7-day deletion rule, 90/180-day limit: Indian travellers' complete guide to Schengen Visa Code
The seven-day deletion mandate sits within the Schengen Visa Code, and is reinforced by the EU's Visa Information System regulations
- May 29, 2026,
- Updated May 29, 2026 7:58 PM IST
There is a rule buried inside European visa law that most Indian travellers have never heard of. It says that once you submit your passport details, fingerprints, and photograph to a visa application centre, that data must be deleted from local systems within seven days of being transmitted to the relevant embassy, without any exceptions.
A 2025 report from the Hungarian consulate found that applicant data at VFS Global's New Delhi centre was being retained for over a month. The breach was not an administrative grey area; it was a direct violation of one of the Schengen Visa Code's most fundamental data protection provisions, one that exists specifically to limit how long your most sensitive personal information remains exposed on third-party systems.
The finding has put a spotlight on a legal framework that governs every Schengen visa application filed from India, and that most applicants never read.
DO CHECKOUT: BT Explainer: Why visa service provider VFS Global is in the spotlight
What the 7-day rule is and why it exists
The seven-day deletion mandate sits within the Schengen Visa Code, formally Regulation EC No 810/2009, and is reinforced by the EU's Visa Information System regulations. The logic is straightforward. Once biometric and personal data have been successfully transmitted to the diplomatic mission or the central VIS database, their continued presence on local systems serves no processing purpose.
Keeping it there, in caches, on discs, or within third-party IT infrastructure, creates unnecessary security exposure and violates both the Code and the EU's General Data Protection Regulation.
Long-term data retention is handled centrally. The VIS database stores transmitted applicant data securely for up to five years for legal verification and future processing. That responsibility belongs to the central system. It does not belong to a visa application centre in New Delhi, Mumbai, or anywhere else.
When VFS Global failed to clear that data within the required window, it was not a paperwork lapse. It was a breach of the legal boundary that separates legitimate data processing from unauthorised retention of some of the most sensitive information an individual can submit.
In an official statement, VFS Global said, “VFS Global is a trusted partner to governments worldwide. Given the nature of our work in visa administrative services, we operate under rigorous oversight across all markets, including for governments with some of the most stringent integrity and security requirements. For a quarter of a century, we have supported client governments in delivering secure and efficient visa services at scale, and our work is subject to regular competitive tender. We do not tolerate fraud, data misuse, or any conduct that falls below the high standards our clients and their applicants expect of us.
“Our optional value-added services are developed in consultation with, and approved and monitored by, our client governments. Whether applicants choose to use these services or not, they have no bearing on visa application decisions, which are solely a matter for governments. We are committed to ensuring that the optional nature of these services is clearly and consistently communicated at every touchpoint.”
The broader framework: what the Schengen Visa Code covers
The seven-day rule is one provision within a much larger legal structure. The Schengen Visa Code governs short-stay visas across all 29 Schengen member states and sets the rules every applicant and every processing centre must follow.
The 90/180-day rule
The most widely known provision limits stays to 90 days within any 180 days. That window is not fixed to a calendar cycle; it rolls continuously. The European Commission provides an official Short-Stay Calculator to help travellers track their remaining allowance. Overstaying, even briefly, can trigger entry bans and complicate future applications.
Where and when to apply
Applications must go to the consulate of your primary destination — the country where you will spend the most days. If time is divided equally across multiple countries, apply at the consulate of your first point of entry. Applications can be submitted up to six months before travel but no later than 15 days before departure. Consulates are required to decide within 15 calendar days, extendable to 45 days for complex cases.
Passport and biometric requirements
Your passport must have been issued within the last 10 years, remain valid for at least three months beyond your planned departure from the Schengen area, and carry at least two blank pages. First-time applicants must appear in person to submit 10 fingerprints and a digital photograph. Once enrolled, those biometrics remain valid for 59 months, meaning repeat travellers within that window do not need to re-enrol.
Mandatory travel insurance
A Schengen visa application requires travel insurance covering all 29 member states with a minimum of €30,000 in coverage. The policy must explicitly include emergency medical treatment, hospitalisation, and repatriation for medical reasons or death.
What a visa does and does not guarantee
A Single-Entry visa permits one entry into the Schengen zone. A Multiple-Entry visa allows unlimited entries within the 90/180-day limit. But a visa is an entry permit, not a guarantee of entry. Border guards at the point of arrival can still refuse entry if a traveller cannot produce proof of accommodation, return tickets, or sufficient financial means.
There is a rule buried inside European visa law that most Indian travellers have never heard of. It says that once you submit your passport details, fingerprints, and photograph to a visa application centre, that data must be deleted from local systems within seven days of being transmitted to the relevant embassy, without any exceptions.
A 2025 report from the Hungarian consulate found that applicant data at VFS Global's New Delhi centre was being retained for over a month. The breach was not an administrative grey area; it was a direct violation of one of the Schengen Visa Code's most fundamental data protection provisions, one that exists specifically to limit how long your most sensitive personal information remains exposed on third-party systems.
The finding has put a spotlight on a legal framework that governs every Schengen visa application filed from India, and that most applicants never read.
DO CHECKOUT: BT Explainer: Why visa service provider VFS Global is in the spotlight
What the 7-day rule is and why it exists
The seven-day deletion mandate sits within the Schengen Visa Code, formally Regulation EC No 810/2009, and is reinforced by the EU's Visa Information System regulations. The logic is straightforward. Once biometric and personal data have been successfully transmitted to the diplomatic mission or the central VIS database, their continued presence on local systems serves no processing purpose.
Keeping it there, in caches, on discs, or within third-party IT infrastructure, creates unnecessary security exposure and violates both the Code and the EU's General Data Protection Regulation.
Long-term data retention is handled centrally. The VIS database stores transmitted applicant data securely for up to five years for legal verification and future processing. That responsibility belongs to the central system. It does not belong to a visa application centre in New Delhi, Mumbai, or anywhere else.
When VFS Global failed to clear that data within the required window, it was not a paperwork lapse. It was a breach of the legal boundary that separates legitimate data processing from unauthorised retention of some of the most sensitive information an individual can submit.
In an official statement, VFS Global said, “VFS Global is a trusted partner to governments worldwide. Given the nature of our work in visa administrative services, we operate under rigorous oversight across all markets, including for governments with some of the most stringent integrity and security requirements. For a quarter of a century, we have supported client governments in delivering secure and efficient visa services at scale, and our work is subject to regular competitive tender. We do not tolerate fraud, data misuse, or any conduct that falls below the high standards our clients and their applicants expect of us.
“Our optional value-added services are developed in consultation with, and approved and monitored by, our client governments. Whether applicants choose to use these services or not, they have no bearing on visa application decisions, which are solely a matter for governments. We are committed to ensuring that the optional nature of these services is clearly and consistently communicated at every touchpoint.”
The broader framework: what the Schengen Visa Code covers
The seven-day rule is one provision within a much larger legal structure. The Schengen Visa Code governs short-stay visas across all 29 Schengen member states and sets the rules every applicant and every processing centre must follow.
The 90/180-day rule
The most widely known provision limits stays to 90 days within any 180 days. That window is not fixed to a calendar cycle; it rolls continuously. The European Commission provides an official Short-Stay Calculator to help travellers track their remaining allowance. Overstaying, even briefly, can trigger entry bans and complicate future applications.
Where and when to apply
Applications must go to the consulate of your primary destination — the country where you will spend the most days. If time is divided equally across multiple countries, apply at the consulate of your first point of entry. Applications can be submitted up to six months before travel but no later than 15 days before departure. Consulates are required to decide within 15 calendar days, extendable to 45 days for complex cases.
Passport and biometric requirements
Your passport must have been issued within the last 10 years, remain valid for at least three months beyond your planned departure from the Schengen area, and carry at least two blank pages. First-time applicants must appear in person to submit 10 fingerprints and a digital photograph. Once enrolled, those biometrics remain valid for 59 months, meaning repeat travellers within that window do not need to re-enrol.
Mandatory travel insurance
A Schengen visa application requires travel insurance covering all 29 member states with a minimum of €30,000 in coverage. The policy must explicitly include emergency medical treatment, hospitalisation, and repatriation for medical reasons or death.
What a visa does and does not guarantee
A Single-Entry visa permits one entry into the Schengen zone. A Multiple-Entry visa allows unlimited entries within the 90/180-day limit. But a visa is an entry permit, not a guarantee of entry. Border guards at the point of arrival can still refuse entry if a traveller cannot produce proof of accommodation, return tickets, or sufficient financial means.