Eurodac

Definition and Purpose of Eurodac

Eurodac (short for European Dactyloscopy, in German: European Fingerprint System) is a central European database for fingerprints that serves the efficient and consistent implementation of asylum policy within the European Union. It enables data exchange between member states as well as selected associated states and supports the identification of asylum seekers as well as certain third-country nationals or stateless persons. Eurodac is an essential tool for the application of the so-called Dublin Regulation, which determines which state is responsible for examining an asylum application lodged in the EU.

Legal Foundations of Eurodac

Primary and Secondary Law Framework

Eurodac was established by the Eurodac Regulation, which was recast as Regulation (EU) No. 603/2013 and has since been amended several times (originally Regulation (EC) No. 2725/2000). The Regulation falls within the context of the common European asylum policy, which in turn is based on primary law such as Article 78 of the Treaty on the Functioning of the European Union (TFEU) and the Charter of Fundamental Rights of the European Union.

Objective and Scope of Application

The legal aim is to “support the effective application of the [Dublin] Regulation […]” in order to prevent an individual from submitting more than one asylum application in multiple member states (so-called multiple applications or asylum shopping).

The Regulation governs, among other things:

• Collection, transmission and comparison of fingerprints,
• Retention periods and procedures for erasure,
• Access rights of various authorities,
• Protection of the rights of affected individuals.

Material Scope of Eurodac

Groups of Persons Covered

According to Articles 9-11 of the Eurodac Regulation, the following groups must be recorded:

• Persons who submit an application for international protection (asylum application) (Art. 9),
• Third-country nationals or stateless persons apprehended during the irregular crossing of an external border (Art. 14),
• Persons who are staying irregularly in the territory of a member state and for whom a Eurodac comparison is intended to clarify which state is responsible for an asylum procedure (Art. 17).

Data Collected and Stored

For each affected group, Eurodac provides for the storage of the following data:

• Fingerprints of all available fingers (preferably all ten fingers; at least all accessible fingers),
• Gender,
• Date of birth,
• State that collected the data,
• Place and time of collection,
• a reference number,
• date of transmission.

Procedures and Technical Processes

Data Collection and Transmission

The national competent authorities capture the fingerprints using live-scan systems. The collected data are encoded and transmitted via a secure transmission channel to the central Eurodac system, which is operated by the eu-LISA Agency (Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice) based in Strasbourg.

Data Matching and Responsibility Assessment

Upon receipt of the data, an automated comparison is carried out with the database in the central Eurodac system. If a match is found, the relevant member state may receive information on previous asylum procedures, earlier applications filed, or unlawful border crossings. This forms the basis for the Dublin responsibility assessment.

Storage and Erasure of Data

The retention period is precisely defined by law:

• For asylum seekers, data are stored for a maximum of ten years (Art. 12),
• For irregular border crossings, the retention period is 18 months,
• For persons who are unlawfully present and were not registered as asylum seekers, data are generally not stored, but only a data comparison is performed (“hit/no hit”).

Early erasure takes place if, for example, an asylum procedure is finally concluded, protection is granted, or the person has demonstrably left the territory.

Data Protection and Data Subject Rights

Compliance with the General Data Protection Regulation (GDPR) and Specific Requirements

The processing of personal data in Eurodac is conducted in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 as well as specific statutory provisions in the Eurodac Regulation itself. In particular, principles such as purpose limitation, data minimization, and integrity are enforced.

Rights of Data Subjects

Data subjects have the right:

• to access information about data stored about them,
• to rectification of inaccurate data,
• to erasure of unlawfully stored data,
• to object to processing under certain conditions.

These rights can be exercised with the competent authorities of the respective member state, whose contact details must be provided.

Data Protection Supervision

Compliance with data protection requirements is supervised by national supervisory bodies and, at the European level, by the European Data Protection Supervisor (EDPS).

Access Rights and Authorities

Authorities with Access Rights

According to the applicable regulation, only specifically designated authorities of member states responsible for asylum, border control, or law enforcement have access to Eurodac. In the context of counter-terrorism or serious criminal offences, access is specially regulated and strictly monitored.

Logging and Monitoring

All access to the central system is logged to make misuse of data traceable. The logs serve both to check access permissions and to follow up on data protection violations.

Relationship to Other EU Instruments

Eurodac is embedded in an overall system of European IT structures in the field of asylum and migration, such as the Schengen Information System (SIS), the Visa Information System (VIS), and other instruments belonging to the Common European Asylum System (CEAS). The reform process initiated in 2023 with the Migration and Asylum Pact provides for a comprehensive adjustment and expansion of the Eurodac system. Planned measures include, among others, the storage of additional biometric data and expansion to cover further target groups.

Legal Remedies and Controls

Individual Protection of Rights

Against unlawful collection, processing or storage of data, affected individuals can seek administrative or judicial recourse under national law. In addition, there is the right to contact the data protection supervisory authority.

System Control

Regular audits and technical security reviews ensure the integrity and reliability of the entire system. Furthermore, eu-LISA is legally obliged to operate, maintain and further develop the system in accordance with the latest technical standards.

Literature and Further Legal Sources

• Regulation (EU) No 603/2013 on the establishment of “Eurodac”
• Dublin Regulation (EU) No 604/2013
• General Data Protection Regulation (EU) 2016/679
• Charter of Fundamental Rights of the European Union
• Website of the eu-LISA Agency

Eurodac is a central component of the European asylum system, operated under strict data protection and procedural rules. Ongoing legal developments reflect the challenges and need for reform of the EU’s common migration and asylum policy.

Frequently Asked Questions

Who is legally authorized to access data in Eurodac?

According to the Eurodac Regulation (Regulation (EU) No. 603/2013), only certain authorities of the member states and Europol are entitled to access the data stored in Eurodac. These authorities must be responsible for asylum matters, for establishing identity, for reception and examination of applications for international protection, or for combating serious crime and terrorism. Access to Eurodac data is strictly regulated and requires prior verification of necessity and proportionality. For law enforcement purposes, data may generally be accessed only when national data files have already been queried without result. All accesses are logged and monitored by independent data protection authorities to prevent abuse.

How long may personal data be stored in the Eurodac system?

The retention period for personal data in Eurodac depends on the respective category. For asylum seekers (category 1), Article 12 of the Eurodac Regulation stipulates a maximum retention period of 10 years from the time the fingerprints are taken. For persons apprehended during irregular border crossing (category 2), the retention period is 18 months; for illegal residents (category 3), it is 18 months from the time of registration. If certain conditions are met during the relevant retention period (e.g., recognition of refugee status or acquisition of the nationality of a member state), the relevant data must be deleted immediately. Responsibility for the deletion lies with the member state that entered the data.

What legal obligations do member states have regarding data protection and data security with Eurodac?

Member states are subject to extensive obligations regarding data protection and data security. The processing of personal data in the context of Eurodac must be carried out in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), Directive (EU) 2016/680, and the specific provisions of the Eurodac Regulation. They are required to take appropriate technical and organizational measures to protect data against unauthorized access, loss, or misuse. Each member state must designate an independent supervisory authority to oversee processing. It must also be ensured that all access and processing are logged and that data subjects are informed of their rights (e.g., right of access, rectification, and deletion). Data transfers to third countries or international organizations are subject to particularly strict conditions and are only permitted in exceptional cases.

Under what legal conditions may data from Eurodac be used for law enforcement purposes?

The transfer and use of Eurodac data for law enforcement purposes are governed by Chapter VI of the Eurodac Regulation. Access is only permitted in cases of serious crime or terrorist activities and is subject to strict conditions: A request may be made only after national fingerprint databases have been checked without success. Furthermore, access may only be for the purpose of identification or to determine the whereabouts of a person. The requesting authority must demonstrate the necessity of the measure. The processing, use, and storage in the context of law enforcement are limited to the purpose and duration of the respective investigation. Logging and post-control of all accesses by independent supervisory authorities are required by law.

What rights do data subjects have regarding their data stored in Eurodac?

Data subjects have various rights arising from both the GDPR and the Eurodac Regulation. These include the right to access stored data, the right to rectification of inaccurate data, the right to erasure (“right to be forgotten”), the right to restrict processing, and the right to lodge a complaint with a data protection supervisory authority. These rights are generally exercised with the member state that entered the data. Upon the data subject’s request, authorities must inform them of measures taken without delay and at the latest within one month. If, for example, rights to erasure or rectification are not granted, judicial or administrative remedies are available.

What legal provisions apply to the transfer of Eurodac data to third countries or international organizations?

The transfer of data from Eurodac to third countries or international organizations is generally prohibited and only permitted in expressly regulated exceptional cases. The Eurodac Regulation provides that transmission is only allowed if it is absolutely necessary for processing an asylum application, for the protection of the rights of the data subject, or for establishing identity due to serious crime, and only with the consent of the member state concerned. In addition, the relevant provisions of the GDPR and Directive (EU) 2016/680 must always be observed. Under no circumstances may a transfer take place if there is reason to believe that it would cause harm to the person, particularly the risk of torture, inhuman or degrading treatment or punishment.

To what extent is there an obligation to log and monitor the use of data in Eurodac?

Every access to Eurodac data must be continuously logged in accordance with Art. 34 of the Eurodac Regulation. These logs must include information on the purpose, date and time of access, the accessing authority, and the data sets viewed. The logs serve to review the permissibility and correctness of data processing and are regularly checked by independent data protection authorities. Logging and monitoring obligations are a central element in ensuring the transparency and traceability of data processing in Eurodac. Violations of the logging obligation can result in disciplinary and criminal consequences for responsible authorities and individuals.