IMY (Sweden) - DI-2019-13667

From GDPRhub
Revision as of 14:36, 22 November 2021 by FD (talk | contribs) (Thank you for this great summary! I made minimal changes to the names of the parties for consistency purpose (e.g. the DPA --> IMY; the Swedishi Migration Agency --> the Agency), and I streamlined the references to the VIS database. I also moved the part in the 'comment' section to the 'facts' section as it was more factual than commentary.)
IMY (Sweden) - DI-2019-13667
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(e) GDPR
Article 32 GDPR
Article 58(2)(a) GDPR
REGULATION (EC) No 767/2008 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)
Type: Other
Outcome: n/a
Started:
Decided: 17.11.2021
Published: 18.11.2021
Fine: None
Parties: The Swedish Migration Agency
National Case Number/Name: DI-2019-13667
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Anton Almer

The Swedish DPA issued two warnings to the Swedish Migration Agency (the Agency) because it was not clear if the IT-documentation of the Visa Information System (VIS) was adopted by the Agency and because the Agency lacked clear routines for deleting user logs.

English Summary

Facts

The Visa Information System (VIS) is an EU database containing information, including biometrics, on visa applications by third country nationals requiring a visa to enter the Schengen area. The purpose and usage of the VIS database is regulated in the VIS-regulation. The Swedish Migration Agency (the Agency) is the Swedish competent authority for VIS which means that they are able to enter, amend, delete or consult data in the VIS database. This also means that the Swedish Migration Agency is the controller of personal information in the "Swedish part" of the database.

Against this background, the Swedish DPA (IMY) conducted an inspection of how the Agency was processing personal data in the Swedish part of the VIS database. Although no fine was imposed, the IMY issued warnings concerning the status of the IT-documentation and the lack of routines for deleting user logs.

Holding

The IMY issued two warnings in accordance with Article 58(2)(a) GDPR. The first warning relates to how the Agency was at risk of not being able to fulfill its obligations pertaining to Article 32 GDPR (security of personal data) because it is not clear if the IT-documentation of the VIS database was adopted by the Agency or not. The second warning relates to how the Agency was at risk of not being able to fulfill its obligations pertaining to Article 5(1)(e) GDPR (principle of storage limitation) because they did not have clear routines for deleting user logs in the VIS database.

Comment

/

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.