Some personal and biometric data are collected by the new Schengen Entry/Exit System (EES). Are they protected, and who can access them? How long does the EES retain this data?
EES and personal information: Which data are collected by the EES?
The EES collects, records and stores:
- data listed in your travel document(s) (e.g. full name, date of birth, etc.)
- the date and place of each entry and exit
- a facial image and fingerprints (referred to as ‘biometric data’)
- whether you were refused entry
On the basis of the collected biometric data, biometric templates are created and stored in the shared Biometric Matching Service (see footnote).
Who can access your personal data?
- Border, visa and immigration authorities in the European countries using the EES, for the purpose of verifying your identity and determining whether you should be allowed to enter or stay in the territory.
- Law enforcement authorities of the countries using the EES, as well as Europol, for law enforcement purposes.
- Under strict conditions, your data may be transferred to another country (inside or outside the EU) or to an international organisation (listed in Annex I of Regulation (EU) 2017/2226, i.e. a UN organisation, the International Organization for Migration, or the International Committee of the Red Cross) for return purposes (Article 41(1) and (2), and Article 42) and/or law enforcement purposes (Article 41(6)).
Transfer of data to a designated authority of a third country
As per Article 41(6) of Regulation (EU) 2017/2226, data may be transferred by the designated authority to a third country in individual cases only where all of the following conditions are met:
(a) there is an exceptional case of urgency where there is:
(i) an imminent danger associated with a terrorist offence; or
(ii) an imminent danger to the life of a person, associated with a serious criminal offence;
(b) the transfer of data is necessary for the prevention, detection or investigation, in the territory of the Member States or in the third country concerned, of such a terrorist or serious criminal offence;
(c) the designated authority has access to such data in accordance with the procedures and conditions set out in Articles 31 and 32;
(d) the transfer is carried out in accordance with the applicable conditions set out in Directive (EU) 2016/680, in particular Chapter V thereof;
(e) a duly motivated written or electronic request from the third country has been submitted; and
(f) the reciprocal provision of information on entry/exit records held by the requesting third country to the Member States operating the EES is ensured.
How long does the EES keep your personal data?
| Category | Retention Period | Start Date |
| --- | --- | --- |
| Records of entries, exits and refusals of entry | 3 years | From the date the record was created |
| Individual files containing personal data | 3 years and 1 day | From the date of last exit or refusal of entry |
| If no exit has been recorded | 5 years | From the expiry date of the authorised stay |
| Records of entries and exits for certain non-EU family members (no residence document, accompanying EU/EEA/Swiss citizen) | 1 year | From the date of creation of the exit record |
| If no exit has been recorded (same category as above) | Data not retained | Not applicable |
Note: After each retention period expires, the data are automatically erased.
