
- ETIAS will process the personal information of millions of travellers each year.
- Data protection has been a key consideration during the development of ETIAS.
- Who has access to databases? How long is information stored?
In the digital age, concerns about data protection are widespread.
Companies and organisations constantly require information from their users. This leads to questions about how this data is stored and how it is kept safe.
When travellers apply for an ETIAS authorisation for Europe, their information will be protected.
The ETIAS data protection policy is in line with European law and the Charter of Fundamental Rights.
The ETIAS regulation explains how the EU data protection regulation will be met. This visa waiver will keep European residents and visitors safe without compromising privacy.
WHAT PERSONAL DATA WILL BE COLLECTED BY ETIAS?
ETIAS will be needed for short visa-free trips to Europe. Tourists and business travellers will provide personal information when they apply, including:
- Full name
- Place and date of birth
- Nationality
- Gender
- Occupation
- Contact details
- Country of residence
- Information about previous criminal offences
- Recent travel history
The EU rules for data protection therefore affect business travel and tourism in Europe.
WHY DOES ETIAS REQUIRE TRAVELLERS’ PERSONAL INFORMATION?
The EU requires this information for security reasons. Citizens of several countries do not need a visa to travel to Europe and are not currently subject to screening processes.
ETIAS will allow safer visa-free travel to Europe by collecting data and identifying possible security risks.
HOW ETIAS PROTECTS PERSONAL DATA
The agency which manages the large ETIAS IT system is eu-LISA. eu-LISA is responsible for most of the systems that screen ETIAS traveller data, including EURODAC, SIS, and VIS.
eu-LISA is responsible for ensuring that data is handled safely and adequately protected.
Information is collected by ETIAS to improve the security of EU citizens. Nevertheless, it is important that the fundamental rights of data subjects are upheld.
The ETIAS regulation explains how data will be handled and stored, as well as rights to compensation for unlawful processing, should it occur.
ETIAS AND THE SAFE PROCESSING OF PERSONAL DATA
The ETIAS Central Unit and National Units and eu-LISA are responsible for making sure that personal data is processed securely and in accordance with European law.
Article 59 of the ETIAS regulation addresses the security of data protection in 15 points, including:
- Physical protection of data
- Ensuring only authorised individuals have access to all elements
- Using encryption to prevent unauthorised reading, copying, modification or deletion of personal details
- Establishing what data has been processed, when and for what purpose
Encrypting data and limiting access to certain authorised bodies help prevent the misuse of personal information.
RIGHT TO COMPENSATION IF ETIAS DATA PROTECTION RULES ARE BROKEN
Article 63 of the ETIAS regulation addresses the liability of the data controller or processor.
It says that anyone who suffers damage as the result of unlawful data handling will be entitled to compensation.
Compensation will either come from the member state or from eu-LISA, depending on who was responsible.
HOW ETIAS DATA IS SHARED WITH THIRD COUNTRIES AND OTHER ORGANISATIONS
Article 65 of the ETIAS regulation addresses the sharing of data.
The article states that personal information stored in the ETIAS Central Unit will not be made available to any international organisation or private party except for Interpol, the International Criminal Police Organisation.
Interpol plays a key role in the pre-screening of travellers heading to Europe. Transferring data to Interpol is necessary to protect the public.
Article 65 of the regulation also explains the special circumstances in which immigration authorities may access information to be transferred to a third country.
Exceptions can be made in urgent cases, such as danger of terrorist activity or threat to life associated with a serious criminal offence.
ONLY AUTHORISED INDIVIDUALS CAN ACCESS ETIAS
Law enforcement authorities and Europol will be able to consult ETIAS data under strict conditions. They should only request access when it is needed to carry out their roles.
eu-LISA will be responsible for keeping logs of all ETIAS data processing operations, recording:
- The reason for accessing the data
- The date and time of the operation
- The staff member who carried out the operation
In addition, eu-LISA will keep records of those staff members authorised to enter and retrieve data. This will prevent unnecessary or unlawful accessing of information.
HOW LONG IS PERSONAL DATA STORED BY ETIAS?
Personal data will only be stored by ETIAS temporarily, either for:
- The validity period of the travel authorisation, if the application was approved
- 5 years from the last ETIAS refusal, revocation or annulment
Provided the applicant gives their consent, data can be kept for 3 years after the authorisation has expired. After this, the information will be automatically erased from the ETIAS Central System.
ETIAS AND THE CHARTER OF FUNDAMENTAL RIGHTS
The section on freedom in the Charter of Fundamental Rights is directly relevant to ETIAS.
Article 8 of the charter states that “everyone has the right to the protection of personal data concerning him or her”.
To comply with the charter, ETIAS travellers’ data must only be processed for specific, legitimate purposes and with consent. Everyone has the right to access the information collected about them.
The European Data Protection Supervisor (EDPS) is an independent authority that ensures ETIAS upholds human rights to privacy and data protection.
THE ETIAS FUNDAMENTAL RIGHTS GUIDANCE BOARD
To ensure that the ETIAS programme respects and safeguards fundamental rights, Frontex (the European Border and Coast Guard Agency) has established a Fundamental Rights Guidance Board.
The Guidance Board will perform regular evaluations of ETIAS and all the processes involved. It will then make any necessary recommendations to the ETIAS Screening Board.
In particular, the ETIAS Fundamental Rights Guidance Board will assess:
- Privacy
- Data protection
- Non-discrimination
The Board is made up of representatives of the following:
- The Frontex Fundamental Rights Officer
- The Consultative Forum on Fundamental Rights of Frontex
- The European Data Protection Supervisor
- The European Data Protection Board
- The European Union Agency for Fundamental Rights
Key figures on the Board include:
- Chairperson: Sebastian Hümmeler, the European Data Protection Board
- Deputy chairperson: Jonas Grimheden, Frontex’s Fundamental Rights Officer
ETIAS SMART BORDERS AND DATA PROTECTION
The Entry-Exit System (EES), also managed by eu-LISA, will soon be implemented at EU borders. The system registers the data of third-country nationals crossing external Schengen Area borders.
Europe’s EES records the biometric data of ETIAS travellers and those arriving with a visa. This information is considered sensitive, given that a person's facial measurements are unique and can alone be used to identify an individual.
EES has been reviewed and revised, based on recommendations from the European Data Protection Supervisor (EDPS) to ensure that it complies with EU personal data protection law.
Looking to the future, the increased use of artificial intelligence at EU border control will lead to further challenges regarding data protection.
The delicate nature of such data means that authorities, in particular the EDPS, must ensure the fundamental right to data protection is maintained.
Infrastructure and IT systems cannot be implemented until full compliance with EU data protection regulation is guaranteed.
DATA PROTECTION LAW IN EUROPE
Data security is one of the European Union’s highest priorities. Failure to handle information correctly has costly economic consequences.
Privacy and security law in the EU requires organisations in the Union and across the world to maintain high privacy standards.
ETIAS AND THE EU GENERAL DATA PROTECTION REGULATION
The EU's General Data Protection Regulation (GDPR) was implemented in 2018 to give individuals greater control over their personal information and how it is used.
The creation of GDPR simplified international business by establishing a unified regulation applicable across the EU.
GDPR ensures the proper handling of an individual’s details. To comply with the regulation, an organisation must inform users about:
- The extent of data collection
- How long it will be retained
- If it will be transferred to a third party
People have a right to view their personal data and see an overview of how it is processed. Under certain circumstances, they also have the right to erasure, meaning that they can request that their data be deleted.
As ETIAS will process the personal data of third-country nationals, it is subject to this regulation. The ETIAS system has been developed in line with GDPR.