
Knowing Your Data Related Rights: Romania's Schengen Full Access


After more than a decade of anticipation, Romania has officially become a full member of the Schengen Area. As of 1 January 2025, land border checks with Romania and Bulgaria are a thing of the past, building on the earlier removal of air and sea border controls on 31 March 2024. This article explores the impact of Romania's full Schengen accession, with a special focus on the rights of data subjects in this new context.

Introduction

Romania's recent accession to the Schengen Area has opened new doors for the free movement of over 400 million European Union (EU) citizens, as well as non-EU residents and visitors traveling for tourism, study or business purposes. This expanded mobility brings new challenges and requirements from the perspectives of personal data protection and data security, such as access to the Schengen Information System (SIS), which safeguards public order and national security through data exchange across Schengen Member States.  
For Romania, as a recent participant in the SIS, the system also incorporates its national component, the National Information System of Alerts (NISA).

 

Understanding SIS and NISA

SIS is a large-scale information system that supports external border control and law enforcement cooperation among the Schengen Member States. By linking national databases through a central architecture, SIS facilitates the sharing of data on individuals, vehicles, and goods for various purposes, including criminal investigations, missing person alerts and visa-related issues.

A new version of the Schengen Information System (SIS II) started operating on 7 March 2023.

The legal framework under which SIS operates consists primarily of three EU Regulations: (i) Regulation (EU) 2018/1862 – concerning police and judicial cooperation, (ii) Regulation (EU) 2018/1861 – addressing border checks, and (iii) Regulation (EU) 2018/1860 – focused on the return of third-country nationals staying illegally.
In order to allow the proper application of certain provisions of the aforementioned EU Regulations, Romania has enacted Law No. 76/2023, regulating the organisation and functioning of the NISA and participation of Romania in the SIS.

 

Ensuring Data Protection and Transparency

The Romanian Data Protection Authority (ANSPDCP), as the national supervisory authority for the processing of personal data in Romania, independently monitors the lawfulness of personal data processing in the NISA. Among other things, it ensures that the data processing operations in the NISA are audited.

Law No. 76/2023 emphasizes the importance of transparency and accountability in data processing within NISA and SIS. Article 61 of the law specifies that data processing in these systems must comply with the GDPR and Romania’s Law No. 363/2018 (which refers to the processing of personal data carried out by public authorities in relation to criminal offences and the application and enforcement of criminal sanctions). This legal framework guarantees that Romania's participation in the Schengen Area aligns with EU data protection standards while maintaining high levels of national security and public safety.

 

Key Data Subject Rights under SIS and NISA

Individuals whose data is processed within SIS or NISA have the following data subject rights according to the GDPR:

  1. Right of Access: individuals have the right to know if their personal data is being processed in the SIS or NISA and, if so, to access that data.
  2. Right to Rectification: individuals can request the correction of inaccurate or incomplete data held about them in the SIS or NISA.
  3. Right to Erasure ("right to be forgotten"): allows individuals to request the deletion of their data if the legal grounds allow it.

Data subject requests to access, rectify or erase data can be submitted to the Data Protection Office within the General Inspectorate of Romanian Police (the "Data Protection Office") at the dedicated email address: cererischengen@politiaromana.ro.

Alternatively, data subjects may file requests to exercise their rights (in the context of data processing in the NISA or SIS) with any competent national authority, such as: Romanian Police, Romanian Border Police, Romanian Gendarmerie, General Inspectorate for Immigration, General Directorate for Personal Records, General Directorate for Passports or Ministry of Foreign Affairs. These authorities have the obligation to forward such requests to the Data Protection Office within 5 working days of receipt.
The Data Protection Office must inform the data subject of any action taken on their request within one month of receipt. This period may be extended by an additional two months if the request is particularly complex or if there are numerous requests.

If a data subject does not receive a response from the Data Protection Office or is dissatisfied with the outcome, they have the right to contact the ANSPDCP for further review and resolution.

 

Conclusion

Romania's access to the Schengen Area marks a significant step towards greater European integration. It also brings both opportunities and responsibilities. While Romania benefits from increased mobility and security cooperation through the Schengen Information System, it also creates the framework to uphold the fundamental data protection rights of its citizens and residents.

 

Article provided by INPLP members: Adelina Iftime-Blagean and Nina Lazar (Wolf Theiss Rechtsanwälte GmbH & Co KG, Romania)

 

 
