Data protection

Report on the VIS
business continuity and disaster recovery capabilities of the VIS. The exercise covered rehearsing the existing
processes and technical procedures and further improving the overall coordination and readiness of the VIS
community in the event of a disaster. The outcome of the exercise was mainly analysed with Member States at
SON [42] meetings. A list of improvement measures was drawn up and monitored continuously through the
operation and secure management lifecycle of the system.
As part of the update of the VIS ICD due to the interconnection with the EES mentioned above, there was a
thorough review of the interconnection security requirements.
In November 2018, the European Data Protection Supervisor (EDPS) carried out an inspection on the VIS central
system focusing on operational management, internal communication infrastructure and security. The final
EDPS 2019 inspection report was received by eu-LISA in November 2019. The recommendations were analysed
and, as per standard practice, they will be addressed in order to further enhance the level of trust in the
management of the system. Overall, the inspection report noted no critical findings regarding the security of
the central VIS, and no security incidents regarding any unauthorised access to VIS data. Note that the VIS
central system is an isolated, controlled and secure environment.
Fruitful cooperation with Member States and other EU Agencies has been maintained in particular through the
SON, where knowledge and best practices have been exchanged. The network meets twice a year, discussing
developments in the threat landscape, latest trends in the security and business continuity fields, and ways
ahead for the security community.
5. Data protection
Data protection is a key factor in the success of the VIS's operations and for
the Member States using the system. The quality of the data, data security
and regulatory compliance with the legal framework provide the conditions
for the VIS to support Member States effectively in the visa procedure and in
border checks, while upholding the rights and freedoms of third-country
nationals applying for a Schengen Visa.
The protection of personal data related to individuals processed by the VIS
at central system level is monitored by the European Data Protection
Supervisor (EDPS) in close cooperation with eu-LISA's Data Protection Officer (DPO). Quality of data stored in
the VIS central system and the rights of data subjects, as per the legal provisions, are ensured by the Member
States.
As mentioned above, at end 2018, the EDPS carried out an inspection of the VIS central system with the
support of the Acting DPO and the Security Unit. The inspection also included checks to follow up on the
recommendations from the previous VIS inspection carried out in 2015 and new checks on personal data
breach procedures, personal data retention periods and system acquisition. The Acting DPO coordinated the
inspection and acted as a liaison between the Agency and the EDPS during the entire exercise.
Throughout the reporting period, the DPO of eu-LISA was regularly consulted by the VIS Product Manager and
the VIS Operational Change Advisory Board on a number of VIS-related projects involving personal data.
Accountability, a risk-based approach, transparency and managing data breaches are key aspects stemming
from the EUI-DPR [43], which came into force on 11 December 2018. eu-LISA's DPO is committed to informing,
raising awareness and advising on these new obligations, in particular, in regard to the operational management
of the VIS central system and the developments required for interoperability with other large-scale IT systems.
[42] Security Officer Network.
[43] Regulation (EU) 2018/1725 GDPR for EU Institutions and Bodies (EUI-GDPR) came into force on 11 December 2018.
