The EU fingerprint database (Eurodac)

The EU has established a central fingerprint database for asylum seekers to help process asylum applications. The Danish Data Protection Agency is a supervisory authority tasked with ensuring that the authorities comply with provisions relating to this area, which you can read more about below.

When a person travels to Europe to seek asylum, the immigration authorities need to find out which of the Member States is responsible for processing that asylum seeker’s application. The Eurodac Regulation (EU) No 603/2013 of 26 June 2013 establishes the legal framework for how authorities in a Member State can run checks in a common fingerprint database to determine whether an asylum seeker has previously applied for asylum in another Member State. If that turns out to be the case, the authorities can refuse an application for asylum solely on that basis.

To that end, the EU has created a European fingerprint database called Eurodac. The system, which has been exclusively designed to identify asylum seekers, consists of a central database with fingerprint data. The European Commission is responsible for administering the database, which relevant authorities in each EU Member State can access.

What data is recorded

At present, all applicants aged 14 years and above are fingerprinted as a routine part of the asylum application process. The fingerprints are electronically transmitted to a central unit in the European Commission, where they are automatically cross-referenced with all the fingerprints already stored in the database. This allows the authorities to investigate whether the applicant has entered the EU without the necessary documentation and whether they have already applied for asylum in another Member State.

The fingerprints are used for the sole purpose of moving the asylum application procedure forward. The scheme ensures that genuine refugees are sent directly to the Member State that is supposed to process their application. At the same time, the scheme prevents illegitimate applicants from “shopping around” in other Member States after their application has been denied in one Member State, or from submitting several applications for asylum in several countries at the same time.

The following data is registered about asylum seekers in the central system:

  • fingerprints as well as the date of fingerprinting and transmission of the fingerprint data to Eurodac
  • Member State of origin as well as the location and date of the submission of the asylum application
  • gender
  • reference number used in the Member State of origin
  • where appropriate, the date of the person’s arrival after a transfer from another Member State
  • where appropriate, the date on which the person concerned left or was deported from the Member States’ territory
  • where appropriate, the date on which the decision was made to process the application of the person concerned

The following data is registered about illegal immigrants in the system:

  • fingerprints as well as the date of fingerprinting and transmission of the fingerprint data to Eurodac
  • Member State of origin as well as the location and date of the apprehension of the person concerned
  • gender
  • reference number used in the Member State of origin

Fingerprints of asylum seekers are stored for a maximum of 10 years. Once this period expires, or as soon as an applicant acquires citizenship in a Member State, the data is automatically erased. Fingerprints of illegal immigrants are only stored for 18 months.

What rights do registered persons have?

If you are registered in Eurodac, you have certain rights. You generally have the right to know whether data about you has been entered in Eurodac, as well as the right to access personal data about you. You also have the right to have factually incorrect data rectified and demand the erasure of unlawfully registered data.

If you want:

  • access to data about you that has been registered in Eurodac
  • to rectify data about you in Eurodac which you believe is factually incorrect or incomplete
  • to demand the erasure of data about you in Eurodac which you believe has been illegally registered

you should contact the Danish National Police, which is the authority responsible for the data (the data controller).

You can find the contact details for the Danish National Police on their website.

Supervision of Eurodac

The European Data Protection Supervisor (EDPS) is the supervisory authority of the Central Unit, while the national data protection authorities are responsible for supervising the use of Eurodac in their respective Member States.

In Denmark, the national supervisory authority is the Danish Data Protection Agency. The Danish Data Protection Agency supervises, through investigative and corrective powers, the use of data that is transmitted and received in accordance with the provisions of the Eurodac Regulation. The national data protection authorities derive their supervisory authority from Article 30 of the Eurodac Regulation.
This supervisory role mainly entails inspections and processing complaints such as those of registered persons who object to having been registered in Eurodac or having been denied access to the data that has been registered about them in the system.

Complaints

If you are dissatisfied with a decision reached by the Danish National Police concerning your request to access, rectify or erase data about you in Eurodac, you can submit a complaint to the Danish Data Protection Agency.

For complaints concerning (denial of) access to personal data in Eurodac, the Danish Data Protection Agency considers whether the Danish National Police’s denial of access is justified. At the same time, the Danish Data Protection Agency checks for any registrations that would be in breach of the provisions relating to Eurodac.

For complaints concerning rectification or erasure of data in Eurodac, the Danish Data Protection Agency considers whether the Danish National Police’s refusal to rectify or erase data in Eurodac is justified. The Danish Data Protection Agency also checks to make sure that none of the data recorded in Eurodac about the person constitutes a violation of the rules, including any information that ought to have been erased according to the rules.

If you wish to submit a complaint to the Danish Data Protection Agency

In order to process your complaint concerning a decision made by the Danish National Police about your right to access, rectify or erase data in Eurodac, the agency requires the following information:

  • a description of the nature of your complaint
  • a copy of the decision or response that you received from the Danish National Police
  • any other material that you think is relevant to your complaint

If you submit a complaint to the Danish Data Protection Agency concerning the processing of your personal data in Eurodac before you have contacted the Danish National Police, the agency will generally refer your complaint to the Danish National Police, as the Danish National Police is the formal data controller of Eurodac.

If you are dissatisfied with the Danish Data Protection Agency’s decision, you may bring the matter before a court of law. You cannot submit a complaint to other authorities about the Danish Data Protection Agency’s decision.

Denmark’s Justice and Home Affairs opt-out

As a consequence of the Danish Justice and Home Affairs opt-out, Denmark is not directly a party to the Eurodac Regulation, but the country has subsequently adopted the Eurodac Regulation through a so-called “parallel agreement”, which is why (parts of) the provisions of the regulation apply in Denmark.