations or other police tasks. These data processing operations fall under the Police Data Act, not the GDPR.
Your personal data will be stored in the central EES for the following periods:
- Records of each entry, exit, or refusal of entry will be retained for three years from the date of the record;
- The personal file containing your data will be retained for three years and one day from the last exit or refusal of entry, provided no new entry is made in that period;
- If no exit record is made, your data will be retained for five years after the last day of the permitted duration of stay.
Personal data from the EES may also be stored by authorised national agencies when necessary in individual cases. Such storage is subject to the same retention periods as the central EES or for as long as necessary in an individual case.
Processors
Personal data for or from the EES may be processed by the following organisations on behalf of the Royal Netherlands Marechaussee. Processing agreements have been concluded with these organisations, requiring them to comply with the terms of this privacy statement:
- Schiphol Netherlands B.V. (data processor)
Other parties that may access your data
Relevant authorities in Schengen Area Member States may access your data for border management, facilitating border crossings, immigration, and law enforcement. Europol may also access your data for law enforcement purposes. Under strict conditions, your data may be transferred to a Member State, third country, or international organisation listed in Annex I of Regulation (EU) 2017/2226 for return or law enforcement purposes.
Your rights
The Royal Netherlands Marechaussee seeks to fully inform you of your rights regarding your personal data. Each traveller has the following rights:
- Right to be informed about duration of stay: You have the right to be informed about your maximum duration of stay in the Schengen Area when your personal data is recorded or checked in the EES.
- Right of access/disclosure: You have the right to request copies of your personal data.
- Right to rectification: You have the right to request changes to personal data that are inaccurate or incomplete.
- Right to erasure: You have the right to request the erasure of your personal data. This request will only be granted if the personal data were obtained unlawfully or improperly, or if the retention period has expired. Specifically, you have the right to have your personal data erased from the EES if they remain because you exited late and can prove this was due to unforeseen and serious events.
- Right to restriction of processing: You have the right to request the restriction of processing of your personal data. This request will only be granted if the personal data were obtained unlawfully or improperly.
- Right to object: You have the right to object to the processing of your personal data. This request will only be granted if the personal data were obtained unlawfully or improperly.
Contact
If you have any questions about this privacy statement, the EES, or the processing of your personal data, or if you want to exercise the above-mentioned rights, please contact us through the website or postal address below. The EES regulation gives us a period of 45 days (in deviation from the regular GDPR deadlines) to respond to your requests.
Postal address:
Royal Netherlands Marechaussee
Legal Affairs Cluster
GDPR Coordinator
PO Box 90200
3509 BE Utrecht
Netherlands
Complaints: national
If you wish to file a complaint about the processing of your personal data or if you are of the opinion that the Royal Netherlands Marechaussee did not handle a request in that regard properly, please contact the Netherlands Ministry of Defence Data Protection Officer by email to functionaris.gegevensbescherming@mindef.nl or the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl.
Email: info@autoriteitpersoonsgegevens.nl
Postal address:
Dutch Data Protection Authority
PO Box 93374
2509 AJ The Hague
Netherlands
Complaints: European
For complaints about data processing operations in the central EES, please contact the European Data Protection Supervisor:
https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en.
This statement was last updated on 29 August 2024.