Information on joint responsibility pursuant to Article 26 (2) sentence 2 of the General Data Protection Regulation (GDPR) in the context of the processing of data in accordance with Regulation (EC) 767/2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)

The following information aims to make the essence of the arrangement between the joint controllers on their shared responsibility available to data subjects in a transparent manner.

The Federal Foreign Office and the Federal Office of Administration cooperate closely in the visa process. This is also true when it comes to the processing of your personal data. Together they have agreed on the order for processing these data in the individual stages of the process. In the stages of the process outlined below, they are thus jointly responsible for the protection of your personal data (Article 26 GDPR).

Area of activity A:

The visa application is submitted to the visa section at one of the Federal Foreign Office’s missions abroad or to its external service provider. For a correct visa application, the data required on the application form are gathered. A photograph of the applicant is captured and their fingerprints are collected. This all takes place within the area of responsibility of the Federal Foreign Office (area of activity A). The missions abroad store the information about the person contained in the application, as well as the fingerprints and the photograph; they are then passed on to the competent authorities that will decide on the application and are processed by these authorities. These data, as well as data relating to the decision on an application or a decision to annul, revoke or extend a visa, are entered into the European Visa Information System (VIS) in accordance with Articles 8 to 14 of the VIS Regulation and stored there for the retention periods stated in Articles 23 of the VIS Regulation. In accordance with Sections 28 and 29 of the Central Register of Foreigners Act (AZRG), the personal information, photograph and visa-related data are stored by the Federal Office of Administration in the Federal Republic of Germany’s national visa database for the retention periods stated in Section 36 of the Central Register of Foreigners Act and Section 19 of the implementing regulation on the Central Register of Foreigners Act.

Area of activity B:

The Federal Foreign Office transmits the data from the application and from the decision on the application required for storage in the VIS and the national visa database from area of activity A to the Federal Office of Administration. The Federal Office of Administration processes the data and stores them in the central database made available by the EU and in the national visa database. Your personal data are therefore stored in databases of the Federal Republic of Germany and the European Union. The Federal Office of Administration works in the databases to fulfil its tasks with respect to managing or deleting data.

Third-party access:

Up until the expiry of the retention periods stated in Article 23 of the VIS Regulation, the visa authorities and the authorities responsible for checking visas at the external borders and in the territory of the Member States, as well as the immigration and asylum authorities in the Member States, have access to the data in order to check whether the conditions for legal entry into and legal stays in the territory of the Member States are met. This access also enables them to identify persons who do not or who no longer meet these conditions, as well as to examine an asylum application and determine which Member State is responsible for this examination.

In order to prevent and detect terrorist and other serious crimes and to investigate such crimes, the competent authorities of the Member States and Europol also have access to the data under certain conditions.

Within the scope of their shared responsibility for data protection, the joint controllers have agreed which of them fulfils which obligations under the GDPR. This applies in particular to the exercise of the rights of the data subjects and the fulfilment of the obligation to provide information pursuant to Articles 13 and 14 of the GDPR.

Even though they are jointly responsible, the joint controllers meet their data protection obligations in keeping with their respective competences for the individual stages of the process as follows:

Within the framework of joint responsibility:

• The Federal Foreign Office is responsible for processing the personal data in area of activity A.

• The Federal Office of Administration is responsible for processing the personal data in area of activity B.

Both controllers make the information referred to in Articles 13 and 14 of the GDPR available to the data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language. To this end, each controller provides the other with all necessary information from its area of activity.

The joint controllers inform each other about legal rights exercised by data subjects. They make available to each other all information required in order to reply to requests for information.

Data protection rights can be exercised in respect of both controllers.For this purpose, you should contact:

Contact point at the Federal Foreign Office:

• Address: Werderscher Markt 1, 10117 Berlin, Germany

• Email: buergerservice@diplo.de

Contact point at the Federal Office of Administration:

• Division S I 7 – EU Unit Central Services

• Email: eu-zentrale-services@bva.bund.de

• Service hotline: +49 (0)228 99 358 21200