Risks to GDPR in digitization of visa applications in Europe

The Council and the European Parliament have reached a preliminary agreement around digitizing the visa procedure. 

The regulation will provide the ability to apply for a visa online and replace the current visa sticker with a digital visa. Its purpose is twofold: to make the visa application process more efficient and to improve the security of the Schengen area. 

Member states have yet to approve this agreement. Once member states have given their agreement, the approval process in the Council and European Parliament can begin. 

In this blog, we will discuss what people want to achieve with this digital visa procedure and what GDPR challenges it will bring. 

1. Why is there a need for a digital visa application process

In recent years, there have been many complex challenges in the areas of migration and security, creating a great need for sweeping changes to EU visa policy. There is also the fact that the COVID-19 pandemic has significantly delayed visa operations and visa applications.

At the same time, recent technological developments offer new opportunities to make procedures smoother and more effective, both for visa applicants and national authorities.

In this regard, on April 27, 2022, the Commission submitted a legislative proposal to digitize the visa procedure.

The agreed rules will modernize, simplify and harmonize visa procedures for third-country nationals applying for visas and for the member states required to issue such visas.

What is a schengen visa?

A Schengen visa is, until now, a sticker in a foreign national’s passport. The visa gives access to the 27 countries of the

Schengen area

. Today the visa procedures for the Schengen area thus still rely heavily on paperwork, this also entails a lot of additional costs for both travelers and the member states themselves.

In doing so, the procedures for applying for the Schengen visa from member state to member state and only some member states have to date partially digitized procedures. The physical visa stickers, still used in most member states, are also more susceptible to forgery, fraud and theft, something that the digital visas will significantly improven.

2. What does the new regulation seek to accomplish?

The regulation, when finally adopted, will modernize two important aspects of the visa process:

  1. The digitization of the visa sticker;
  1. The digitization of visa applications, by establishing an EU online platform for visa applications.

What do you gain from this modernization?

With these modernizations, visa applicants will be able to apply for a Schengen visa online through the visa application platform, through this platform they will be redirected to the relevant national visa systems, including payment of the same visa fee, regardless of the Schengen country they wish to visit.

The applicant will also be notified of decisions on their visa. Personal appearance at the consulate will then in principle only be necessary for new applicants, persons whose biometric data are no longer valid and persons with a new travel document.

Efficiency, Security and Information Assurance

When a person plans to visit multiple Schengen countries, the platform will automatically determine which country is responsible for processing the application based on the length of stay. However, the applicant is also given the option to indicate whether the application should be processed by a specific member state, depending on the purpose of travel.

Under the proposed new rules, visas will be issued in digital format, as a 2D barcode, cryptographically signed. This reduces security risks associated with counterfeit and stolen visa stickers.

Applicants are provided with up-to-date information on Schengen short-stay visas, as well as all necessary information on requirements and procedures (such as supporting documents, visa fees or the need for an appointment to collect biometric identifiers).

Efficient Chatbot, Digital Format and Expansion to Non-Schengen EU Countries

In addition, a chatbot will be added that will allow visa applicants to get answers to their questions in a user-friendly way.

The Schengen visa sticker will be replaced by a digital Schengen visa (encrypted 2D barcode) that will also apply to long-stay visas. It will also be able to be issued by EU countries that do not yet fully apply the Schengen rules, such as Bulgaria, Romania and Cyprus, for example.

Member states will have a 7-year transition period to join the platform.

3. Principles for the GDPR

The new platform will store the IP address from which the visa application is sent among the application data and similar information.

According to the landmark ruling of the Court of Justice of the European Union (CJEU) in the Breyer case, the IP address may fall into the category of personal data to whose processing the safeguards of the GDPR apply.

The various agencies, including Europol and EU member state authorities, could then access the “personal data” of data subjects for a variety of purposes, including law enforcement and border management.

Need and Limitations of IP Address Data in Digitization of Schengen Visa Procedure

As such, the collection and elaboration of IP address data must be necessary and proportionate to the digitization of the Schengen visa process.

However, the current draft of the regulation lacks a proper assessment of the necessity of such data processing activities that could unduly restrict the data processing rights of affected individuals under Article 52 of the EU Charter of Fundamental Rights.

One can indeed question whether collecting the applicant’s IP address is really necessary for the evaluation of his Visa application.

Bottlenecks in the Draft Schengen Visa Regulation.

Another problem is the data quality controls provided for in the draft regulation.

Indeed, the draft regulation would require consulates and third-party service providers to perform data quality checks on information uploaded to the platform. However, the European regulator fails to provide a uniform procedure for data quality assessment.

Spelling mistakes, translation errors, technical glitches and unreliable birth certificates are some examples of low-quality data flows affecting large-scale information systems in the freedom, security and justice space.

Another pain point regarding the draft regulation is the right of data subjects to be informed about the processing of their personal data.

Informing Data Subjects and Challenges in Purpose-Binding and Data Minimization in the Schengen Visa Platform

According to the draft law, the Schengen visa platform must provide the applicant with all relevant information about the digitized application process. However, the platform must also adequately inform data subjects to ensure fair and legitimate data processing activities in accordance with GDPR requirements.

In particular, data subjects should be informed about the modalities and purposes of data processing activities concerning their personal data in the context of interoperability between large-scale information systems at the EU external borders.

Different factors (e.g., border authorities, law enforcement agencies) access data for a variety of purposes, including border control, counterterrorism and migration management. The overlap of such different purposes may make it difficult to comply with the principles of purpose limitation and data minimization


The visa process will become more flexible and practical due to digitalization. The applicant will obtain his visa faster and be more correctly informed about the procedure.

Uniformity will also be created and eventually all member states will use the same platform.

However, further insistence on data protection safeguards will be needed at the same time so that the digitization of Visa procedures will not serve to legitimize haphazard data collection activities for security purposes.


Meer berichten

Onzichtbare Bedreiging Voor Privacy

Invisible Threat To Privacy

Introduction Companies use personal data to optimize their marketing campaigns, perform accurate analysis and improve their business strategies. But as the value

cyber security tips

10 Cyber Security Tips for SMEs

Cyber security is critical for SMEs. A cyber attack can have serious consequences, from data loss to financial and reputational damage. Here

de toekomst van GDPR

The Future of Data Protection

Introduction: Since its implementation in 2018, the General Data Protection Regulation (GDPR) has had a significant impact on how organizations worldwide collect,


©DPO Associates Alle rechten voorbehouden. Privacy verklaringCookie verklaring | Algemene voorwaarden