This privacy statement explains how the National Commissioner of Icelandic Police processes your personal data for the European Entry/Exit System (hereinafter the "EES"). The General Data Protection Regulation (GDPR) applies to these data processing operations.

The EES contains personal data of third-country nationals entering the territory of Member States of the Schengen-area for a short stay (maximum 90 days within a 180-day period). The system will become operational in phases. From that point on, information regarding your entries into and exits from the territory of the Member States, and where applicable, information on refusal of entry to this territory, will be registered in the EES.

For this purpose, your data will be collected by and processed by the District Police Commissioners and the National Commissioner of Icelandic Police. Your personal data is processed for border management, preventing irregular immigration, and simplifying the management of migration flows. This is required by the applicable Regulation (EU) 2017/2226.

Controllers

District Police Commissioners are responsible for the operations of border control located in their districts and The National Commissioner of Icelandic Police is responsible for the operation of the EES system in Iceland.

Iceland is not responsible for data processing in the EES by European institutions or other Member States. The central EES is managed by eu-LISA, a European Union agency.

For more information about processing in the central EES, please refer to the European Commission’s website.

The data collected, recorded and processed

During checks at the external borders of Member States, the collection of your personal data is mandatory, as it is necessary to verify compliance with entry conditions.

The following personal data will be collected and recorded:

• Biometric personal data:

  This refers to a live facial image and the passport photo of all third-country nationals who must be registered in the EES. For third-country nationals who are visa-exempt or hold a Facilitated Transit Document (FTD), four fingerprints will also be required.

• Personal data from the travel document:

  Full name, date and place of birth, nationality, gender, height, signature, document reference number, social security number or similar personal number, country of issue, and validity date.

• Language selection:

  During registration in kiosks.

Depending on your situation, data may also be collected from other sources:

• The Visa Information System (VIS) Data from your personal file;

• Any refusals of entry

• Any overstays

  beyond the maximum permitted duration of stay in the Schengen Area.

If you do not provide the required biometric data

If you do not provide the biometric data required for registration, verification, or identification in the EES, you will be refused entry to the Schengen Area.

Legal basis for personal data collection

National Commissioner of Icelandic Police is responsible for the setup of EES and the national connection to the central EES hosted by eu-LISA. Icland is obligated to participate in the EES for the proper execution of border control duties. This obligation is based on:

• Article 16, Act on Borders no. 136/2022

• Article 8 of the Schengen Borders Code;

• Articles 14, 16-19, and 23 of Chapter II and III of the EES Regulation.

The legal basis for processing is compliance with a legal obligation (Article 6(1)(c) GDPR) and the necessity for substantial public interest (Article 9(2)(g) GDPR).

How your personal data will be used

As a third-country national entering the Schengen Area for short-stay visit via a border post in Iceland, you are required to register in the EES. Registration occurs either at a self-service kiosk or at a manual desk operated by a border guard or police officer from district police commissioners. An algorithm will compare a live facial photo with the photo in your travel document to verify your identity. Your personal data will be sent through the National Commissioner of Icelandic Police systems to the central EES, which is managed by eu-LISA, the data controller for the central EES.

Your personal data will also be used for regular border checks as required by the Schengen Borders Code. This includes verifying the authenticity and validity of your travel document and checking national and European police databases.

When you cross the border on entry, a check will be conducted to determine whether you are already registered in the EES. On exit, your departure will be recorded. If there is no record of your exit after the permitted duration of stay, this will be automatically recorded in the EES. This can result in a return decision, deportation to your country of origin, and/or a temporary ban on entry into the Schengen Area.

If you overstay the permitted duration, your data will automatically be added to a list of identified overstayers. This list is accessible to the competent national authorities. If you are listed as an overstayer, this can result in a return decision, deportation, and/or a temporary ban from the Schengen Area. However, if you provide credible evidence that your overstay was due to unforeseen and serious events, your personal data in the EES can be corrected or supplemented, and you can be removed from the overstayers’ list.

How we store your personal data and retention period

Your personal data will be stored in the central EES for the following periods:

• Records of each entry, exit, or refusal of entry will be retained for three years from the date of the record;

• The personal file containing your data will be retained for three years and one day from the last exit or refusal of entry, provided no new entry is made in that period;

• If no exit record is made, your data will be retained for five years after the last day of the permitted duration of stay.

Personal data from the EES may also be stored by authorised national agencies when necessary in individual cases. Such storage is subject to the same retention periods as the central EES or for as long as necessary in an individual case according to law on the process of personal data no. 90/2108 or law on the use of personal data for law enforcement purpose no. 75/2019 as applicable . Personal data will only be stored longer if necessary for criminal investigations or other police tasks. These data processing operations fall under the law on the use of personal data for law enforcement purpose no. 75/2019.

Logs of all data processing within EES is kept by eu-LISA.

Processors

Personal data for or from the EES may be processed by the following organisations on behalf of the National Commissioner of Icelandic Police: IDEMIA

Other parties that may access your data

Relevant authorities in Schengen Area Member States may access your data for border management, facilitating border crossings, immigration, and law enforcement. Europol may also access your data for law enforcement purposes. Under strict conditions, your data may be transferred to a Member State, third country, or international organisation listed in Annex I of Regulation (EU) 2017/2226 for return or law enforcement purposes.

Your rights

The National Commissioner of Icelandic Police seeks to fully inform you of your rights regarding your personal data. Each traveller has the following rights:

• Right to be informed about duration of stay:

  You have the right to be informed about your maximum duration of stay in the Schengen Area when your personal data is recorded or checked in the EES. You can verify the duration of your authorised stay by using the short stay calculator tool available on the European Commission’s website Short-stay Calculator - European Commission;

  https://home-affairs.ec.europa.eu/policies/schengen/border-crossing/short-stay-calculator_en

• Right of access/disclosure:

  You have the right to request copies of your personal data.

• Right to rectification:

  You have the right to request changes to personal data that are inaccurate or incomplete.

• Right to erasure:

  You have the right to request the erasure of your personal data. This request will only be granted if the personal data were obtained unlawfully or improperly, or if the retention period has expired. Specifically, you have the right to have your personal data erased from the EES if they remain because you exited late and can prove this was due to unforeseen and serious events.

• Right to restriction of processing:

  You have the right to request the restriction of processing of your personal data. This request will only be granted if the personal data were obtained unlawfully or improperly.

• Right to object:

  You have the right to object to the processing of your personal data. This request will only be granted if the personal data were obtained unlawfully or improperly.

Contact

If you have any questions about this privacy statement, the EES, or the processing of your personal data, or if you want to exercise the above-mentioned rights, please contact the National Commissioner of the Icelandic Police through the email rls@rls.is or the postal address below. The EES regulation gives us a period of 45 days (in deviation from the regular GDPR deadlines) to respond to your requests.

Iceland

Complaints: national

National Commissioner of Icelandic Police, Border Management Department

Postal address: Rauðarárstígur 25, 105 Reykjavík

Tel: +354 444 2500

Email: lmd@logreglan.is

If you wish to file a complaint about the processing of your personal data or if you are of the opinion that the National Commissioner of Icelandic Police did not handle a request in that regard properly, please contact The Icelandic Data Protection Authority, ‘Persónuvernd’

Address: Laugavegur 166, 105 Reykjavík

Iceland

Tel: +354 510 9600

Email: postur@personuvernd.is

web address: www.personuvernd.is

Complaints: European

For complaints about data processing operations in the central EES, please contact the European Data Protection Supervisor: https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en.