Act on the Schengen Information System in Iceland

This Act shall apply to the Icelandic national section of the Schengen Information System and the protection of the individual in connection with the recording and treatment of data in that system.
The term "the Icelandic section of the Schengen Information System" refers to an electronic data file that is operated in Iceland and connected to the joint information system for the Schengen Area.

The Commissioner of the Icelandic National Police shall operate and be responsible for the information system. He shall attend to the recording of data in the system and the transmission of other data according to this Act.
When data is entered into the system, care shall be taken to ensure that it is accurate and reliable and that the conditions of this Act regarding the entry of data have been met.

The Commissioner of the Icelandic National Police, and the party who, acting under his authority, provides the computer services, shall by means of organised and systematic procedures ensure the security of the information system in such a way that unauthorised persons will not gain access to it or be able to influence the recording of data in it. In the same way it shall be ensured that the system functions smoothly and is accessible to those who work with it.

The recording of data in the Schengen Information System shall be aimed at maintaining public safety and policy, including national security. The data specified in Article 5 shall only be entered in the system if its entry is necessary in terms of the purpose as defined in Articles 6-8 and there are sufficiently urgent reasons to warrant its entry.
In the case of the entering of information on wanted persons with a request for their arrest and extradition under item a of paragraph 1 of Article 6, care shall be taken to establish whether such measures are permitted under the law of the state to which the application is made.

The following data concerning persons may be recorded in the information system:
a. name and first name, with reference to the possible separate recording of aliases;
b. permanent distinguishing physical characteristics;
c. initial of another personal name;
d. place and date of birth;
e. sex;
f. nationality;
g. whether the person concerned is armed;
h. whether the person concerned is violent;
i. reason for the entry (alert);
j. action requested.
Data may be entered in the information system on the following objects:
a. motor vehicles with a capacity in excess of 50 cc which have been stolen, misappropriated or lost;
b. trailers and caravans with an unladen weight of over 750 kg which have been stolen, misappropriated or lost;
c. firearms which have been stolen, misappropriated or lost;
d. blank official documents which have been stolen, misappropriated or lost;
e. authentic identity papers (passports, identity cards, driving licences) which have been stolen, misappropriated or lost;
f. banknotes (registered notes).

Data on persons may be recorded in the information system in the following cases:
a. in response to a request for the arrest and extradition of a wanted person;
b. when an alien is to be denied entry into the country because:
1. he has been sentenced in Iceland or abroad to a term of imprisonment of at least one year, or there are other grounds for suspecting that he will commit criminal acts in the Schengen Area, or
2. his previous conduct or other reasons give grounds for suspecting that the purpose of his entering Iceland, or the Schengen Area, is to commit acts of vandalism or engage in spying or unlawful intelligence activities, or
3. he has been expelled from Iceland and a prohibition against his re-entry into the country is in force;
c. in connection with a search for a missing person, or when the person is to be kept in custody temporarily for his own safety or that of others;
d. in connection with efforts made to find out the residence or abode of a witness, an accused person who has been indicted and is due to appear in court or a person on whom sentence is to be served in a criminal case, or who is to be summonsed to serve a prison sentence.
When data of the type specified in item a. of paragraph 1 above has been entered, the following information shall be sent as soon as possible to the state to which the request is directed:
a. the authority which issued the request for the arrest of the person;
b. whether an arrest warrant has been issued;
c. the type of offence involved, with references to the appropriate criminal law provisions;
d. the facts of the case, including where and when the offence was committed and the part played by the wanted person;
e. to the extent possible, the consequences of the offence.

Data on persons and vehicles may be recorded in the information system in order to enable discreet surveillance, a body search or a physical examination to be carried out in the following instances:
a. in connection with the investigation and prosecution of criminal offences, and to ensure public safety when:
1. there is a reasonable suspicion that the individual is committing, or will commit, numerous extremely serious offences;
2. an overall assessment of the individual involved, including an assessment of offences which he has already committed, indicates that he is likely to commit very serious offences;
b. when unequivocal evidence indicates that information regarding the person's abode, the route and destination of the journey, the persons accompanying the person concerned, or the passengers or objects conveyed, or the circumstances in which the person or vehicle was found, is necessary in order to prevent the person involved constituting a serious hazard or threat to national security.

Information on objects sought for the purpose of confiscation or to be used as evidence in criminal proceedings may be entered in the information system.

Data recorded in the system may not be used for any purpose other than that covered by the aim of the entry as specified in Articles 6-8.
With the authorisation of the state issuing the alert, derogation may be made from paragraph 1 and the data may be used for another purpose specified in Articles 6-8 under the following circumstances:
a. to prevent an imminent serious threat to public policy and safety,
b. for serious reasons of state security,
c. for the purpose of preventing a serious offence.

The following authorities shall be connected on-line to the information system in order to carry out these tasks:
a. the police, for the purpose of border surveillance and other law enforcement;
b. the Department of Immigration, for the purpose of processing applications for visas and entry or residence permits, and to perform other duties according to the Foreign Nationals Supervision Act, to the extent necessary in order to take action in view of information entered under item b. of paragraph 1 of Article 6;
In order to work with the information system, the employee involved must obtain a special permit from the Commissioner of the Icelandic National Police, this depending on his meeting the requirements laid down regarding competence and security. The employee involved shall only have such access to the system as is essential for him to be able to perform his task.

At their request, the following authorities shall have access to data from the information system to the extent necessary to enable them to perform the following tasks:
a. the Customs authorities, for border surveillance and when they carry out, or assist with, law enforcement;
b. the Icelandic Coast Guard, when it carries out, or assists with, law enforcement;
c. the Ministry of Justice, when it exercises authorisations in its capacity as the superior authority.

Any person who in the course of his work becomes aware of data recorded in the system shall be obliged to ensure that registered data is not passed on to unauthorised persons. The obligation not to divulge such data shall continue even after the person stops work.

Any person on whom data is entered in the information system (data subject) shall have the right to be informed of the data recorded on him in the system.
The right of a data subject to information under paragraph 1 shall not apply if it is necessary to keep the information secret in order to achieve the intended aim of the entry, or in view of the interests of other persons. When discreet surveillance under Article 7 is in progress, the data subject shall not have the right to be informed of the recorded data.
If a person requests to be informed of data on him that has been entered in the system by another state, that state shall be given an opportunity to express its position before the request is granted.

In cases where incorrect, misleading or incomplete data has been entered into the information system, or if data has been entered without the requisite authorisation, the Commissioner of the Icelandic National Police shall, if requested or at his own initiative, ensure that it is corrected, deleted or expanded. Where such data has been passed on or used, the Commissioner of the Icelandic National Police shall make every effort he can in order to prevent this having an effect on the interests of the data subject.
If data referred to in paragraph 1 has been entered in the information system by another state, the Commissioner of the Icelandic National Police shall, without unreasonable delay, inform that state of the deficiencies of the entry, with a request to have the necessary changes made.

When the Commissioner of the Icelandic National Police receives a request under Article 13 or 14, he shall adopt a position on it without unreasonable delay. Reasons for the commissioner's decision shall given to the extent possible without revealing any information that should be kept secret.

Any person who suffers injury that can be traced to the entry or use of data in the system that is contrary to the rules on the system shall be entitled to compensation from the State Treasury. Compensation shall be paid for both financial and non-pecuniary loss.
Compensation shall be paid even though the data was entered in another state, if it is used in Iceland. Compensation shall be paid irrespective of culpability, though it may be waived or reduced if the person sustaining the injury contributed to the entry or use of the data himself.
Claims for compensation shall expire two years after the person suffering the injury becomes aware of the entry in the information system.

Personal data and data on objects recorded in the system shall only be kept for the time required to meet the purposes for which it was recorded.
The need for keeping an alert shall be reviewed as follows:
a. personal data under Article 6: within three years of the date of entry;
b. personal data and data on vehicles under Article 7: within one year of the date of entry.
In the event of a decision to keep data records in the information system, paragraph 2 shall apply to the subsequent reassessment of the records.
Data entered under Article 8 shall not be kept for longer than stated below, counting from the date of entry:
a. data on authentic identity papers and registered banknotes: five years.
b. data on motor vehicles, trailers or caravans: three years.
c. other data: ten years.

The Personal Data Protection Authority shall monitor to ensure that the entry and handling of data in the information system are in conformity with this Act and the rules applying to the protection of the individual and individual privacy. The Data Protection Commission shall also check to ensure that the security of data in the information system is guaranteed so that unauthorised persons can not gain access to it or influence the entry of data into the system.
The Personal Data Protection Authority shall have access to recorded data and other materials necessary for it to discharge its supervisory duties under paragraph 1.
If the Personal Data Protection Authority has criticisms to make of the way the information system is operated, it shall submit such criticisms and proposals for rectification to the Commissioner of the Icelandic National Police and the Ministry of Justice.

The Minister shall issue regulations containing further provisions on the application of this Act, including:
a. the security of the information system and the internal monitoring of security (cf. Article 3);
b. requirements regarding competence and security which personnel of the police or the Department of Immigration must meet in order to work with the information system (cf. paragraph 2 of Article 10);
c. monitoring of the information system by the Personal Data Protection Authority (cf. Article 18).

This Act takes effect immediately.