Data Subject Rights

​What are the data subjects' rights?

By making a written request to the eu-LISA Data Protection Officer (DPO), data subjects (individuals whose data is being processed) have the right to:

  • be informed about the collection and use of their personal data;

  • the information received must be clear, concise and transparent and provided in an easily accessible format;

  • access the data processed, collected and used concerning themselves;

  • rectify the information in case of inaccuracy and incompleteness;

  • erase unlawful data collected;

  • restrict the processing of personal data;

  • data portability;

  • object to the processing of your personal data and/or the conduction of profiling activities;

  • not be subject to a decision based solely on automated processing, including profiling.

The Regulation (EU) 2018/1725 grants data subjects with rights aiming at insuring their rights to privacy and data protection.

When eu-LISA processes personal data, data subjects have the right to be informed of the processing. The data controller must provide the following information, before the time of collection:

  • the identity of the controller;

  • the purpose of the processing;

  • the legal grounds of the processing operation;

  • the time of data retention;

  • the recipients of the data;

  • the rights of the data subjects and how they can be exercised.

In exceptional circumstances, eu-LISA may restrict one or several of these rights for a temporary period of time by virtue of Article 25 of Regulation (EU) 2018/1725 and of its Internal Rules laid down under Decision No 2021-096 of the Management Board inter alia on the grounds of prevention, investigation, detection and prosecution of criminal offences. Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable.

How can data subjects exercise these rights or make a complaint?

If data subjects want to exercise their rights or if they have any questions related to the processing of their personal data by eu-LISA, they can address a question directly to eu-LISA using the contact form.

If data subjects consider that their rights have been infringed by eu-LISA when it processes data relating to them, they can lodge a complaint to eu-LISA's DPO or directly to the European Data Protection Supervisor (EDPS).

How can a complaint be submitted to eu-LISA's DPO?

A complaint can be lodged to eu-LISA's DPO using the complaint submission form. This form can be completed electronically. All relevant information needs to be included in the complaint form. To avoid unnecessary delay, any evidence supporting the allegations needs to be attached (email exchanges, letters, screenshots, etc.).

Before lodging a complaint, please be aware of the following:

  • The privacy statement covering the complaint procedure;

  • The processing of personal data carried out by national authorities or private entities falls outside the competence of eu-LISA's DPO and that of the EDPS. eu-LISA's DPO is only competent to deal with complaints against eu-LISA;

  • Complaints can only relate to the processing of personal data and the violation of rights related to the protection of personal data;

  • Complainants are recommended to contact the EDPS only after having first contacted the data controller and/or eu-LISA's DPO. However, data subjects can directly lodge a complaint to the EDPS, if this is deemed necessary;

  • Any complaint related to Eurodac, SIS or VIS should be treated by the competent National Supervision Authorities. In this regard, please refer to the complaint procedure.

Personal data will only be used and stored to the extent necessary to reply to the query. eu-LISA's DPO will make his or her best efforts to provide an answer within a reasonable time, within a period that will not exceed 3 months.

If the data subject is not satisfied with the reply of eu-LISA's DPO, he or she has the right of recourse at any time to the EDPS. The EDPS is an independent supervisory authority established in accordance with Regulation (EU) 2018/1725, responsible for ensuring that the fundamental rights and freedoms of natural persons, in particular the rights to privacy and data protection, are respected by the European Union institutions and bodies. Therefore, if data subjects consider that their personal data has been misused by eu-LISA, they can launch a complaint to the EDPS. The EDPS, after assessing the admissibility, will carry out an inquiry and take appropriate measures to solve it. For more information regarding the EDPS, please refer to the EDPS website.

Exercise your rights or lodge a complaint related to the Eurodac, SIS or VIS systems

eu-LISA is the European Union Agency that provides technical and operational expertise in order to manage Eurodac, the Schengen Information System (SIS) and the Visa Information System (VIS) amongst others. However, eu-LISA does not access the information in Eurodac records, SIS records or VISA applications.

National authorities of the Member States and Associated Countries directly manage the information for which they are responsible.

For this reason, if the data subject wants to exercise his/her rights (information, access, rectification, blocking, erasure, and/or objection) regarding one of the large-scale IT systems, the complaint or the request should be addressed to the national data protection authority of the involved Member State or supervisor authorities.

The European Union has set up the Supervision Coordination Groups (SCG) of Eurodac, SIS and VIS. In order to ensure a high and consistent level of protection, the supervision of these three large-scale IT systems is shared between the national Data Protection Authorities ('DPAs') and the EDPS. For these three large-scale IT systems, eu-LISA’s task is to provide information on their current operational status, namely how the systems perform, what are the incidents encountered and how the quality of the data is.

Following the legal requirement of Article 4(3) of the Implementing Rules on data protection, the eu-LISA Data Protection Officer represents eu-LISA at the meetings, answering questions concerning data protection issues. More information can be found at the following links:

A guide on exercising rights of information and access to SIS:


For further information, please contact:

eu-LISA DATA PROTECTION OFFICER

EUROPEAN DATA PROTECTION SUPERVISOR (EDPS)

Vesilennuki 5
10415 Tallinn, Estonia
dpo@eulisa.europa.eu

Wojciech Wiewiórowski
European Data Protection Supervisor

Postal address:

Rue Wiertz, 60
B-1047 Brussels, Belgium
Tel: (+32) 2 283 1900
Fax: (+32) 2 283 1950
e-mail: edps@edps.europa.eu
website: https://www.edps.europa.eu/