pulizija.gov.mt

Data Protection

We are deeply committed to upholding the highest standards of data protection and privacy. We recognize the critical importance of safeguarding the personal information of the individuals we interact with, as well as the sensitive data that is essential to our operations. Our data protection policies, detailed on this page, provide transparency about the safeguards in place and outline your rights. Here, you can also learn about the systems we employ to protect your information.

What Are Your Rights In Relation To Your Personal Data Processed By The Malta Police Force?

Personal data processed by the Malta Police Force is regulated by the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (Subsidiary Legislation 586.08) and the GDPR1 when the processing is conducted for other purposes.

However, there are instances when such processing is regulated by specific legislative instruments of the European Union.

In any case, any person has the right to:

  • request access to personal data relating to them being processed by the Malta Police Force;
  • request the correction of factually inaccurate personal data relating to them or the deletion of their personal data in the case of unlawfully stored information;
  • the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) or to request verification of lawfulness of the processing.

How To Exercise Your Rights?

In Malta, any individual has the right to request access, correction or deletion of their personal data by contacting directly the data controller which in this case is the Commissioner of Police, via the Data Protection Officer, or indirectly via the Office of the IDPC as explained below.

Such rights may be exercised directly by submitting a formal request to the Data Protection Officer, on any of the following:

  • Address: The Data Protection Officer, Legal & Data Protection Unit, Police General Headquarters, St. Calcedonius Square, Floriana, FRN 1530, Malta
  • Email: dpu.police@gov.mt

Requests submitted by electronic means will be replied through the same means. Due to potential risks of submitting copies of personal documents and other sensitive information via open internet, it is advisable that the security of such electronic means is ensured before submitting the request.

Applicants should provide the following identification details in order to facilitate the responsible authority in dealing with the request:

  1. Name and surname of applicant;
  2. ID Card or Passport Number;
  3. What particular information they would like to see;
  4. A copy of the ID Card or Passport is also to be submitted for identification verification purposes.

In accordance with Maltese law, the request must be submitted in writing and signed by the data subject. The request must be made in Maltese or English.

In order to facilitate the exercise of your rights, the Malta Police Force has prepared a generic access request letter. It is imperative that when using this letter, one indicates clearly the type of personal data which he is requesting to access, rectify or delete.

Are there any limitations to your right?

The right of the data subject may be delayed, restricted or omitted, for as long as this constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned in terms of the law.

Such measures may be imposed in order to:

  1. Avoid obstructing official or legal inquiries, investigations or procedures.
  2. Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
  3. Protect public security.
  4. Protect national security.
  5. Protect the rights and freedoms of others.

In the eventuality of a restriction or refusal, the individual is informed in writing of the decision, including reasons for the decision, unless such communication would have a bearing on the work of competent authorities or on the rights and freedoms of other individuals.

Right To Lodge A Complaint

Any person not satisfied with a reply to his request as outlined above may file a complaint with the office of the IDPC or request that the IDPC verifies that his/her data protection rights are being respected and that his/her personal data are processed according to law.

The Information and Data Protection Commissioner

The Information and Data Protection Commissioner (IDPC) is the national supervisory authority in Malta responsible to conduct independent supervision, monitoring and enforcement of data protection legislation.

To that end, the IDPC is empowered to have access and inspect all the personal data and filing systems in Malta.

The Office of the IDPC may be reached on the following contact details:


1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

The use of Body Worn Cameras (BWCs) is an effective tool in the fight against crime. It also demonstrates the commitment of Law Enforcement Authorities to transparency, ensure accountability of its members, increase public trust in users, and protect its members from unjustified complaints of misconduct.
 
 
The Malta Police Force, following on the footsteps of other Law Enforcement Authorities in other countries, including EU Member States, has introduced the use of BWCs by all operational Police Officers. In line with the Standard Operating Procedures, whenever officers know or have a reasonable expectation that they will be interacting with the public in the discharge of their duties related to law enforcement, particularly in relation to the prevention, investigation and detection of criminal offences, the BWCs will be activated. Once activated, the BWCs will light a Green LED so that the public will be aware that the camera is in operation. All captured data will be then stored in a secure manner on a server and managed by a dedicated office under strict conditions and subject to adequate safeguards.
 
 
Legal Basis
 
The processing of personal data captured via BWCs is based on various legal provisions:
 
  • It is the duty of the Police to preserve public order and peace, to prevent and to detect and investigate offences, to collect evidence, whether against or in favour of the person suspected of having committed the offence, and to bring the offenders, whether principals or accomplices, before the judicial authorities in terms of Article 346(1) of the Criminal Code (Chapter 9 of the Laws of Malta).
  • This duty is reinforced and complemented by Article 4(a) of the Police Act (Chapter 164 of the Laws of Malta), which lists as one of the main objectives of the Police Force to preserve public order and peace, to prevent the commission of offences, to promote the observance of the laws, as a first guarantee of the rights of all persons in Malta, even before action is needed through the judicial system to repress, sanction or remedy any breach.
  • Article 62(1) of the Police Act specifically empowers the Police to hold, process and classify any information relevant to the commission of any crime in or outside Malta which information may be preserved by any system whatsoever, including electronic format.
  • Moreover, the Malta Police Force, may collect personal data by technical surveillance or other automated means for the prevention, investigation, detection and prosecution of criminal offices in terms of Regulation 8(3) of S.L. 586.08.
 
Personal Data Captured By BWCs
 
The categories of personal data captured by BWCs is limited to audio-visual footages and GPS coordinates. Under certain instances, such data may also include special categories data (particularly data concerning health), such as for example when the individuals concerned, on scene of an incident, are suffering from physical injuries.
 
 
Disclosure Of Data Captured By BWCs
 
Data captured by BWCs will be solely used for criminal investigation purposes by the Malta Police Force and may be made available to other competent authorities such as the Attorney General and the Judicial authorities in accordance with the law. In some instances, such data may also be used for internal monitoring and investigation purposes.
 
There may be instances where such data will be made available to foreign Law Enforcement Authorities, particularly Law Enforcement Authorities in other Member States, in pursue of a legal obligation or a bilateral agreement within the context of Police Cooperation.
 
 
Retention Period
 
All data collected from BWCs are kept for period of ninety (90) days in accordance with the Data Retention Schedule, as approved by the Information and Data Protection Commissioner. All data will be automatically deleted upon the expiration of such period in a secure way.
 
 

What Are Your Rights In Relation To Your Personal Data Captured By BWCs?

The processing of personal data collected via BWCs is regulated by the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (Subsidiary Legislation 586.08).
 
Any person has the right to:
 
  • request access to personal data relating to them processed;
  • request the correction of factually inaccurate personal data relating to them or the;
  • deletion of their personal data in the case of unlawfully processed information;
  • request restriction of processing of their personal data according to law;
  • the right to lodge a complaint with the Information and Data Protection Commissioner.
 
How To Exercise Your Rights?
 
In Malta, any individual has the right to request access, correction or deletion of their personal data by contacting directly the data controller which in this case is the Malta Police Force, via the Data Protection Officer.
 
Such rights are exercisable by submitting a formal request, preferably by using the following form, to the In-Field Tech Unit, on any of the following:
 
  • Address: Att. In-Field Tech Office, The Data Protection Officer, Legal & Data Protection Unit, Police General Headquarters, St. Calcedonius Square, Floriana, FRN 1530, Malta
  • Email: infield.police@gov.mt​
  • Telephone: +35621224001
 
The right of the data subject may be delayed, restricted or omitted, for as long as this constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned in terms of the applicable law. In the eventuality of a restriction or refusal, the individual is to be informed in writing of the decision, including reasons for the decision, unless such communication could have a bearing on the work of the national competent authorities or on the rights and freedoms of other individuals.
 
Moreover, such rights may not be exercised in accordance with the procedure laid down above, where the personal data collected via BWCs is requested by investigating officers for investigation purposes. In such cases, the rules applicable to criminal procedure shall apply.​

EURODAC is a European Union (EU) fingerprint database established in 2013, for the purposes of identifying asylum seekers and irregular border-crossers. It facilitates the judicious and transparent receipt and processing of asylum applications from those who may need the protection afforded by Europe. It helps Member States to determine responsibility for examining an asylum application by comparing fingerprint datasets.

The system is mainly comprised of a Central System, which contains the database, and a communication infrastructure between the Central System and Member States that provides a dedicated encrypted virtual network.

The EURODAC System is mainly used with regards to three different categories of persons:

  1. Category 1: asylum seekers;
  2. Category 2: persons apprehended in connection with the irregular crossing of an external border irregularly and were not turned back; and
  3. Category 3: persons found illegally present in a Member State.

All 27 Member States and Iceland, Norway, Liechtenstein and Switzerland have access to EURODAC. In Malta, the authority designated to have access to data recorded in the Central System is the Eurodac Office within the Malta Police Force.

 

Legal Basis

The processing of personal data in the EURODAC System is based on:

Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (‘EURODAC Regulation’).

 

Personal Data Processed In The EURODAC System

Category 1

The data collected on asylum seekers (over 14 years old) are:

  • fingerprint data
  • Member State of origin, place and date of the application for international protection
  • sex
  • reference number used by the Member State of origin
  • date on which the fingerprints were taken
  • date on which the data were transmitted to the central system
  • operator user ID

Category 2

Data collected on persons apprehended in connection with the irregular crossing of an external border (over 14 years old) are:

  • fingerprint data
  • Member State of origin, place and date of the apprehension
  • sex
  • reference number used by the Member State of origin
  • date on which the fingerprints were taken
  • date on which the data were transmitted to the central system
  • operator user ID

Data can only be recorded and processed in the system if the data subject is over 14 years old and they were not turned back.

Category 3

Data processed on persons found illegally staying in a Member State (over 14 years old) are:

  • fingerprint data
  • reference number used by the Member State of origin

In this case, the transmission takes place only to check whether the person concerned has previously lodged an application for asylum in another Member State(s), and if so, when. These data are not stored in the system.

 

Use Of Data Stored In the EURODAC System

EURODAC data is used for the purpose of facilitating the effective application of the Dublin Regulation1. The latter establishes the Member State responsible for the examination of the asylum application. The criteria for establishing responsibility run, in hierarchical order, from family considerations, to recent possession of visa or residence permit in a Member State, to whether the applicant has entered EU irregularly, or regularly.

However, the EURODAC Regulation also allows Member States’ law enforcement authorities and Europol to compare fingerprints where such comparison is necessary for the purpose of the prevention, detection or investigation of terrorist offences or of other serious criminal offences.

The EURODAC Regulation allows such checks under strictly controlled circumstances and subject to specific safeguards, in particular, by including a requirement to check all available fingerprint databases first and limiting searches only to the crimes punishable by imprisonment for a maximum period of at least three years.

Such checks may only take place if approved the Data Protection Officer following an independent assessment and verification process of a request in accordance with Article 19 of the EURODAC Regulation. Such process ensures that the requirements set out by the law are complied with.

 

Retention Period

The personal data stored in the EURODAC database is only for Category 1 and Category 2. No data is stored when a check with regards to Category 3 is performed.

Category 1

These data are stored in the system for ten (10) years, and then they are automatically erased. If an asylum seeker acquires the citizenship of any Member State the data shall be erased immediately.

If a Member State grants international protection (refugee status or subsidiary protection) to an asylum seeker, their data shall be marked in the central database based on the Member States’ instructions.

Category 2

These data are stored in the system for eighteen (18) months, unless the data subject has acquired the citizenship of any Member State, has been issued with a residence document by a Member State or has left the territory of the Member States. In these cases, data shall be erased from the system as soon as possible.

 

What Are Your Rights In Relation To Your Personal Data Processed In The EURODAC System?

Personal data processed in the EURODAC System is regulated by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Any person has the right to:

  • request access to personal data relating to them stored in the EURODAC System;
  • request the correction of factually inaccurate personal data relating to them or the deletion of their personal data in the case of unlawfully stored information;
  • request restriction of processing of their personal data according to law;
  • the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) or to request verification of lawfulness of the processing.

In order to facilitate the exercise of your rights and to be able to handle the request more efficiently, you are solicited to use the following model letter.

Also note that since only fingerprint data are processed on the Eurodac System, you will be required to physically attend at the Eurodac Office in order for your fingerprints to be scanned and compared with the Eurodac System Database. Your fingerprint data will not be stored.

1 Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person.

What Are Hand-Held Speed Cameras (HSC)s?
 
Hand-Held Speed Cameras (HSCs) are gun-shaped technology devices that assist the operator to accurately determine the speed by which an object is moving. The Police make use of such devices in order to ensure that any proceedings instituted against an offender are based on reliable and accurate evidence.
 
 
When And Why Are Such Devices Ised?
 
The Police use such devices in cases where reasonable suspicion exists that a vehicle is driving with a speed beyond the set limit. This allows the Police to capture and preserve evidence that an offence has been committed.
 
 
How Are They Operated?
 
When, having regard to the circumstances, it appears to a Police Officer that a motor vehicle is moving with a speed beyond that established by law, the officer operating a HCSs pulls the trigger of the HSC to activate the device. A signal is emitted in the form of a straight laser beam. The officer points the device towards the fast-moving motor vehicle. If the signal hits a motor vehicle that is moving with a speed in excess to the set limit, the capturing function of the device is activated, and it starts capturing a series of frames and the relative speed. It is only if the vehicle is exceeding the set speed limit that it activates. Hence, no information is captured if the vehicle is not exceeding the set limit.
 
 
What Happens Next?
 
Once the reasonable suspicion of the Police has been verified, and therefore the Police has confirmation that an offence has been committed, the Police initiate proceedings against the offender. The owner of the vehicle is notified of the contravention according to law, and captured pertinent information is uploaded on the Law Enforcement System which is accessible by the offender over the web (les.gov.mt). In cases where the incident involves a more serious offence, proceedings are taken according to law in the circumstances.
 
 
Is The Use Of HSCs Regulated Ny Law?
 
The use of HSCs is based on Regulation 127 of the Motor Vehicles Regulations (S.L. 65.11 of the Laws of Malta) which establishes the framework for the different types of speed monitoring devices that may be employed. The HSCs used by the Police have been prescribed by the Minister responsible for Transport as indicated in the Government Gazettes No. 20,443 and No. 20,440 of 14 and 17 July 2020 respectively. They are calibrated biannually in accordance with the provisions of the Measurements Subject to Metrological Control Regulations (S.L. 454.17 of the Laws of Malta).
 
Legal Basis
 
The processing of personal data captured via HSCs is based on various legal provisions:
 
  • It is the duty of the Police to preserve public order and peace, to prevent and to detect and investigate offences, to collect evidence, whether against or in favour of the person suspected of having committed the offence, and to bring the offenders, whether principals or accomplices, before the judicial authorities in terms of Article 346(1) of the Criminal Code (Chapter 9 of the Laws of Malta).
  • Article 62(1) of the Police Act specifically empowers the Police to hold, process and classify any information relevant to the commission of any crime in or outside Malta which information may be preserved by any system whatsoever, including electronic format.
  • Regulation 127 of the Motor Vehicles Regulations (S.L. 65.11 of the Laws of Malta) sets the speed limit for motor vehicles and provides for the use of HSCs.
  • Moreover, the Malta Police Force, may collect personal data by technical surveillance or other automated means for the prevention, investigation, detection and prosecution of criminal offices in terms of Regulation 8(3) of S.L. 586.08.
 
Personal Data Captured By HSCs
 
The categories of personal data captured by HSCs is limited to images of the motor vehicle, which includes its registration plate, speed, location and time.
 
 
Disclosure Of Data Captured By HSCs
 
Data captured by HSCs will be used as for the issuing of traffic contraventions that are tried in the Local Tribunals. To that purpose, pertinent information is uploaded on the Law Enforcement System that is accessible by the offender over the web. In those cases that involve other more serious offences, the data is used as evidence before the Court before which proceedings are taken.
 
There may be instances where such data will be made available to foreign Law Enforcement Authorities, particularly Law Enforcement Authorities in other Member States, in pursue of a legal obligation or a bilateral agreement within the context of Police Cooperation.
 
 
Retention Period
 
Data collected from HSCs are generally kept for 2 years from the determination of the case. This is subject to longer periods, as established in the Data Retention Schedule, should the case involve more serious offences. Data will be disposed of accordingly once the relevant retention period expires.
 
 
What Are Your Rights In Relation To Your Personal Data Captured By HSCs?
 
The processing of personal data collected via HSCs is regulated by the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (S.L. 586.08).
 
Any person has the right to:
 
  • request access to personal data relating to them processed by HSCs;
  • request the correction of factually inaccurate personal data relating to them or the;
  • deletion of their personal data in the case of unlawfully processed information;
  • request restriction of processing of their personal data according to law;
  • the right to lodge a complaint with the Information and Data Protection Commissioner.
 
The PNR/API System is an integrated system that processes:
 
  • information provided by passengers and collected by airlines, in the normal course of their business, for enabling reservations and carrying out the check-in process, known as Passenger Name Record (PNR), and
  •  Advanced Passenger Information (API) data, which is sent by air carriers upon departure, operating inbound Extra-Schengen flights to Malta.
 
The Passenger Information Unit (PIU) within the Malta Police Force, under the Organized Crime wing, is responsible for operating the PNR/API System. It is mainly responsible to:
 
  1. Collect the API and PNR data from air carriers;
  2. Carry out an assessment of passengers prior to their scheduled arrival in or departure from Malta, by comparing API and PNR data against relevant databases, such as the Schengen Information System (SIS) and the National Stop List (NSL), and process them against pre-determined criteria, in order to identify persons that may be involved in a terrorist offence or serious crime1, or that are hindered from entering the Schengen Area;
  3.  Inform and disseminate PNR and API data to the competent national authorities, Europol and PIUs of other Member States, as the case may be, either spontaneously or in response to duly reasoned requests.
The received data is compared against a watchlist implemented within the system with details of persons suspected of being involved in a terrorist offence or serious crime that has been provided by the competent authorities.
 
Risk based profiles have also been introduced, whereby upon matching with several selected criteria, passengers are automatically flagged.
 
Legal Basis
 
The processing of PNR data and API is conducted under an obligation imposed by different legislative instruments of the European Union. The relative two legal instruments are:
 
  • The Passenger Name Record (PNR) Data Act (Chapter 584 of the Laws of Malta), which implements Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime;
  • The Communication of Passenger Data by Air or Sea Carriers Order (Subsidiary Legislation 460.18), which implements Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data.
 
Personal Data Processed In The API System
 
API data is collected by air carriers operating a flight to Malta from a third country and is transmitted electronically to the PNR/API System by the time of the closure of check-in in terms of Regulation 3 of Subsidiary Legislation 480.18.
 
Such data consists of:
 
  1. the number and type of travel document used;
  2. nationality;
  3. full names;
  4. the date of birth;
  5. the border crossing point of entry into the territory of Malta;
  6. code of transport;
  7. departure and arrival time of the transportation;
  8. total number of passengers carried on that transport; initial point of embarkation.
 
Personal Data Processed In The PNR System
 
PNR data is more informative in comparison to API and is considered to be an investigative tool, whereas same is received from air carriers operating both Intra and Extra-Schengen and inbound and outbound flights. Same is automatically sent by air carriers upon two push methods:
 
  • 24 hours prior departure
  • Upon departure
 
Such data consists of:
 
  1. PNR record locator
  2. Date of reservation/issue of ticket
  3. Date(s) of intended travel
  4. Name(s)
  5. Address and contact information (telephone number, e-mail address)
  6. All forms of payment information, including billing address
  7. Complete travel itinerary for specific PNR
  8. Frequent flyer information
  9. Travel agency/travel agent
  10. Travel status of passenger, including confirmations, check-in status, no-show or go-show information
  11. Split/divided PNR information
  12. General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent)
  13. Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, automated ticket fare quote fields
  14. Seat number and other seat information
  15. Code share information
  16. All baggage information
  17. Number and other names of travellers on the PNR
  18. Any Advance Passenger Information (API) data collected (including the type, number, country of issuance and expiry date of any identity document, nationality, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time and arrival time)
  19. All historical changes to the PNR listed in numbers 1 to 18.
 
Disclosure Of API And PNR Data
 
API and PNR data may be requested by the following competent authorities for the prevention, investigation and prosecution of serious crimes:
 
  • Malta Police Force
  • Principal Immigration Officer
  • Malta Security Services
  • Financial Investigation and Analysis Unit
  • Customs Department
  • Judicial authorities
  • Europol
  • PIUs in other Member States
  • Competent authorities in Third countries
 
Retention Period
 
In terms of Article 13 of the Passenger Name Record (PNR) Data Act, all data in the PNR/API System are kept for period of five years. However, after six months from collection, all data are depersonalised by masking, and disclosure of such data to the competent authorities takes place only upon the approval of a judicial authority or of the Information and Data Protection Commissioner.
 
What Are Your Rights In Relation To Your Personal Data Processed In The PNR/API System?
 
Personal data processed within the context of the PNR and API framework is regulated by the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (Subsidiary Legislation 586.08) and the GDPR2 when the processing is conducted for other purposes.
 
Any person has the right to:
 
  • request access to personal data relating to them stored in the PNR/API System;
  • request the correction of factually inaccurate personal data relating to them or the deletion of their personal data in the case of unlawfully stored information;
  • request restriction of processing of their personal data according to law;
  • the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) or to request verification of lawfulness of the processing.
 
In order to facilitate the exercise of your rights and to be able to handle request more efficiently, you are solicited to use the following model letters.
 
1 The categories of serious crimes in relation of which PNR data may be disclosed is listed under Schedule C to  CAP.584, where such crimes are punished by a custodial sentence or a detention order for a maximum period of at least three years.
 
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
The SIS is the most widely used and largest information sharing system for security and border management in Europe that allows the competent authorities of participating Member States to enter and consult alerts on persons or objects.
 
In March 2023 a new legal framework came into force. The SIS is composed of a central system (“Central SIS II”), a national system (the “N.SIS II”) in each Member State (the national data systems that will communicate data with the Central SIS II), and a communication infrastructure between the central system and the national systems providing an encrypted virtual network dedicated to SIS II data and the exchange of data, including supplementary information between the authorities responsible for similar data exchanges (SIRENE Bureaux).
 
The system establishes communication amongst most EU member states and the Schengen associated countries and provides end-users with access to real time information. It is a vital factor in the smooth running of the Schengen area. It contributes to the implementation of the provisions on returns, border control, the free movement of persons and to police and judicial cooperation in criminal matters.
 
Legal Basis
 
The system assists the competent authorities in Europe to preserve internal security in the absence of internal border checks. The scope of SIS is defined in three legal instruments:
 
  • Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals
  • Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006
  • Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU
 
Personal Data Processed In The SIS
 
Pursuant to the provisions of the SIS legal framework, information in the form of alerts concerning persons, objects, vehicles and documents is processed. When the alert concerns a person, the information includes:
 
  • Identification data: Data required to identify the person sought and other information relevant for the end user carrying out a search. The alert may also include data on misused identity victims (where applicable).
  • Identification documents: Data describing the identification document of the person who is the subject of the alert – a copy of the document can be attached.
  • Alert reason: A ‘reason for the alert’, describing, in a structured way, why the person is sought.
  • Required action: An ‘action to be taken’, describing, in a structured way, what the officer must do when the person is found.
  • Case information: Information about the case e.g., authority authorising the entry of the alert, the case reference number etc.  The copy of the European Arrest Warrant (EAW) of a person wanted for arrest is also attached to alerts for arrest for surrender.
  • Information on objects related to persons: Data on objects entered in SIS to locate a person who is the subject of an alert, for example the vehicle used by the person sought.
  • Photographs: Photographs of the person who is the subject of the alert.
  • Fingerprints and palm prints: Dactyloscopic data (fingerprints and/or palm prints) for the person who is the subject of the alert.
  • Fingermarks and palmmarks: Dactyloscopic data (fingermarks and/or palmmarks) discovered at crime scenes.
  • DNA profile: DNA profile of the person who is the subject of the alert or family members (only in case of missing persons who need to be placed under protection).
 
The SIS legal framework lays down the reasons where an alert containing personal data may be issued on the system, with respect to different categories of persons. 
 
Such are retained until the purpose for which they were issued is fulfilled. Nevertheless, Member States are obliged to review the need to keep an alert periodically.
 

What Are Your Rights In Relation To Your Personal Data Processed In The SIS?

The SIS legal framework lays down the rights of persons in relation to the personal data processed in the system and which could be exercised in accordance with the national law of the respective country. In Malta, the applicable laws are the Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties).
 
​Regulations (Subsidiary Legislation 586.08) and the GDPR when the processing is conducted for other purposes.
 
 
Any person has the right to:
 
  • request access to personal data relating to them entered in the SIS;
  • request the correction of factually inaccurate personal data relating to them or the deletion of their personal data in the case of unlawfully stored information;
  • the right to lodge a complaint with the Information and Data Protection; Commissioner (IDPC) or to request verification of lawfulness of the processing.
 
In order to facilitate the exercise of your rights and to be able to handle request more efficiently, you are solicited to use the following model letters.