Which data are collected by the EES?
You need to provide your personal data each time you reach the external borders of the European countries using the EES.
The EES collects, records and stores:
- data listed in your travel document(s) (e.g. full name, date of birth, etc.)
- date and place of each entry and exit
- facial image and fingerprints (called ‘biometric data’)
- whether you were refused entry.
On the basis of the collected biometric data, biometric templates will be created and stored in the shared Biometric Matching Service (see footnote).
If you hold a short-stay visa to enter the Schengen area, your fingerprints will already be stored in the Visa Information System (VIS) and will not be stored again in the EES.
Depending on your particular situation, the system also collects your personal information from:
- the Visa Information System (which contains additional personal information)
- the European Travel Information and Authorisation System (ETIAS), in particular the status of your ETIAS travel authorisation and, if applicable, whether you are a family member of an EU national.
All this is done in full compliance with data protection rules and rights.
Why is your data collected in the EES?
Your data is collected and processed in the EES to:
- reinforce the efficiency of external border management
- prevent irregular immigration
- facilitate the management of migration flows
- identify travellers who have no right to enter or who have exceeded their permitted stay
- identify travellers who are using fake identities or passports
- help prevent, detect and investigate terrorist offences and other serious crimes.
This is required in accordance with Regulation (EU) 2017/2226, specifically Articles 14, 16 to 19 and 23 of Chapter II and Chapter III.
How will you be informed about the processing of your personal data?
You will be provided with written information about the EES and your related rights when you cross the external borders of the European countries implementing the EES for a short stay (maximum of 90 days in any 180-day period).
Conditions for collecting and storing personal data in the EES are set out in Regulation (EU) 2017/2226 establishing the Entry/Exit System.
What happens if you refuse to have your fingerprints scanned or a photo of your face taken?
If you refuse to provide your biometric data, you will be denied entry into the territory of the European countries using the EES.
Who can access your personal data?
- Authorities in European countries using the EES such as border, visa and immigration authorities for the purpose of verifying your identity and understanding whether you should be allowed to enter or stay on the territory.
- Europol may also access your data for law enforcement purposes.
- Under strict conditions, your data may be transferred to another country (inside or outside the EU) or international organisation (listed in Annex I of Regulation (EU) 2017/2226 - a UN organisation, the International Organisation for Migration, or the International Committee of the Red Cross) for return (Article 41(1) and (2), and Article 42) and/or law enforcement purposes (Article 41(6)).
- Transport carriers will only be able to verify whether short-stay visa holders have already used the number of entries authorised by their visa and will not be able to access any further personal data.
How long does the EES keep your personal data?
Your data will only be kept in the system for the purposes for which it was collected and for the specific durations outlined in the table below.
| Type of data | Retention period |
|---|---|
| Records of entries, exits and refusals of entry | 3 years, starting on the date on which they were created |
| Individual files containing personal data | 3 years and 1 day, starting on the date of your last exit or of your refusal of entry (if you were not permitted to enter) |
| If no exit has been recorded | 5 years, starting on the expiry date of your authorised stay |
| Records of entries and exits for non-EU nationals who: Please check the FAQs section for practical examples. | 1 year, starting on the date of creation of the exit record |
| If no exit has been recorded and you: | Your data will not be kept. There is no calculation of the length of your authorised stay. |

After each time period expires, your data is automatically erased.
How is your data in the EES protected?
The data stored in the EES is protected against abuse and access to it is restricted to specific staff within national authorities.
Your data cannot be transferred to third parties - whether public or private entities - except in certain cases. See Who can access your personal data.
All data processing is performed by the European countries using the EES.
The EU Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security, and Justice (eu-LISA) will ensure that the EES is operated in accordance with the applicable legislation.
Strong safeguards are in place for the effective protection of your personal data rights:
- as a non-EU national to whom the EES applies, you have the right to request access to your data, or to request the rectification, completion or deletion of data relating to you in the EES;
- the EES is supervised by both the European Data Protection Supervisor and independent national supervisory authorities in every participating country;
- the EES has been developed in accordance with the principles of data protection by design and by default;
- full compliance with fundamental rights and data protection rules requires technology and information systems to be well designed and correctly used.
How to check your remaining days in the European countries using the EES and what happens if you overstay?
You have the right to receive information from passport control officers on the maximum remaining duration of your authorised stay. You can also check this using the online tool or the equipment installed at some border crossing points.
If you stay longer than permitted, you will be identified as an ‘overstayer’ and your data will automatically be added to a list. Authorities such as passport control officers, immigration officers and staff issuing visas have access to this list.
If you are added to the list of overstayers, other consequences can apply depending on national legislation in place in the respective European country using the EES (e.g. you may be removed from the territory; you may be subject to administrative fines or detention; you may be prevented from re-entering the EU in the future).
If, as an overstayer, you provide credible evidence to the competent authorities, such as border authorities or immigration authorities, that you exceeded the authorised duration due to unforeseeable or mitigating circumstances (e.g. hospitalisation due to a serious injury), your data can be amended in the system and you can be removed from the list.
The calculation of the duration of the authorised stay and the generation of alerts to European countries using the EES when the authorised stay has expired do not apply to non-EU nationals who are family members of EU, EEA or Swiss nationals who travel to a state other than the state of their nationality, or already reside there, and are accompanying or joining the EU, EEA or Swiss national.
What rights do you have as regards your personal data?
You have the right to:
- Request from the controller access to data relating to you
- Request that inaccurate or incomplete data is corrected
- Request that unlawfully processed personal data that concerns you is erased and/or request that specific data is not processed
To exercise any of these rights, you must contact a data controller (e.g. the entity responsible for processing your data) or data protection officer in any of the European countries using the EES, preferably the ones to which you travelled.
You can find the relevant contact details for the European countries using the EES.
How can you make a complaint about your data?
Lodging a complaint means that you submit a formal request for a new assessment of your data protection rights, for instance, if your query to the data controller to access, delete or amend your data is refused.
You can lodge a complaint with:
- the supervisory authority of the European country using the EES in charge of processing your data (e.g. if you believe that the country has recorded your data incorrectly)
- the European Data Protection Supervisor for matters related to data processing by European Agencies, for example:
- Frontex: the European Border and Coast Guard Agency hosting the central unit operating the European Travel Information and Authorisation System (ETIAS) relevant for the visa-exempt non-EU nationals
- EU Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA): the European Union’s Agency that, through technology, supports EU countries’ efforts for a safer Europe
- Europol: the European Union’s Law Enforcement Agency aiming to achieve a safer Europe for the benefit of all citizens.
Footnote: The shared Biometric Matching Service (sBMS) will store biometric templates (which are a mathematical representation of the biometric data stored in the Visa Information System, the EES and other EU information systems) enabling searches with biometric data. The EES will use the sBMS for its interoperability with the VIS.