Schengen Information System (SIS II)
This privacy statement explains how the Royal Netherlands Marechaussee processes personal and police data from or into the Schengen Information System (SIS II).
One of the following privacy-related pieces of legislation may apply to these SIS II data processing operations:
Which of these two applies depends on the type of duty for which the data are required. Police duties involve police data within the meaning of the Wpg. Duties concerning border control and foreign nationals involve personal data within the meaning of the GDPR.
SIS II controller
Each EU Member State must designate a central controller for SIS II. In the Netherlands, the National Police has been designated. The National Police is therefore the central controller for the Dutch part of SIS II. The Royal Netherlands Marechaussee is only responsible if it processes SIS II data in its own systems or alters the data. The same applies to other Dutch government organisations that have access to SIS II.
The Royal Netherlands Marechaussee uses SIS II to perform different statutory, public duties. In most cases, the Minister of Defence is the formal controller for the processing of data in our own systems and processes. However, as GDPR or Wpg manager, the Commander of the Royal Netherlands Marechaussee is tasked with ensuring compliance with privacy legislation within the organisation on behalf of the Minister of Defence.
Types of SIS II data
From its own systems, the Royal Netherlands Marechaussee can consult SIS II data, as well as enter, alter or delete data itself. The Royal Netherlands Marechaussee does so to perform different public duties. This may involve data of a normal, special, sensitive or criminal nature, as long as the data are relevant to the performance of the task and the data are necessary for the specific dossier.
Legal basis for the processing for SIS II data
SIS II is based on Regulation (EC) No 1987/2006 and was recently expanded by the new Regulations (EU) 2018/1860, 2018/1861 and 2018/1862. According to these regulations, Member States may grant certain authorities access to SIS II. In the Netherlands, the Royal Netherlands Marechaussee is one of those authorities. Our national duties are listed in Section 4 of the Dutch Police Act 2012.
On the basis of the regulations referred to above, the Royal Netherlands Marechaussee may process SIS II data for all of its statutory duties. However, the data are mainly used for border control.
Use of SIS II data
The Royal Netherlands Marechaussee uses personal data and police data only to perform its duties and will never sell, lease or use these data for commercial purposes. The Royal Netherlands Marechaussee does not share the data with third parties unless doing so is required or permitted by the relevant statutory provisions.
Retention of SIS II data
The Royal Netherlands Marechaussee has taken appropriate and organisational measures to protect personal data. It uses an integrated security system made up of physical, informational and personnel measures. The full set of security measures is set out in the Defence Security Policy. The Royal Netherlands Marechaussee itself is not a manager or central controller in relation to SIS II. The security of SIS II is therefore beyond our responsibility.
SIS II uses the retention periods prescribed by the regulations. If the underlying decision has been revoked, annulled, implemented or is otherwise no longer valid or necessary, the data must be deleted from SIS II. This is overseen by the parties that perform the central controller role.
If there are hits when SIS II is consulted, the data found may be entered into the Royal Netherlands Marechaussee’s own systems. The data are then given a longer retention period in accordance with the GDPR or Wpg. Retention in national files for a longer period is permitted on the basis of Article 49, paragraph 3 of Regulation (EU) 2018/1861, the provisions of which are also declared applicable in Article 19 of Regulation (EU) 2018/1860, and Article 57 of Regulation (EU) 2018/1862.
SIS II processors
The Royal Netherlands Marechaussee may process SIS II data in systems that are managed by other organisations. These organisations are then processors within the meaning of the GDPR or Wpg. Prior to processing, the organisations concerned must be screened in accordance with the Defence Security Policy. Processing agreements must also be concluded in advance so that these organisations comply with the terms of the Royal Netherlands Marechaussee in accordance with this privacy statement.
Your rights with respect to data in SIS II
If you would like to know whether an alert concerning you has been entered into SIS II or if you would like a correction to be made or an alert to be deleted from SIS II, you may submit a request concerning inspection, correction or deletion in any Schengen country. To do so, write an email message or letter to the national privacy supervisory authority or the national authority that is responsible for data in SIS II. In the Netherlands, this authority is the National Police.
Use the online form on the website of the police to submit a request. Alternatively, you can send a letter to:
Attn Privacy Officer
PO Box 100
3970 AC Driebergen
Include a copy of your passport so that your identity can be checked.
If you would like to know whether and how your SIS II data have been processed by the Royal Netherlands Marechaussee, see your rights and the relevant contact details below.
- The right of access/disclosure. You have the right to request access to or information about your data.
- The right to rectification. ou have the right to request the alteration of data that you believe to be inaccurate or incomplete.
- The right to erasure. You have the right to request the erasure of your data. This request will only be granted if the data have been obtained unlawfully or improperly or if the retention period has expired.
- The right to restriction of processing. You have the right to request that the processing of your data be restricted. This request will only be granted if the data have been obtained unlawfully or improperly.
- The right to object. You have the right to object to the processing of your data. This request will only be granted if the data have been obtained unlawfully or improperly.
- The right to portability. You have the right to ask the Royal Netherlands Marechaussee to provide your data to another organisation.
If you have any questions about this privacy statement or about the processing of your personal or police data, or if you wish to exercise the above-mentioned rights, please contact us through the website listed below or by post. The GDPR gives us a period of one month to respond. Under certain conditions, this period may be extended by two months. The Wpg provides for a period of six weeks. Under certain conditions, this period may be extended by four to six weeks.
Royal Netherlands Marechaussee
Legal Affairs Cluster
GDPR Coordinator or Wpg Privacy Officer
PO Box 90200
3509 BE Utrecht
Complaints to the supervisory authority
If you wish to file a complaint about the processing of your personal or police data, or if you believe that the Royal Netherlands Marechaussee has not handled a request concerning such processing properly, you can contact the Dutch Data Protection Authority.
Dutch Data Protection Authority
PO Box 93374
2509 AJ The Hague