When people come to EU to request for asylum, authorities competent for implementing the immigration policy must know which Member State should handle their application. From 2003 on this part of the asylum procedure is facilitated by Eurodac (European automated fingerprint identification system).
Eurodac is the European Union fingerprint database, created only for identifying asylum seekers. Fingerprints are taken in a routine procedure from every applicant of at least 14 years of age when requesting for asylum, in or outside EU. Afterwards the fingerprints are transmitted in a digital format to the Central System where they are automatically compared with the fingerprint data already stored in the system. This enables competent authorities to determine whether asylum seeker has already applied for asylum in another Member State or has entered EU without necessary documents.
Automated fingerprint identification system has been functional since 15 January 2003 and is the first system in the EU of that kind. All EU Member States participate in the system, plus three additional European countries: Norway, Iceland and Switzerland, who also ratified the Eurodac Regulation.
After transmitting fingerprint set to Eurodac, the participating country gets an immediate reply whether there is a match to fingerprint data stored in a central database. In case of a match the participating country can decide to return the seeker to the country where he first entered or applied for the asylum, competent authorities of this country are then obliged to decide on his right of residence. If there is no match, the application is handled by the country which sent the fingerprint set or entered them into system.
Regulations on the operation of Eurodac determine precise and harmonised rules for all EU Member States on fingerprints in central system, record of fingerprints and other important data in central system, their storage, their comparison with other fingerprint data, the transmission of the results of such comparison and the marking and erasure of the recorded data. The legal framework consists of:
Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice
Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person
Eurodac consists of a computerised central fingerprint database and a communication infrastructure for transmission of the data between Member States and the central system. The Commission’s central unit (agency) manages the central database on behalf of Member States (processing fingerprints – quality control, fingerprint comparison, storage and deletion; transmission of the results of comparison to the Member State of origin) and is equipped with Automated Fingerprint Identification System – AFIS.
Member States are responsible for collection of data, collection and processing of fingerprints and verification of the results of the comparison, made at the central unit.
Personal data protection
I. Personal data, processed in Eurodac
Eurodac system processes personal data of 3 categories of individuals:
Applicants for international protection of at least 14 years of age,
Third-country nationals or stateless persons of at least 14 years of age, apprehended in connection with the irregular crossing of an external border of a Member State,
Third-country nationals or stateless persons found illegally staying in a Member State.
The following personal data are recorded in the Central System:
a. Member State of origin, place and date of the application for international protection/apprehension;
b. fingerprint data;
d. reference number used by the Member State of origin;
e. date on which the fingerprints were taken;
f. date on which the data were transmitted to the Central System;
g. operator user ID;
h. where applicable, the date of the arrival of the person concerned after a successful transfer;
i. where applicable, the date when the person concerned left the territory of the Member States;
j. where applicable, the date when the person concerned left or was removed from the territory of the Member States;
k. where applicable, the date when the decision to examine the application was taken.
The fingerprints are taken only to persons of at least 14 years of age and transmitted to the Central System.
II. Data storage
In the case of applicants for international protection, each set of data is stored in the Central System for ten years from the date on which the fingerprints were taken. Upon expiry of this period the Central System automatically erases the data from the Central System. Data relating to a person who has acquired citizenship of any Member State before expiry of this period shall be erased from the Central System as soon as the Member State of origin becomes aware that the person concerned has acquired such citizenship.
In the case of third-country nationals or stateless persons apprehended in connection with the irregular crossing of an external border of a member State, each set of data relating to a third-country national or stateless person, is stored in the Central System for 18 months from the date on which his/her fingerprints were taken. Upon expiry of this period, the Central System automatically erases such data. The data relating to a third-country national or stateless person shall be erased from the Central System as soon as the Member State of origin becomes aware of one of the following circumstances before the 18 month period has expired:
- the third-country national or stateless person has been issued with a residence document;
- the third-country national or stateless person has left the territory of the Member States;
- the third-country national or stateless person has acquired the citizenship of any Member State.
With a view to checking whether a third-country national or a stateless person found illegally staying within its territory has previously lodged an application for international protection in another Member State, a Member State may transmit to the Central System any fingerprint data relating to fingerprints which it may have taken of any such third-country national or stateless person of at least 14 years of age together with the reference number used by that Member State. The fingerprint data of a third-country national or a stateless person shall be transmitted to the Central System solely for the purpose of comparison with the fingerprint data of applicants for international protection transmitted by other Member States and already recorded in the Central System. The fingerprint data of such a third-country national or a stateless person shall not be recorded in the Central System, nor shall they be compared with the data transmitted to the Central System.
III. Personal data security
The Member State of origin is responsible for ensuring that:
Fingerprints are taken lawfully;
fingerprint data and the other data are lawfully transmitted to the Central System;
data are accurate and up-to-date when they are transmitted to the Central System;
without prejudice to the responsibilities of the Agency, data in the Central System are lawfully recorded, stored, corrected and erased;
the results of fingerprint data comparisons transmitted by the Central System are lawfully processed.
The Member State of origin must adopt the necessary measures, including a security plan, in order to:
deny unauthorised persons access to national installations in which the Member State carries out operations in accordance with the purposes of Eurodac (checks at entrance to the installation);
physically protect the data, including by making contingency plans for the protection of critical infrastructure;
prevent the unauthorised reading, copying, modification or removal of data media (data media control);
prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data (storage control);
prevent the unauthorised processing of data in Eurodac and any unauthorised modification or erasure of data processed in Eurodac (control of data entry);
ensure that persons authorised to access Eurodac have access only to the data covered by their access authorisation, by means of individual and unique user IDs and confidential access modes only (data access control);
ensure that all authorities with a right of access to Eurodac create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, erase and search the data, (personnel profiles);
ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);
ensure that it is possible to verify and establish what data have been processed in Eurodac, when, by whom and for what purpose (control of data recording);
prevent the unauthorised reading, copying, modification or erasure of personal data during the transmission of personal data to or from Eurodac or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);
monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring in order to ensure compliance with the Regulation (EU) No 603/2014 (self-auditing) and to automatically detect within 24 hours any relevant events that might indicate the occurrence of a security incident.
IV. Access to, correction and erasure of data recorded in Eurodac
Only the Member State of origin has access to data which it has transmitted and which are recorded in the Central System. No Member State may conduct searches of the data transmitted by another Member State, nor may it receive such data apart from data resulting from the comparison.
The authorities of Member States which have access to data recorded in the Central System shall be those designated by each Member State. Each Member State must without delay communicate to the Commission and the Agency a list of those units and any amendments thereto.
Only the Member State of origin shall have the right to amend the data which it has transmitted to the Central System by correcting or supplementing such data, or to erase them.
The Agency shall not transfer or make available to the authorities of any third country data recorded in the Central System. This prohibition shall not apply to transfers of such data to third countries to which Regulation (EU) No 604/2013 applies.
V. Rights of the data subject
Each person, whose personal data are processed in Eurodac system (data subject), has the right to be informed by the Member State of origin in writing, and where necessary, orally, in a language that he or she understands or is reasonably supposed to understand, of the following:
(a) the identity of the controller and of his or her representative, if any;
(b) the purpose for which his or her data will be processed in Eurodac, including a description of the aims of Regulation (EU) No 604/2013, and an explanation in intelligible form, using clear and plain language, of the fact that Eurodac may be accessed by the Member States and Europol for law enforcement purposes;
(c) the recipients of the data;
(d) in relation to an applicant for international protection, third-country national or stateless person of at least 14 years of age, apprehended in connection with the irregular crossing of an external border of the member State, the obligation to have his or her fingerprints taken;
(e) the right of access to data relating to him or her, and the right to request that inaccurate data relating to him or her be corrected or that unlawfully processed data relating to him or her be erased, as well as the right to receive information on the procedures for exercising those rights including the contact details of the controller and the national supervisory authorities.
Each data subject has the right to:
be informed of the data relating to him or her recorded in the Central System and of the Member State which transmitted them to the Central System;
request that data which are factually inaccurate be corrected or that data recorded unlawfully be erased;
bring an action or, if appropriate, a complaint before the competent authorities or courts of the State if he or she is refused the right of access, correction or deletion.
The Eurodac system supervision is provided by:
European data Protection Supervisor (EDPS) - the competent authority to monitor and supervise the Central System activities to ensure that all the personal data processing activities concerning Eurodac respect the rights of the data subjects;
Member States – the designated national supervisory authority or authorities monitor the personal data processing on national level (Information Commissioner in Slovenia) in accordance with its respective national law;
VII. Eurodac Supervision Coordination Group
Active and coordinated cooperation is vital to ensure the protection of the data subjects rights. The Eurodac Supervision Coordination Group is a platform in which the EDPS and the national data protection authorities cooperate in the framework of their responsibilities in order to ensure a coordinated supervision of Eurodac.
The tasks of the Coordination Group are to:
examine implementation problems in connection with the operation of Eurodac;
examine difficulties experienced during checks by the supervisory authorities
examine difficulties of interpretation or application of the Eurodac regulation;
draw up recommendations for common solutions to existing problems;
endeavour to enhance cooperation between the supervisory authorities.
The Coordination Group is made up of one representative from each of the national supervisory authorities for Eurodac and the EDPS. Each delegation has one vote. Each member of the Coordination Group is designated by the supervisory authority he represents. Where a Member State has designated more than one supervisory authority, they nominate a joint representative.
3. Organisation and operation
The Coordination Group meets at least twice a year. A meeting is valid if more than half of the delegations are present. The decisions are accepted by a majority of the votes validly cast. Experts and observers may participate in the meetings pursuant to a decision of the Coordination Group.
The minutes and any draft documents of the Coordination Group are not public unless the Coordination Group decides otherwise. Reports, recommendations and any other documents adopted by the Coordination Group are public, unless the Coordination Group decides otherwise. The Coordination Group draws up an activity report at least once every two years.