In processing personal data in the Schengen Information System (SIS), the National Police violated the law on a number of points. First of all, the quality of the alerts in the SIS was not up to standard. As a result, incorrect or incomplete information about people was in the system. Also, alerts were sometimes kept too long. The violations came to light following a European investigation in which the Personal Data Authority (AP) participated.
Katja Mur, AP director: "SIS is a comprehensive system, in which a lot of information about people is stored. Often people themselves do not know that they are in SIS. So they will then not check whether that is justified and whether the information is correct. This places an extra heavy responsibility on the users of SIS. Because registration can have a big impact on people. For example, an unjustified refusal at the border or an unnecessary arrest."
Initially, the National Police did not take its own measures to address the violations in the SIS. The AP therefore informed the police that it wanted to impose an order under penalty. The AP ultimately did not have to do so because the police then ended the violations after all.
The AP conducted a coordinated inspection with the other European privacy regulators. In the Netherlands, the National Police was investigated because it is responsible for the quality and exchange of these data.
The AP concluded that the National Police violated the law in a number of ways.
The quality of the alerts was not up to par. In fact, the police did not sufficiently check whether alerts were submitted correctly and completely in the system. For example, the public prosecutor's written justification for including an alert was often missing. The AP also found that a person was registered in SIS for the wrong purpose. Furthermore, information on older alerts and their history was not retrievable.
The police did not sufficiently check whether it was necessary to keep alerts longer. Alerts on individuals may be kept for 1 year. And may be kept 1 year longer only after a thorough individual assessment. The National Police retained alerts longer without assessment.
In 2022, the National Police drew up a plan to improve the quality of the alerts and get the control of the alerts right. The police implemented these measures in 2023. The AP closely monitored and assessed this. The AP then concluded that the police have taken enough measures and that the violations have ended.
The AP closely monitors the proper recording, updating and deletion of personal data in large-scale European information systems. These systems are designed to monitor the external borders of the Schengen area and to support police and judicial authorities in carrying out their duties.
The monitoring of these systems is becoming increasingly important as new information systems are coming soon. Moreover, the new and existing systems are being linked together. This will allow even more and broader searches for people.
This aims to increase security, but at the same time it carries additional privacy risks. Being incorrectly, too long or illegally in such a system then has additional major consequences. The AP therefore continues to monitor whether agencies are working carefully with personal data in European information systems.
