1.   A system known as ‘Eurodac’ is hereby established. Its purpose is to:

2.   Without prejudice to the processing of data intended for Eurodac by the Member State of origin in databases set up under that Member State’s national law, biometric data and other personal data may be processed in Eurodac only for the purposes set out in this Regulation, in Regulations (EC) No 767/2008, (EU) 2018/1240, (EU) 2019/818, (EU) 2024/1351 and (EU) 2024/1350 and in Directive 2001/55/EC.

This Regulation fully respects human dignity and fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union (the ‘Charter’), including the right to respect for private life, the right to the protection of personal data, the right to asylum and the prohibition of torture and inhuman or degrading treatment. In that respect, the processing of personal data in accordance with this Regulation shall not result in any discrimination against persons covered by this Regulation based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

A person’s right to privacy and to data protection shall be safeguarded in accordance with this Regulation, both with regard to access by the Member States’ authorities and by the Union’s authorised agencies to Eurodac.

1.   For the purposes of this Regulation:

2.   The definitions set out in Article 4 of Regulation (EU) 2016/679 shall apply to this Regulation in so far as personal data are processed by the authorities of the Member States for the purposes laid down in Article 1(1), points (a), (b), (c) and (j) of this Regulation.

3.   Unless stated otherwise, the definitions set out in Article 2 of Regulation (EU) 2024/1351 shall apply to this Regulation.

4.   The definitions set out in Article 3 of Directive (EU) 2016/680 shall apply to this Regulation in so far as personal data are processed by the competent authorities of the Member States for law enforcement purposes.

1.   Eurodac shall consist of:

2.   The CIR shall contain the data referred to in Article 17(1), points (a) to (f), (h) and (i), Article 19(1), points (a) to (f), (h) and (i), Article 21(1), points (a) to (f), (h) and (i), Article 22(2), points (a) to (f), (h) and (i), Article 23(2), points (a) to (f), (h) and (i), Article 24, paragraph (2), points (a) to (f) and (h), and paragraph (3), point (a), and Article 26(2), points (a) to (f), (h) and (i). The remaining Eurodac data shall be stored in the Central System.

3.   The Communication Infrastructure shall use the existing ‘Secure Trans European Services for Telematics between Administrations’ (TESTA) network. In order to ensure confidentiality, personal data transmitted to or from Eurodac shall be encrypted.

4.   Each Member State shall have a single National Access Point. Europol shall have a single access point (the Europol Access Point).

5.   Data relating to persons covered by Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) and Article 26(1) which are processed in Eurodac shall be processed on behalf of the Member State of origin under the conditions set out in this Regulation and separated by appropriate technical means.

6.   All datasets registered in Eurodac corresponding to the same third-country national or stateless person shall be linked in a sequence. Where an automatic comparison is carried out in accordance with Articles 27 and 28 and a hit is obtained against at least one other set of fingerprints or, where those fingerprints are of a quality which does not ensure appropriate comparison or are not available, facial image data in another dataset corresponding to that same third-country national or stateless person, Eurodac shall automatically link those datasets on the basis of the comparison. Where necessary, an expert shall check, in accordance with Article 38(4) and (5), the result of an automatic comparison carried out in accordance with Articles 27 and 28. When the receiving Member State confirms the hit, it shall send a notification confirming the linking of those datasets to eu-LISA.

7.   The rules governing Eurodac shall also apply to operations carried out by the Member States as from the transmission of data to Eurodac until use is made of the results of the comparison.

1.   eu-LISA shall be responsible for the operational management of Eurodac.

The operational management of Eurodac shall consist of all the tasks necessary to keep Eurodac functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality, in particular as regards the time required to query Eurodac. eu-LISA shall develop a business continuity plan and system, taking into account maintenance needs and unforeseen downtime of Eurodac, including the impact of business continuity measures on data protection and security.

eu-LISA shall ensure, in cooperation with the Member States, that the best available and most secure technology and techniques, subject to a cost-benefit analysis, are used for Eurodac.

2.   eu-LISA may use real personal data from the Eurodac production system for testing purposes, in accordance with Regulation (EU) 2016/679, in the following cases:

In the cases referred to in points (a) and (b) of the first subparagraph, the security measures, access control and logging activities at the testing environment shall be equal to the ones for the Eurodac production system. Processing of real personal data adapted for testing shall be subject to stringent conditions and rendered anonymous in such a way that the data subject is no longer identifiable. Once the purpose for which the testing was carried out has been achieved or the tests have been completed, the real personal data shall be immediately and permanently erased from the testing environment.

3.   eu-LISA shall be responsible for the following tasks relating to the Communication Infrastructure:

4.   The Commission shall be responsible for all tasks relating to the Communication Infrastructure, other than those referred to in paragraph 3, in particular:

5.   Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Regulation (EEC, Euratom, ECSC) No 259/68 of the Council (35), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to all its staff required to work with Eurodac data. This paragraph shall also apply after such staff leave office or employment or after the termination of their duties.

1.   For law enforcement purposes, Member States shall designate the authorities that are authorised to request comparisons with Eurodac data pursuant to this Regulation. Designated authorities shall be authorities of the Member States which are responsible for the prevention, detection or investigation of terrorist offences or of other serious criminal offences.

2.   Each Member State shall keep a list of its designated authorities.

3.   Each Member State shall keep a list of the operating units within its designated authorities that are authorised to request comparisons with Eurodac data through the National Access Point.

1.   For law enforcement purposes, each Member State shall designate a single national authority or a unit of such an authority to act as its verifying authority. The verifying authority shall be an authority of the Member State which is responsible for the prevention, detection or investigation of terrorist offences or of other serious criminal offences.

The designated authority and the verifying authority may be part of the same organisation, if permitted under national law, but the verifying authority shall act independently when performing its tasks under this Regulation. The verifying authority shall be separate from the operating units referred to in Article 5(3) and shall not receive instructions from them as regards the outcome of the verification.

In accordance with their constitutional or legal requirements, Member States may designate more than one verifying authority to reflect their organisational and administrative structures.

2.   The verifying authority shall ensure that the conditions for requesting comparisons of biometric or alphanumeric data with Eurodac data are fulfilled.

Only duly empowered staff of the verifying authority shall be authorised to receive and forward requests for access to Eurodac in accordance with Article 32.

Only the verifying authority shall be authorised to forward requests for comparison of biometric or alphanumeric data to the National Access Point.

1.   For law enforcement purposes, Europol shall designate one or more of its operating units as the ‘Europol designated authority’. The Europol designated authority shall be authorised to request comparisons with Eurodac data through the Europol Access Point in order to support and strengthen action by Member States in preventing, detecting or investigating terrorist offences or other serious criminal offences falling within Europol’s mandate.

2.   For law enforcement purposes, Europol shall designate a single specialised unit with duly empowered Europol officials to act as its verifying authority. The Europol verifying authority shall be authorised to forward requests by the Europol designated authority for comparisons with Eurodac data through the Europol Access Point. The Europol verifying authority shall be fully independent of the Europol designated authority when performing its tasks under this Regulation. The Europol verifying authority shall be separate from the Europol designated authority and shall not receive instructions from it as regards the outcome of the verification. The Europol verifying authority shall ensure that the conditions for requesting comparisons of biometric or alphanumeric data with Eurodac data are fulfilled.

1.   From 12 June 2026, Eurodac shall be connected to the European search portal referred to in Article 6 of Regulation (EU) 2019/818 in order to enable the application of Articles 11 and 20 of Regulation (EU) 2018/1240.

2.   The automated processing referred to in Article 20 of Regulation (EU) 2018/1240 shall enable the verifications provided for in that Article and the subsequent verifications provided for in Articles 22 and 26 of that Regulation.

For the purpose of carrying out the verifications referred to in Article 20(2), point (k), of Regulation (EU) 2018/1240, the ETIAS Central System shall use the European search portal to compare the data in ETIAS with the data in Eurodac collected on the basis of Articles 17, 19, 21, 22, 23, 24 and 26 of this Regulation in a read-only format using the data categories listed in the table of correspondences set out in Annex I of this Regulation corresponding to persons having left or having been removed from the territory of the Member States in compliance with a return decision or removal order. Those verifications shall be without prejudice to the specific rules provided for in Article 24(3) of Regulation (EU) 2018/1240.

1.   ETIAS National Units shall consult Eurodac by means of the same alphanumerical data as those used for the automated processing referred to in Article 8.

2.   For the purposes of Article 1(1), point (g), of this Regulation, the ETIAS National Units shall have access to Eurodac, in accordance with Regulation (EU) 2018/1240, to consult data in a read-only format in order to examine applications for travel authorisation. In particular, the ETIAS National Units may consult the data referred to in Articles 17, 19, 21, 22, 23, 24 and 26 of this Regulation.

3.   Following consultation and access pursuant to paragraphs 1 and 2, the result of the assessment shall be recorded only in the ETIAS application files.

1.   eu-LISA shall draw up statistics on the work of Eurodac every month indicating, in particular:

2.   The monthly statistical data for persons as referred to in paragraph 1, shall be published each month. At the end of each year, eu-LISA shall publish the yearly statistical data for persons referred to in paragraph 1. The statistical data shall be broken down by Member State. The statistical data for persons as referred to in paragraph 1, point (i), shall, where possible, be broken down by year of birth and sex.

Nothing in this paragraph shall affect the anonymised nature of the statistical data.

3.   For the purpose of supporting the objectives referred to in Article 1, points (c) and (i), eu-LISA shall produce monthly cross-system statistics. Those statistics shall not allow for the identification of individuals and shall use data from Eurodac, the VIS, ETIAS and the EES.

The statistics referred to in the first subparagraph shall be made available to the Member States, to the European Parliament, to the Commission, to the European Union Agency for Asylum, to the European Border and Coast Guard Agency and to Europol.

The Commission shall, by means of implementing acts, specify the content of the monthly cross-system statistics referred to in the first subparagraph. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 56(2).

Cross-system statistics alone shall not be used to deny access to the territory of the Union.

4.   At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the application of this Regulation and the statistics referred to in paragraph 1 and shall, upon request, make them available to the Member States, to the European Parliament, to the European Union Agency for Asylum, to the European Border and Coast Guard Agency and to Europol.

5.   eu-LISA shall store the data referred to in paragraphs 1 to 4 of this Article for research and analysis purposes, thus enabling the authorities referred to in paragraph 3 of this Article to obtain customisable reports and statistics in the central repository for reporting and statistics referred to in Article 39 of Regulation (EU) 2019/818. Those data shall not allow for the identification of individuals.

6.   Access to the central repository for reporting and statistics as referred to in Article 39 of Regulation (EU) 2019/818 shall be granted to eu-LISA, to the Commission, to the authorities designated by each Member State in accordance with Article 40(2) of this Regulation and to the authorised users of the European Union Agency for Asylum, of the European Border and Coast Guard Agency and of Europol, where such access is relevant for the implementation of their tasks.

1.   Member States shall take the biometric data of persons referred to in Article 15(1), Article 18(1) and (2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) and Article 26(1) for the purposes of Article 1(1), points (a), (b), (c) and (j), and shall require those persons to provide their biometric data and inform them in accordance with Article 42.

2.   Member States shall respect the dignity and physical integrity of the person during the fingerprinting procedure and when capturing his or her facial image.

3.   Administrative measures for the purpose of ensuring compliance with the obligation to provide biometric data set out in paragraph 1 shall be laid down in national law. Those measures shall be effective, proportionate and dissuasive and may include the possibility to use means of coercion as a last resort.

4.   Where all of the measures laid down in national law as referred to in paragraph 3 fail to ensure compliance by an applicant with the obligation to provide biometric data, the relevant provisions of Union law on asylum concerning non-compliance with that obligation shall apply.

5.   Without prejudice to paragraphs 3 and 4, where it is impossible to take the biometric data of a third-country national or stateless person who is deemed to be a vulnerable person due to the condition of that person’s fingertips or face, and where that person did not intentionally bring about the condition, the authorities of the Member State concerned shall not employ administrative measures for ensuring compliance with the obligation to provide biometric data.

6.   The procedure for taking biometric data shall be determined and applied in accordance with the national practice of the Member State concerned and in accordance with the safeguards laid down in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

1.   The biometric data of minors from the age of six shall be taken by officials trained specifically to take a minor’s biometric data in a child-friendly and child-sensitive manner and in full respect of the best interests of the child and the safeguards laid down in the United Nations Convention on the Rights of the Child.

The best interests of the child shall be a primary consideration in the application of this Regulation. In the event that there is uncertainty as to whether or not a child is under the age of six and there is no supporting proof of that child’s age, the competent authorities of the Member States shall consider that child to be under the age of six for the purposes of this Regulation.

The minor shall be accompanied by, where present, an adult family member throughout the time when his or her biometric data are taken. The unaccompanied minor shall be accompanied by a representative or, where a representative has not been designated, a person trained to safeguard the best interests of the child and his or her general wellbeing, throughout the time when his or her biometric data are taken. Such a trained person shall not be the official responsible for taking the biometric data, shall act independently and shall not receive orders either from the official or the service responsible for taking the biometric data. Such a trained person shall be the person designated to provisionally act as a representative under Directive (EU) 2024/1346, where that person has been designated.

No form of force shall be used against minors to ensure their compliance with the obligation to provide biometric data. However, where permitted by relevant Union or national law, and as a last resort, a proportionate degree of coercion may be used against minors to ensure their compliance with that obligation. When applying such a proportionate degree of coercion, Member States shall respect the dignity and physical integrity of the minor.

Where a minor, in particular an unaccompanied or separated minor, refuses to give their biometric data and there are reasonable grounds for believing that there are risks relating to safeguarding or protecting the minor, as assessed by an official trained specifically to take a minor’s biometric data, the minor shall be referred to the competent national child protection authorities, the national referral mechanisms or both.

2.   Where it is not possible to take the fingerprints or capture the facial image of a minor due to the conditions of the fingertips or face, Article 13(5) shall apply. Where the fingerprints or facial image of a minor are retaken, paragraph 1 of this Article shall apply.

3.   Eurodac data that pertain to a child under the age of 14 shall only be used for law enforcement purposes against such a child where there are grounds in addition to those referred to in Article 33(1), point (d), to consider that those data are necessary for the purpose of the prevention, detection or investigation of a terrorist offence or other serious criminal offence which that child is suspected of having committed.

4.   This Regulation shall be without prejudice to the application of the conditions set out in Article 13 of Directive (EU) 2024/1346.

1.   Each Member State shall take, in accordance with Article 13(2), the biometric data of every applicant for international protection of at least six years of age:

Non-compliance with the 72-hour time limit referred to in the first subparagraph, points (a) and (b), of this paragraph shall not relieve Member States of the obligation to take the biometric data and transmit them to Eurodac. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 38, the Member State of origin shall retake the fingerprints of the applicant and retransmit them as soon as possible and no later than 48 hours after they have been successfully retaken.

2.   By way of derogation from paragraph 1, where it is not possible to take the biometric data of an applicant for international protection on account of measures taken to ensure his or her health or the protection of public health, Member States shall take and transmit such biometric data as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time limits referred to in paragraph 1, the first subparagraph, points (a) and (b), by a maximum of a further 48 hours in order to carry out their national continuity plans.

3.   Where requested by the Member State concerned, the biometric data, alphanumeric data and, where available, a scanned colour copy of an identity or travel document may also be taken and transmitted on behalf of that Member State by members of the European Border and Coast Guard Teams or experts of the asylum support teams specifically trained for that purpose, when exercising powers and performing their tasks in accordance with Regulations (EU) 2019/1896 and (EU) 2021/2303.

4.   Each dataset collected and transmitted in accordance with this Article shall be linked with other datasets corresponding to the same third-country national or stateless person in a sequence as set out in Article 3(6).

1.   As soon as the Member State responsible has been determined in accordance with Regulation (EU) 2024/1351, the Member State that conducts the procedures for determining the Member State responsible shall update its dataset recorded in accordance with Article 17 of this Regulation regarding the person concerned by adding the Member State responsible.

Where a Member State becomes responsible because there are reasonable grounds to consider that the applicant poses a threat to internal security in accordance with Article 16(4) of Regulation (EU) 2024/1351, it shall update its dataset recorded in accordance with Article 17 of this Regulation regarding the person concerned by adding the Member State responsible.

2.   The following information shall be sent to Eurodac in order to be stored in accordance with Article 29(1) for the purposes of transmission under Articles 27 and 28:

3.   Where responsibility shifts to another Member State, pursuant to Articles 37(1) and Article 68(3) of Regulation (EU) 2024/1351, the Member State that establishes that responsibility has shifted, or the Member State of relocation, shall indicate the Member State responsible.

4.   Where paragraph 1 or 3 of this Article or Article 31(6) apply, Eurodac shall, as soon as possible and no later than 72 hours after receiving the data concerned, inform all Member States of origin of the transmission of such data by another Member State of origin having produced a hit with data which they transmitted relating to persons as referred to in Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) or Article 26(1). Those Member States of origin shall also update the Member State responsible in the datasets corresponding to persons as referred to in Article 15(1).

1.   Only the following data shall be recorded in Eurodac in accordance with Article 3(2):

2.   Additionally, where applicable and available, the following data shall be promptly recorded in Eurodac in accordance with Article 3(2):

3.   Where all the data referred to in paragraph 1, points (a) to (f) and (h), of this Article relating to a person as referred to in Article 15 are recorded in Eurodac, they shall be considered to be a dataset transmitted to Eurodac for the purposes of Article 27(1), point (aa), of Regulation (EU) 2019/818.

4.   The Member State of origin which has concluded that the threat to internal security identified following the screening referred to in Regulation (EU) 2024/1356 or following an examination pursuant to Article 16(4) of Regulation (EU) 2024/1351 or to Article 9(5) of Regulation (EU) 2024/1348 no longer applies shall delete the record of the security flag from the dataset, after having consulted any other Member States having registered a dataset of the same person. Eurodac shall, as soon as possible and no later than 72 hours after the deletion of the security flag by another Member State of origin having produced a hit with data which other Member States of origin transmitted relating to persons as referred to in Article 15(1), Article 22(1), Article 23(1) or Article 24(1) of this Regulation, inform those Member States of origin of that deletion. Those Member States of origin shall also delete the security flag in the corresponding dataset.

1.   Each Member State shall promptly take, in accordance with Article 13(2), the biometric data of every third-country national or stateless person of at least six years of age who is apprehended by the competent control authorities in connection with the irregular crossing by land, sea or air of the border of that Member State, who comes from a third country, who is not turned back, or who remains physically on the territory of the Member States, and who is not kept in custody, confinement or detention during the entirety of the period between apprehension and removal on the basis of the decision to turn him or her back.

2.   The Member State concerned shall, as soon as possible and no later than 72 hours after the date of apprehension, transmit to Eurodac in accordance with Article 3(2) the following data in relation to any third-country national or stateless person referred to in paragraph 1 who is not turned back:

3.   Additionally, where applicable and available, the following data shall be promptly transmitted to Eurodac in accordance with Article 3(2):

4.   By way of derogation from paragraph 2, the data referred to in paragraph 2 relating to persons apprehended, as referred to in paragraph 1, who remain physically on the territory of the Member States but are kept in custody, confinement or detention upon their apprehension for a period exceeding 72 hours shall be transmitted before their release from custody, confinement or detention.

5.   Non-compliance with the 72-hour time limit referred to in paragraph 2 of this Article shall not relieve Member States of the obligation to take the biometric data and transmit them to Eurodac. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 38, the Member State of origin shall retake the fingerprints of persons apprehended as described in paragraph 1 of this Article and retransmit them as soon as possible and no later than 48 hours after they have been successfully retaken.

6.   By way of derogation from paragraph 1, where it is not possible to take the biometric data of the apprehended person on account of measures taken to ensure his or her health or the protection of public health, the Member State concerned shall take and transmit such biometric data as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time limit referred to in paragraph 2 by a maximum of a further 48 hours in order to carry out their national continuity plans.

7.   As soon as the Member State of origin ensures that the person concerned whose data were recorded in Eurodac in accordance with paragraph 1 has left the territory of the Member States in compliance with a return decision or removal order, it shall update its dataset recorded relating to the person concerned by adding the date of his or her removal or when he or she left the territory.

8.   Where requested by the Member State concerned, the biometric data, alphanumeric data and, where available, a scanned colour copy of an identity or travel document may also be taken and transmitted on behalf of that Member State by members of the European Border and Coast Guard Teams or experts of the asylum support teams specifically trained for that purpose, when exercising powers and performing their tasks in accordance with Regulations (EU) 2019/1896 and (EU) 2021/2303.

9.   Each dataset collected and transmitted in accordance with this Article shall be linked with other datasets corresponding to the same third-country national or stateless person in a sequence as set out in Article 3(6).

10.   Where all the data referred to in paragraph 2, points (a) to (f) and (h), of this Article relating to a person as referred to in paragraph 1 of this Article are recorded in Eurodac, they shall be considered to be a dataset transmitted to Eurodac for the purposes of Article 27(1), point (aa), of Regulation (EU) 2019/818.

1.   Each Member State shall promptly take, in accordance with Article 13(2), the biometric data of every third-country national or stateless person of at least six years of age who is illegally staying within its territory.

2.   The Member State concerned shall, as soon as possible and no later than 72 hours after the third-country national or the stateless person has been found to be illegally staying, transmit to Eurodac in accordance with Article 3(2) the following data in relation to any third-country national or stateless person referred to in paragraph 1:

3.   Additionally, where applicable and available, the following data shall be promptly transmitted to Eurodac in accordance with Article 3(2):

4.   Non-compliance with the 72-hour time limit referred to in paragraph 2 of this Article shall not relieve Member States of the obligation to take the biometric data and transmit them to Eurodac. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 38, the Member State of origin shall retake the fingerprints of persons apprehended as described in paragraph 1 of this Article and retransmit them as soon as possible and no later than 48 hours after they have been successfully retaken.

5.   By way of derogation from paragraph 1, where it is not possible to take the biometric data of the apprehended person on account of measures taken to ensure his or her health or the protection of public health, the Member State concerned shall take and transmit such biometric data as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time limit referred to in paragraph 2 by a maximum of a further 48 hours in order to carry out their national continuity plans.

6.   As soon as the Member State of origin ensures that the person concerned whose data were recorded in Eurodac in accordance with paragraph 1 has left the territory of the Member States in compliance with a return decision or removal order, it shall update its dataset recorded relating to the person concerned by adding the date of his or her removal or when he or she left the territory.

7.   Each dataset collected and transmitted in accordance with this Article shall be linked with other datasets corresponding to the same third-country national or stateless person in a sequence as set out in Article 3(6).

8.   Where all the data referred to in paragraph 2, points (a) to (f) and (h), of this Article relating to a person as referred to in paragraph 1 of this Article are recorded in Eurodac, they shall be considered to be a dataset transmitted to Eurodac for the purposes of Article 27(1), point (aa), of Regulation (EU) 2019/818.

1.   Each Member State shall promptly take the biometric data of every third-country national or stateless person of at least six years of age who is disembarked following a search and rescue operation as defined in Regulation (EU) 2024/1351.

2.   The Member State concerned shall, as soon as possible and no later than 72 hours after the date of disembarkation, transmit to Eurodac in accordance with Article 3(2) the following data in relation to any third-country national or stateless person referred to in paragraph 1:

3.   Additionally, where applicable and available, the following data shall be transmitted to Eurodac in accordance with Article 3(2) as soon as available:

4.   Non-compliance with the time limit referred to in paragraph 2 of this Article shall not relieve Member States of the obligation to take the biometric data and transmit them to Eurodac. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 38, the Member State of origin shall retake the fingerprints of persons disembarked as described in paragraph 1 of this Article and retransmit them as soon as possible and no later than 48 hours after they have been successfully retaken.

5.   By way of derogation from paragraph 1, where it is not possible to take the biometric data of the disembarked person on account of measures taken to ensure his or her health or the protection of public health, the Member State concerned shall take and transmit such biometric data as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 72-hour time limit referred to in paragraph 2 by a maximum of a further 48 hours in order to carry out their national continuity plans.

6.   In the event of a sudden influx, Member States may extend the 72-hour time limit referred to in paragraph 2 by a maximum of a further 48 hours. That derogation shall enter into force on the date it is notified to the Commission and to the other Member States and for the duration stated in the notification. The duration stated in the notification shall not exceed one month.

7.   As soon as the Member State of origin ensures that the person concerned whose data were recorded in Eurodac in accordance with paragraph 1 has left the territory of the Member States in compliance with a return decision or removal order, it shall update its dataset recorded relating to the person concerned by adding the date of his or her removal or when he or she left the territory.

8.   Where requested by the Member State concerned, the biometric data, alphanumeric data and, where available, a scanned colour copy of an identity or travel document may also be taken and transmitted on behalf of that Member State by members of the European Border and Coast Guard Teams or experts of the asylum support teams specifically trained for that purpose, when exercising powers and performing their tasks in accordance with Regulations (EU) 2019/1896 and (EU) 2021/2303.

9.   Each dataset collected and transmitted in accordance with this Article shall be linked with other datasets corresponding to the same third-country national or stateless person in a sequence as set out in Article 3(6).

10.   Without prejudice to the application of Regulation (EU) 2024/1351, the fact that the data of a person are transmitted to Eurodac in accordance with this Article shall not result in any discrimination against or difference of treatment of a person covered by Article 22(1) of this Regulation.

11.   Where all the data referred to in paragraph 2, points (a) to (f) and (h), of this Article relating to a person as referred to in paragraph 1 of this Article are recorded in Eurodac, they shall be considered to be a dataset transmitted to Eurodac for the purposes of Article 27(1), point (aa), of Regulation (EU) 2019/818.

1.   As soon as the Member State of relocation is obliged to relocate the person concerned pursuant to Article 67(9) of Regulation (EU) 2024/1351, the benefitting Member State shall update its dataset recorded in accordance with Article 17, 22, 23 or 24 of this Regulation relating to the person concerned by adding the Member State of relocation.

2.   When a person arrives in the Member State of relocation following the confirmation by the Member State of relocation to relocate the person concerned pursuant to Article 67(9) of Regulation (EU) 2024/1351, that Member State shall send a dataset recorded in accordance with Article 17 or 23 of this Regulation relating to the person concerned and shall include his or her date of arrival. The dataset shall be stored in accordance with Article 29(1) for the purpose of transmission under Articles 27 and 28.

1.   Each Member State shall promptly take the biometric data of every third-country national or stateless person of at least six years of age registered as a beneficiary of temporary protection in the territory of that Member State pursuant to Directive 2001/55/EC.

2.   The Member State concerned shall, as soon as possible and no later than 10 days after the registration as a beneficiary of temporary protection, transmit to Eurodac in accordance with Article 3(2) the following data in relation to any third-country national or stateless person referred to in paragraph 1:

3.   Non-compliance with the 10-day time limit referred to in paragraph 2 of this Article shall not relieve Member States of the obligation to take the biometric data and transmit them to Eurodac. Where the condition of the fingertips does not allow the taking of fingerprints of a quality ensuring appropriate comparison under Article 38, the Member State of origin shall retake the fingerprints of the beneficiary of temporary protection as described in paragraph 1 of this Article and retransmit them as soon as possible and no later than 48 hours after they have been successfully retaken.

4.   By way of derogation from paragraph 1, where it is not possible to take the biometric data of the beneficiary of temporary protection on account of measures taken to ensure his or her health or the protection of public health, the Member State concerned shall take and transmit such biometric data as soon as possible and no later than 48 hours after those health grounds no longer prevail.

In the event of serious technical problems, Member States may extend the 10-day time limit referred to in paragraph 2 by a maximum of a further 48 hours in order to carry out their national continuity plans.

5.   Where requested by the Member State concerned, the biometric data may also be taken and transmitted on behalf of that Member State by members of the European Border and Coast Guard Teams or experts of the asylum support teams specifically trained for that purpose, when exercising powers and performing their tasks in accordance with Regulations (EU) 2019/1896 and (EU) 2021/2303.

6.   Each dataset collected and transmitted in accordance with this Article shall be linked with other datasets corresponding to the same third-country national or stateless person in a sequence as set out in Article 3(6).

7.   Where all the data referred to in paragraph 2, points (a) to (f) and (h), of this Article relating to a person as referred to in paragraph 1 of this Article are recorded in Eurodac, they shall be considered to be a dataset transmitted to Eurodac for the purposes of Article 27(1), point (aa), of Regulation (EU) 2019/818.

1.   Biometric data transmitted by any Member State, with the exception of those transmitted in accordance with Article 16(2), points (a) and (c), and Articles 18 and 20, shall be compared automatically with the biometric data transmitted by other Member States and already stored in Eurodac in accordance with Article 15, Article 18(2), and Articles 20, 22, 23, 24 and 26.

2.   Biometric data transmitted by any Member State in accordance with Article 18(1) shall be compared automatically with the biometric data transmitted by other Member States and already stored in Eurodac in accordance with Article 15 and marked in accordance with Article 31, and with Article 18(2) and Article 20.

3.   Eurodac shall ensure, at the request of a Member State, that the comparison referred to in paragraph 1 covers the biometric data previously transmitted by that Member State, in addition to the biometric data from other Member States.

4.   Eurodac shall automatically transmit the hit or the negative result of the comparison to the Member State of origin following the procedures set out in Article 38(4). Where there is a hit, it shall transmit, for all datasets corresponding to the hit, the data referred to in Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2) along with, where appropriate, the mark referred to in Article 31(1) and (4). Where a negative result is received, the data referred to in Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2) shall not be transmitted.

5.   Where a hit is received by a Member State from Eurodac that can assist that Member State in carrying out its obligations under Article 1(1), point (a), that hit shall take precedence over any other hit received.

1.   Where the condition of the fingertips does not allow for the taking of fingerprints of a quality ensuring appropriate comparison under Article 38 or where no fingerprints are available for comparison, a Member State shall carry out a comparison of facial image data.

2.   Facial image data and data relating to the sex of the data subject may be compared automatically with the facial image data and the data relating to the sex of the data subject transmitted by other Member States and already stored in Eurodac in accordance with Article 15, Article 18(2) and Articles 20, 22, 23, 24 and 26, with the exception of those transmitted in accordance with Article 16(2), points (a) and (c), and Articles 18 and 20.

Eurodac shall ensure, at the request of a Member State, that the comparison referred to in paragraph 1 covers the facial image data previously transmitted by that Member State, in addition to the facial image data from other Member States.

3.   Facial image data and data relating to the sex of the data subject transmitted by any Member State in accordance with Article 18(1) may be compared automatically with the facial image data and the data relating to the sex of the data subject transmitted by other Member States and already stored in Eurodac in accordance with Article 15 and marked in accordance with Article 31, and with Article 18(2) and Article 20.

4.   Eurodac shall automatically transmit the hit or the negative result of the comparison to the Member State of origin following the procedures set out in Article 38(5). Where there is a hit, it shall transmit, for all datasets corresponding to the hit, the data referred to in Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2) along with, where appropriate, the mark referred to in Article 31(1) and (4). Where a negative result is received, the data referred to in Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2) shall not be transmitted.

5.   Where a hit is received by a Member State from Eurodac that can assist that Member State in carrying out its obligations under Article 1(1), point (a), that hit shall take precedence over any other hit received.

1.   For the purposes of Article 15(1), each dataset relating to an applicant for international protection recorded in accordance with Article 17, shall be stored in Eurodac for ten years from the date on which the biometric data were transmitted.

2.   The biometric data referred to in Article 18(1) shall not be recorded in Eurodac.

3.   For the purposes of Article 18(2), each dataset recorded in accordance with Article 19 relating to a third-country national or stateless person as referred to in Article 18(2), point (a), shall be stored in Eurodac for five years from the date on which the biometric data were transmitted.

4.   For the purposes of Article 18(2), each dataset recorded in accordance with Article 19 relating to a third-country national or stateless person as referred to in Article 18(2), point (b) or (c), shall be stored in Eurodac for three years from the date on which the biometric data were transmitted.

5.   For the purposes of Article 20, each dataset relating to a third-country national or stateless person recorded in accordance with Article 21 shall be stored in Eurodac for five years from the date on which the biometric data were transmitted.

6.   For the purposes of Article 22(1), each dataset relating to a third-country national or stateless person recorded in accordance with Article 22 shall be stored in Eurodac for five years from the date on which the biometric data were transmitted.

7.   For the purposes of Article 23(1), each dataset relating to a third-country national or stateless person recorded in accordance with Article 23 shall be stored in Eurodac for five years from the date on which the biometric data were transmitted.

8.   For the purposes of Article 24(1), each dataset relating to a third-country national or stateless person recorded in accordance with Article 24 shall be stored in Eurodac for five years from the date on which the biometric data were transmitted.

9.   For the purposes of Article 26(1), each dataset relating to a third-country national or stateless person recorded in accordance with Article 26 shall be stored in Eurodac for one year from the date of entry into force of the relevant Council Implementing Decision. The retention period shall be extended every year for the duration of the temporary protection.

10.   Upon expiry of the data storage periods referred to in paragraphs 1 to 9 of this Article, the data of the data subjects shall be automatically erased from Eurodac.

1.   Data relating to a person who has acquired the citizenship of a Member State of origin before the expiry of the period referred to in Article 29(1), (3), (5), (6), (7), (8) or (9) shall be erased from Eurodac without delay by that Member State in accordance with Article 40(3).

Data relating to a person who has acquired the citizenship of another Member State before the expiry of the period referred to in Article 29(1), (3), (5), (6), (7), (8) or (9) shall be erased from Eurodac by the Member State of origin, in accordance with Article 40(3), as soon as it becomes aware of the fact that the person concerned has acquired such citizenship.

2.   Eurodac shall, as soon as possible and no later than 72 hours after the erasure, inform all Member States of origin of the erasure of data in accordance with paragraph 1 of this Article by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) or Article 26(1).

1.   For the purposes laid down in Article 1(1), point (a), the Member State of origin which granted international protection to a person whose data were previously recorded in Eurodac pursuant to Article 17 shall mark the relevant data in accordance with the requirements for electronic communication with Eurodac established by eu-LISA. That mark shall be stored in Eurodac in accordance with Article 29(1) for the purposes of transmission under Articles 27 and 28. Eurodac shall, as soon as possible and no later than 72 hours after the marking of the data, inform all Member States of origin of the marking of data by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) or Article 26(1). Those Member States of origin shall also mark the corresponding datasets.

2.   The data of beneficiaries of international protection stored in Eurodac in accordance with Article 3(2) and marked pursuant to paragraph 1 of this Article shall be made available for comparison for law enforcement purposes until such data are automatically erased from Eurodac in accordance with Article 29(10).

3.   The Member State of origin shall unmark data concerning a third-country national or stateless person whose data were previously marked in accordance with paragraph 1 of this Article if his or her status is withdrawn under Article 14 or 19 of Regulation (EU) 2024/1347.

4.   For the purposes laid down in Article 1(1), points (a) and (c), the Member State of origin which issued a residence document to an illegally staying third-country national or stateless person whose data were previously recorded in Eurodac, as appropriate, pursuant to Article 22(2) or Article 23(2), or to a third-country national or stateless person disembarked following a search and rescue operation whose data were previously recorded in Eurodac pursuant to Article 24(2), shall mark the relevant data in accordance with the requirements for electronic communication with Eurodac established by eu-LISA. That mark shall be stored in Eurodac in accordance with Article 29(6), (7), (8) and (9) for the purposes of transmission under Articles 27 and 28. Eurodac shall, as soon as possible and no later than 72 hours after the marking of data, inform all Member States of origin of the marking of data by another Member State of origin having produced a hit with data which they transmitted relating to persons referred to in Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) or Article 26(1). Those Member States of origin shall also mark the corresponding datasets.

5.   The data of illegally staying third-country nationals or stateless persons stored in Eurodac and marked pursuant to paragraph 4 of this Article shall be made available for comparison for law enforcement purposes until such data are automatically erased from Eurodac in accordance with Article 29(10).

6.   For the purposes of Article 68(4) of Regulation (EU) 2024/1351, the Member State of relocation shall, following the registration of the data pursuant to Article 25(2) of this Regulation, register itself as the Member State responsible and mark those data with the marking introduced by the Member State that granted protection.

1.   For law enforcement purposes, the Member States’ designated authorities and the Europol designated authority may submit a reasoned electronic request as provided for in Article 33(1) and in Article 34(1), together with the reference number used by them, to the verifying authority to be forwarded for a comparison of biometric data or alphanumeric data to Eurodac via the National Access Point or Europol Access Point. Upon receipt of such a request, the verifying authority shall verify whether all the conditions for requesting a comparison as referred to in Article 33 or 34, as applicable, are fulfilled.

2.   Where all the conditions for requesting a comparison as referred to in Article 33 or 34 are fulfilled, the verifying authority shall forward the request for comparison to the National Access Point or Europol Access Point, which shall forward it to Eurodac in accordance with Articles 27 and 28 for the purposes of comparison with the biometric or alphanumeric data transmitted to Eurodac pursuant to Article 15, Article 18(2) and Articles 20, 22, 23, 24 and 26.

3.   A comparison of a facial image with other facial image data in Eurodac for law enforcement purposes may be carried out as provided for in Article 28(1), if such data are available at the time the reasoned electronic request is made by the Member States’ designated authorities or the Europol designated authority.

4.   In exceptional cases of urgency where there is a need to prevent an imminent danger associated with a terrorist offence or other serious criminal offence, the verifying authority may transmit the biometric or alphanumeric data to the National Access Point or Europol Access Point for comparison immediately upon receipt of a request by a designated authority and only verify ex post whether all the conditions for requesting a comparison as referred to in Article 33 or 34 are fulfilled, including whether an exceptional case of urgency actually existed. The ex post verification shall take place without undue delay after the processing of the request.

5.   Where an ex post verification determines that the access to Eurodac data was not justified, all the authorities that have accessed such data shall erase the information communicated from Eurodac and shall inform the verifying authority of such erasure.

1.   For law enforcement purposes, designated authorities may submit a reasoned electronic request for the comparison of biometric or alphanumeric data with the data stored in Eurodac within the scope of their powers only where all of the following conditions have been met:

In addition to the prior check of the databases referred to in the first subparagraph, designated authorities may also conduct a check in the VIS, provided that the conditions for a comparison with the data stored therein, as laid down in Decision 2008/633/JHA, are met. Designated authorities may submit the reasoned electronic request referred to in the first subparagraph simultaneously with a request for comparison with the data stored in the VIS.

2.   Where the designated authorities have consulted the CIR in accordance with Article 22(1) of Regulation (EU) 2019/818 and the CIR, in accordance with paragraph 2 of that Article, has indicated that the data relating to the person concerned are stored in Eurodac, the designated authorities may access Eurodac for consultation without a prior check in national databases or in the automated fingerprinting identification systems of all other Member States.

3.   Requests for comparison with Eurodac data for law enforcement purposes, shall be carried out with biometric or alphanumeric data.

1.   For law enforcement purposes, the Europol designated authority may submit a reasoned electronic request for the comparison of biometric or alphanumeric data with the data stored in Eurodac within the limits of Europol’s mandate and where necessary for the performance of Europol’s tasks only where all of the following conditions have been met:

2.   Where Europol has consulted the CIR in accordance with Article 22(1) of Regulation (EU) 2019/818 and the CIR, in accordance with paragraph 2 of that Article, has indicated that the data relating to the person concerned are stored in Eurodac, Europol may access Eurodac for consultation under the conditions provided for in this Article.

3.   Requests for comparison with Eurodac data for law enforcement purposes, shall be carried out with biometric or alphanumeric data.

4.   Processing of information obtained by Europol from comparison with Eurodac data shall be subject to the authorisation of the Member State of origin. Such authorisation shall be obtained via the Europol national unit of that Member State.

1.   Without prejudice to Article 39, all communication between the designated authorities, the verifying authorities, the National Access Points and the Europol Access Point shall be secure and take place electronically.

2.   For law enforcement purposes, searches with biometric or alphanumeric data shall be digitally processed by the Member States and Europol and transmitted in the data format as set out in the agreed Interface Control Document, in order to ensure that the comparison can be carried out with other data stored in Eurodac.

1.   The Member State of origin shall be responsible for ensuring that:

2.   The Member State of origin shall ensure the security of the data referred to in paragraph 1 of this Article before and during transmission to Eurodac, as provided for in Article 48, and the security of the data it receives from Eurodac.

3.   The Member State of origin shall be responsible for the final identification of the data pursuant to Article 38(4).

4.   eu-LISA shall ensure that Eurodac is operated, including for testing purposes, in accordance with this Regulation and relevant Union data protection rules. In particular, eu-LISA shall:

eu-LISA shall inform the European Parliament, the Council and the European Data Protection Supervisor of the measures it takes pursuant to the first subparagraph of this paragraph.

1.   Biometric data and other personal data shall be digitally processed and transmitted in the data format as set out in the agreed Interface Control Document. As far as necessary for the efficient operation of Eurodac, eu-LISA shall establish the technical requirements concerning the data format to be used for the transmission of data by Member States to Eurodac and vice versa. eu-LISA shall ensure that the biometric data transmitted by the Member States can be compared by the computerised fingerprint and facial recognition system.

2.   Member States shall transmit the data referred to in Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2) electronically. The data referred to in Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2) shall be automatically recorded in Eurodac. As far as necessary for the efficient operation of Eurodac, eu-LISA shall establish the technical requirements to ensure that data can be properly electronically transmitted from the Member States to Eurodac and vice versa.

3.   Member States shall ensure that the reference number referred to in Article 17(1), point (k), Article 19(1), point (k), Article 21(1), point (k), Article 22(2), point (k), Article 23(2), point (k), Article 24(2), point (k), Article 26(2), point (k), and Article 32(1) makes it possible to relate data unambiguously to a particular person and to the Member State which is transmitting the data and also makes it possible to indicate whether such data relate to a person as referred to in Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) or Article 26(1).

4.   The reference number referred to in paragraph 3 of this Article shall begin with the identification letter or letters by which the Member State transmitting the data is identified. The identification letter or letters shall be followed by the identification of the category of person or request. ‘1’ refers to persons as referred to in Article 15(1), ‘2’ to persons as referred to in Article 22(1), ‘3’ to persons as referred to in Article 23(1), ‘4’ to requests as referred to in Article 33, ‘5’ to requests as referred to in Article 34, ‘6’ to requests as referred to in Article 43, ‘7’ to requests as referred to in Article 18, ‘8’ to persons as referred to in Article 20, ‘9’ to persons as referred to in Article 24(1) and ‘0’ to persons as referred to in Article 26(1).

5.   eu-LISA shall establish the technical procedures necessary for Member States to ensure receipt of unambiguous data by Eurodac.

6.   Eurodac shall confirm receipt of the transmitted data as soon as possible. To that end, eu-LISA shall establish the necessary technical requirements to ensure that Member States receive the confirmation receipt if requested.

1.   Member States shall ensure the transmission of biometric data of an appropriate quality for the purposes of comparison by means of the computerised fingerprint and facial recognition system. As far as is necessary to ensure that the results of the comparison by Eurodac reach a very high level of accuracy, eu-LISA shall establish the appropriate quality of transmitted biometric data. Eurodac shall, as soon as possible, check the quality of the biometric data transmitted. If the biometric data do not lend themselves to comparison using the computerised fingerprint and facial recognition system, Eurodac shall inform the Member State concerned. That Member State shall then transmit biometric data of the appropriate quality using the same reference number as the previous set of biometric data.

2.   Eurodac shall carry out comparisons in the order of arrival of requests. Each request shall be handled within 24 hours of its arrival. A Member State may, for reasons connected with national law, require particularly urgent comparisons to be carried out within one hour. Where such time limits cannot be respected due to circumstances which are outside the eu-LISA’s responsibility, Eurodac shall process the request as a matter of priority as soon as those circumstances no longer prevail. In such cases, as far as is necessary for the efficient operation of Eurodac, eu-LISA shall establish criteria to ensure the priority handling of requests.

3.   As far as is necessary for the efficient operation of Eurodac, eu-LISA shall establish the operational procedures for the processing of the data received and for transmitting the result of the comparison.

4.   Where necessary, a fingerprint expert in the receiving Member State, as defined in accordance with its national rules and specifically trained in the types of fingerprint comparisons provided for in this Regulation, shall immediately check the result of the comparison of fingerprint data carried out pursuant to Article 27.

Where, following a comparison of both fingerprint and facial image data with data recorded in the computerised central database, Eurodac returns a fingerprint hit and a facial image hit, Member States may check the result of the comparison of the facial image data.

For the purposes laid down in Article 1(1), points (a), (b), (c) and (j), of this Regulation, final identification shall be made by the Member State of origin in cooperation with the other Member States concerned.

5.   The result of the comparison of facial image data carried out pursuant to Article 27, where a hit based only on a facial image is received, and Article 28 shall be immediately checked and verified in the receiving Member State by an expert trained in accordance with national practice.

For the purposes laid down in Article 1(1), points (a), (b), (c) and (j), of this Regulation, final identification shall be made by the Member State of origin in cooperation with the other Member States concerned.

Information received from Eurodac relating to other data found to be unreliable shall be erased as soon as the unreliability of the data is established.

6.   Where final identification in accordance with paragraphs 4 and 5 reveals that the result of the comparison received from Eurodac does not correspond to the biometric data sent for comparison, Member States shall immediately erase the result of the comparison and communicate that fact as soon as possible, and no later than three working days after the receipt of the result, to eu-LISA and inform it of the reference number of the Member State of origin and the reference number of the Member State that received the result.

1.   The Member State of origin shall have access to data which it has transmitted and which are recorded in Eurodac in accordance with this Regulation.

Member States shall not conduct searches of the data transmitted by another Member State or receive such data with the exception of data resulting from the comparison referred to in Articles 27 and 28.

2.   The authorities of Member States which, pursuant to paragraph 1 of this Article, have access to data recorded in Eurodac shall be those designated by each Member State for the purposes laid down in Article 1(1), points (a), (b), (c) and (j). That designation shall specify the exact unit responsible for carrying out tasks related to the application of this Regulation. Each Member State shall without delay communicate to the Commission and eu-LISA a list of those units and any amendments thereto. eu-LISA shall publish the consolidated list in the Official Journal of the European Union. Where there are amendments to that list, eu-LISA shall publish once a year an updated consolidated list online.

3.   Only the Member State of origin shall have the right to amend the data which it has transmitted to Eurodac by rectifying or supplementing such data, or to erase them, without prejudice to erasure carried out pursuant to Article 29.

4.   Access for the purpose of consulting the Eurodac data stored in the CIR shall be granted to the duly authorised staff of the national authorities of each Member State and to the duly authorised staff of the Union bodies competent for the purposes laid down in Articles 20 and 21 of Regulation (EU) 2019/818. That access shall be limited to the extent necessary for the performance of the tasks of those national authorities and Union bodies and for the achievement of those purposes and shall be proportionate to the objectives pursued.

5.   If a Member State or eu-LISA has evidence to suggest that data recorded in Eurodac are factually inaccurate, it shall, without prejudice to the notification of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, inform the Member State of origin thereof as soon as possible.

If a Member State has evidence to suggest that data were recorded in Eurodac in breach of this Regulation, it shall inform eu-LISA, the Commission and the Member State of origin thereof as soon as possible. The Member State of origin shall check the data concerned and, if necessary, amend or erase them without delay.

6.   eu-LISA shall not transfer or make available data recorded in Eurodac to the authorities of any third country. That prohibition shall not apply to transfers of such data to third countries to which Regulation (EU) 2024/1351 applies.

1.   eu-LISA shall keep records of all data processing operations within Eurodac. Those records shall show the purpose, date and time of access, the data transmitted, the data used for querying and the name of both the unit entering or retrieving the data and the persons responsible.

2.   For the purposes of Article 8 of this Regulation, eu-LISA shall keep records of each data processing operation carried out within Eurodac. Records of such type of operations shall include the elements provided for in paragraph 1 of this Article and the hits triggered while carrying out the automated processing laid down in Article 20 of Regulation (EU) 2018/1240.

3.   For the purposes of Article 10 of this Regulation, Member States and eu-LISA shall keep records of each data processing operation carried out within Eurodac and the VIS in accordance with this Article and Article 34 of Regulation (EC) No 767/2008.

4.   The records referred to in paragraph 1 of this Article may be used only for the data protection monitoring of the admissibility of data processing and to ensure data security pursuant to Article 46. Those records shall be protected by appropriate measures against unauthorised access and erased after a period of one year after the storage period referred to in Article 29 has expired, unless they are required for monitoring procedures which have already begun.

5.   For the purposes laid down in Article 1(1), points (a), (b), (c), (g), (h) and (j), each Member State shall take the necessary measures in order to achieve the objectives set out in paragraphs 1 to 4 of this Article in relation to its national system. In addition, each Member State shall keep a record of the staff duly authorised to enter or retrieve the data.

1.   The Member State of origin shall inform a person covered by Article 15(1), Article 18(1) and (2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) or Article 26(1) of this Regulation, in writing, and where necessary, orally, in a language that he or she understands or is reasonably supposed to understand, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, of the following:

2.   In relation to a person covered by Article 15(1), Article 18(1) and (2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) and Article 26(1), the information referred to in paragraph 1 of this Article shall be provided at the time when his or her biometric data are taken.

Where a person covered by Article 15(1), Article 18(1) and (2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) and Article 26(1), is a minor, the information shall be provided by Member States in an age-appropriate manner.

The procedure to capture biometric data shall be explained to minors by using leaflets, infographics or demonstrations, or a combination of any of the three, as appropriate, specifically designed in such a way as to ensure that minors understand it.

3.   A common leaflet, containing at least the information referred to in paragraph 1 of this Article and the information referred to in Article 19(1) of Regulation (EU) 2024/1351, shall be drawn up in accordance with the procedure referred to in Article 77(2) of that Regulation.

The leaflet shall be clear and simple, drafted in a concise, transparent, intelligible and easily accessible form and in a language that the person concerned understands or is reasonably supposed to understand.

The leaflet shall be drawn up in such a manner as to enable Member States to complete it with additional Member State-specific information. That Member State-specific information shall include at least the administrative measures for ensuring compliance with the obligation to provide biometric data, the rights of the data subject, the possibility of information and assistance by the national supervisory authorities, the contact details of the office of the controller and of the data protection officer, and the contact details of the national supervisory authorities.

1.   For the purposes laid down in Article 1(1), points (a), (b), (c) and (j), of this Regulation, the data subject’s rights of access to, rectification, completion, erasure and restriction of the processing of personal data shall be exercised in accordance with Chapter III of Regulation (EU) 2016/679 and applied as set out in this Article.

2.   The right of access of the data subject in each Member State shall include the right to have communicated to him or her the personal data relating to him or her recorded in Eurodac, including any record indicating that the person could pose a threat to internal security, and the Member State which transmitted them to Eurodac under the conditions set out in Regulation (EU) 2016/679 and in national law adopted pursuant thereto. Such access to personal data may be granted only by a Member State.

When the rights of rectification and erasure of personal data are exercised in a Member State other than that, or those, which transmitted the data, the authorities of that Member State shall contact the authorities of the Member State or Member States which transmitted the data so that they can check the accuracy of the data and the lawfulness of their transmission to and recording in Eurodac.

3.   With regard to a record indicating that the person could pose a threat to internal security, Member States may restrict the data subject’s rights referred to in this Article in accordance with Article 23 of Regulation (EU) 2016/679.

4.   If it emerges that data recorded in Eurodac are factually inaccurate or have been recorded unlawfully, the Member State which transmitted them shall rectify or erase the data in accordance with Article 40(3). That Member State shall confirm in writing to the data subject that it has taken action to rectify, complete, erase or restrict the processing of personal data relating to that data subject.

5.   If the Member State which has transmitted the data does not agree that the data recorded in Eurodac are factually inaccurate or have been recorded unlawfully, it shall explain in writing to the data subject why it does not intend to rectify or erase the data.

That Member State shall also provide the data subject with information explaining the steps which can be taken if he or she does not accept the explanation provided. That shall include information on how to bring an action or, if appropriate, a complaint before the competent authorities or courts of that Member State and on any financial or other assistance that is available in accordance with the laws, regulations and procedures of that Member State.

6.   Any request under paragraphs 1 and 2 for access to, rectification, completion, erasure or restriction of the processing of personal data shall contain all the necessary particulars to identify the data subject, including biometric data. Such data shall be used exclusively to permit the exercise of the data subject’s rights as referred to in paragraphs 1 and 2 and shall be erased immediately afterwards.

7.   The competent authorities of the Member States shall cooperate actively to enforce promptly the data subject’s rights to access, rectification, completion, erasure and restriction of the processing of personal data.

8.   Whenever a person requests access to data relating to him or her, the competent authority shall keep a record in the form of a written document that such a request was made and how it was addressed, and shall make that document available to the national supervisory authorities without delay.

9.   The national supervisory authority of the Member State which has transmitted the data and the national supervisory authority of the Member State in which the data subject is present shall, where requested, provide information to the data subject concerning the exercise of his or her right to request from the data controller access to, rectification, completion, erasure or the restriction of the processing of personal data concerning him or her. The supervisory authorities shall cooperate in accordance with Chapter VII of Regulation (EU) 2016/679.

1.   Each Member State shall provide that its supervisory authority or authorities, as referred to in Article 51(1) of Regulation (EU) 2016/679, are to monitor the lawfulness of the processing of personal data by the Member State in question for the purposes laid down in Article 1(1), points (a), (b), (c) and (j), of this Regulation, including their transmission to Eurodac.

2.   Each Member State shall ensure that its supervisory authority has access to advice from persons with sufficient knowledge of biometric data.

1.   The European Data Protection Supervisor shall ensure that all the personal data processing activities concerning Eurodac, in particular by eu-LISA, are carried out in accordance with Regulations (EU) 2018/1725 and with this Regulation.

2.   The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with international auditing standards at least every three years. A report of such audits shall be sent to the European Parliament, to the Council, to the Commission, to eu-LISA, and to the national supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

1.   In accordance with Article 62 of Regulation (EU) 2018/1725, the national supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively in the framework of their responsibilities and ensure the coordinated supervision of Eurodac.

2.   Member States shall ensure that every year an audit of the processing of personal data for law enforcement purposes is carried out by an independent body, in accordance with Article 47(1), including an analysis of a sample of reasoned electronic requests.

The audit shall be attached to the annual report by the Member States referred to in Article 57(8).

3.   The national supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties in the interpretation or application of this Regulation, study problems with regard to the exercise of independent supervision or in the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary.

4.   For the purposes of paragraph 3, the national supervisory authorities and the European Data Protection Supervisor shall meet at least twice a year within the framework of the European Data Protection Board. The costs and servicing of the meetings shall be covered by the European Data Protection Board. The rules of procedure for the meetings shall be adopted at the first such meeting. Further working methods shall be developed jointly as necessary. The European Data Protection Board shall send a joint report of activities to the European Parliament, to the Council and to the Commission every two years. That report shall include a chapter with regard to each Member State prepared by the national supervisory authority of that Member State.

1.   The supervisory authority or authorities of each Member State, as referred to in Article 41(1) of Directive (EU) 2016/680, shall monitor the lawfulness of the processing of personal data under this Regulation by the Member States for law enforcement purposes, including their transmission to and from Eurodac.

2.   The processing of personal data by Europol pursuant to this Regulation shall be in accordance with Regulation (EU) 2016/794 and shall be supervised by the European Data Protection Supervisor.

3.   Personal data obtained pursuant to this Regulation from Eurodac for law enforcement purposes shall only be processed for the purposes of the prevention, detection or investigation of the specific case for which the data have been requested by a Member State or by Europol.

4.   Without prejudice to Article 24 of Directive (EU) 2016/680, Eurodac, the designated and verifying authorities and Europol shall keep records of searches for the purpose of permitting the national supervisory authorities and the European Data Protection Supervisor to monitor the compliance of data processing with Union data protection rules, including for the purpose of maintaining records in order to prepare the annual reports referred to in Article 57(8) of this Regulation. Other than for such purposes, personal data, as well as the records of the searches, shall be erased in all national and Europol files after a period of one month, unless the data are required for the purposes of the specific ongoing criminal investigation for which they were requested by a Member State or by Europol.

1.   The Member State of origin shall ensure the security of data before and during transmission to Eurodac.

2.   Each Member State shall, in relation to all data processed by its competent authorities pursuant to this Regulation, adopt the necessary measures, including a data security plan, in order to:

3.   Member States and Europol shall inform eu-LISA of security incidents related to Eurodac detected on their systems without prejudice to the notification and communication of a personal data breach, pursuant to Articles 33 and 34 of Regulation (EU) 2016/679 and Articles 30 and 31 of Directive (EU) 2016/680, as well as Articles 34 and 35 of Regulation (EU) 2016/794, respectively. eu-LISA shall inform the Member States, Europol and the European Data Protection Supervisor, without undue delay, of security incidents related to Eurodac detected on their systems without prejudice to Articles 34 and 35 of Regulation (EU) 2018/1725. The Member States concerned, eu-LISA and Europol shall collaborate during a security incident.

4.   eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 2 of this Article as regards the operation of Eurodac, including the adoption of a data security plan.

Prior to the start of the operational use of Eurodac, the security framework for Eurodac’s business and technical environment shall be updated, in accordance with Article 33 of Regulation (EU) 2018/1725.

5.   The European Union Agency for Asylum shall take necessary measures in order to implement Article 18(4), including the adoption of a data security plan as referred to in paragraph 2 of this Article.

1.   Personal data obtained by a Member State or by Europol from Eurodac pursuant to this Regulation shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. That prohibition shall also apply if those data are further processed within the meaning of Article 4, point (2), of Regulation (EU) 2016/679 and Article 3, point (2), of Directive (EU) 2016/680, at national level or between Member States.

2.   Personal data which originate in a Member State and are exchanged between Member States following a hit obtained for law enforcement purposes shall not be transferred to third countries if there is a real risk that, as a result of such a transfer, the data subject might be subjected to torture, inhuman and degrading treatment or punishment or any other violation of his or her fundamental rights.

3.   Personal data which originate in a Member State and are exchanged between a Member State and Europol following a hit obtained for law enforcement purposes shall not be transferred to third countries if there is a real risk that, as a result of such a transfer, the data subject might be subjected to torture, inhuman and degrading treatment or punishment or any other violation of his or her fundamental rights. In addition, any transfers shall only be carried out when they are necessary and proportionate in cases falling within Europol’s mandate, in accordance with Chapter V of Regulation (EU) 2016/794 and subject to the consent of the Member State of origin.

4.   No information regarding the fact that an application for international protection has been made or that a person has been subject to an admission procedure in a Member State shall be disclosed to any third country with regard to persons as referred to in Article 15(1), Article 18(1) and (2) or Article 20(1).

5.   The prohibitions set out in paragraphs 1 and 2 of this Article shall be without prejudice to the right of Member States to transfer such data in accordance with Chapter V of Regulation (EU) 2016/679 or with the national rules adopted pursuant to Chapter V of Directive (EU) 2016/680, as appropriate, to third countries to which Regulation (EU) 2024/1351 applies.

1.   By way of derogation from Article 49, the personal data relating to persons as referred to in Article 15(1), Article 18(2)(a), Article 20(1), Article 22(2), Article 23(1), Article 24(1) and Article 26(1) obtained by a Member State following a hit for the purposes laid down in Article 1(1), point (a), (b), (c) or (j), may be transferred or made available to a third country with the agreement of the Member State of origin.

2.   Transfers of data to a third country pursuant to paragraph 1 of this Article shall be carried out in accordance with the relevant provisions of Union law, in particular provisions on data protection, including Chapter V of Regulation (EU) 2016/679, and, where applicable, readmission agreements, and the national law of the Member State transferring the data.

3.   Transfers of data to a third country pursuant to paragraph 1 shall take place only where the following conditions have been met:

4.   The implementation of Regulation (EU) 2016/679, including with regard to the transfer of personal data to third countries pursuant to this Article, and, in particular, the use, proportionality and necessity of transfers based on Article 49(1), point (d), of that Regulation, shall be subject to monitoring by the independent supervisory authority set up pursuant to Chapter VI of Regulation (EU) 2016/679.

5.   Transfers of personal data to third countries pursuant to this Article shall not prejudice the rights of persons as referred to in Article 15(1), Article 18(2)(a), Article 20(1), Article 22(2), Article 23(1), Article 24(1) and Article 26(1) of this Regulation, in particular as regards non-refoulement, or the prohibition to disclose or obtain information in accordance with Article 7 of Regulation (EU) 2024/1348.

6.   A third country shall not have direct access to Eurodac to compare or transmit biometric data or any other personal data of a third-country national or stateless person and shall not be granted access to Eurodac via a Member State’s National Access Point.

1.   Member States and Europol shall ensure that all data processing operations resulting from requests for comparison with Eurodac data for law enforcement purposes are logged or documented for the purpose of checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security and for the purposes of self-monitoring.

2.   The log or documentation shall show in all cases:

3.   Logs and documentation shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Logs which contain personal data shall not be used for the monitoring and evaluation referred to in Article 57.

The national supervisory authorities responsible for checking the admissibility of the request and monitoring the lawfulness of the data processing and data integrity and security shall have access to those logs at their request for the purpose of fulfilling their tasks.

1.   Any person who, or Member State which, has suffered material or non-material damage as a result of an unlawful processing operation or any other act incompatible with this Regulation shall be entitled to receive compensation from the Member State responsible for the damage suffered, or from eu-LISA if it is responsible for the damage suffered and in so far as it has not complied with obligations on it pursuant to this Regulation specifically directed to it or where it has acted outside or contrary to lawful instructions of that Member State. The Member State responsible or eu-LISA shall be exempt from its liability, in whole or in part, if it proves that it is not in any way responsible for the event giving rise to the damage.

2.   If any failure of a Member State to comply with its obligations under this Regulation causes damage to Eurodac, that Member State shall be held liable for such damage, unless and in so far as eu-LISA or another Member State failed to take reasonable steps to prevent the damage from occurring or to minimise its impact..

3.   Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 of this Article shall be governed by the provisions of national law of the defendant Member State in accordance with Articles 79 and 80 of Regulation (EU) 2016/679 and Articles 54 and 55 of Directive (EU) 2016/680. Claims for compensation against eu-LISA for the damage referred to in paragraphs 1 and 2 of this Article shall be subject to the conditions provided for in the Treaties.

1.   The costs incurred in connection with the establishment and operation of Eurodac and the Communication Infrastructure shall be borne by the general budget of the Union.

2.   The costs incurred by National Access Points and the Europol Access Point and their costs for connection to Eurodac shall be borne by each Member State and Europol respectively.

3.   Each Member State and Europol shall set up and maintain at their expense the technical infrastructure necessary to implement this Regulation, and shall be responsible for bearing its costs resulting from requests for comparison with Eurodac data for law enforcement purposes.

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3.   Where the Committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), third subparagraph, of Regulation (EU) No 182/2011 shall apply.

1.   eu-LISA shall submit to the European Parliament, to the Council, to the Commission and to the European Data Protection Supervisor an annual report on the activities of Eurodac, including on its technical functioning and security. The annual report shall include information on the management and performance of Eurodac against pre-defined quantitative indicators for the objectives relating to output, cost-effectiveness and quality of service.

2.   eu-LISA shall ensure that procedures are in place to monitor the functioning of Eurodac against the objectives referred to in paragraph 1.

3.   For the purposes of technical maintenance, reporting and statistics, eu-LISA shall have access to the necessary information relating to the processing operations performed in Eurodac.

4.   By 12 June 2027, eu-LISA shall conduct a study on the technical feasibility of adding facial recognition software to Eurodac for the purpose of comparing facial images, including of minors. The study shall evaluate the reliability and accuracy of the results produced from facial recognition software for the purposes of Eurodac and shall make any necessary recommendations prior to the introduction of the facial recognition technology to Eurodac.

5.   By 12 June 2029 and every four years thereafter, the Commission shall produce an overall evaluation of Eurodac, examining the results achieved against objectives and the impact on fundamental rights, in particular data protection and privacy rights including whether the access for law enforcement purposes has led to indirect discrimination against persons covered by this Regulation, and assessing the continuing validity of the underlying rationale including the use of facial recognition software, and any implications for future operations, and shall make any necessary recommendations. That evaluation shall also include an assessment of the synergies between this Regulation and Regulation (EU) 2018/1862. The Commission shall transmit the evaluation to the European Parliament and to the Council.

6.   Member States shall provide eu-LISA and the Commission with the information necessary to draft the annual report referred to in paragraph 1.

7.   eu-LISA, Member States and Europol shall provide the Commission with the information necessary to draft the overall evaluation provided for in paragraph 5. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations of the designated authorities.

8.   While respecting the provisions of national law on the publication of sensitive information, each Member State and Europol shall prepare reports every two years on the effectiveness of the comparison of biometric data with Eurodac data for law enforcement purposes, containing information and statistics on:

The reports by Member States and Europol referred to in the first subparagraph shall be transmitted to the Commission by 30 June of the subsequent year.

9.   On the basis of the reports by Member States and Europol referred to in paragraph 8, and in addition to the overall evaluation provided for in paragraph 5, the Commission shall compile a report every two years on the access to Eurodac for law enforcement purposes and shall transmit it to the European Parliament, to the Council and to the European Data Protection Supervisor.

1.   By 12 June 2028, the Commission shall assess the functioning and the operational efficiency of any IT system used to exchange the data of beneficiaries of temporary protection for the purposes of the administrative cooperation referred to in Article 27 of Directive 2001/55/EC.

2.   The Commission shall also assess the expected impact of applying Article 26 of this Regulation in the event that Directive 2001/55/EC is activated, taking into consideration:

3.   Depending on the outcome of the assessments referred to in paragraphs 1 and 2 of this Article, the Commission shall make a legislative proposal amending or repealing Article 26, if appropriate.

1.   By 12 September 2024, each Member State shall notify the Commission of its designated authorities, of the operating units referred to in Article 5(3) and of its verifying authority and shall notify it without delay of any amendment thereto.

2.   By 12 September 2024, Europol shall notify the Commission of its designated authority and of its verifying authority and shall notify it without delay of any amendment thereto.

3.   The Commission shall publish the information referred to in paragraphs 1 and 2 in the Official Journal of the European Union on an annual basis and via an electronic publication that shall be available online and updated without delay.

1.   This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.   This Regulation shall apply from 12 June 2026.

However, Article 26 shall apply from 12 June 2029.

3.   This Regulation shall not apply to persons enjoying temporary protection pursuant to Implementing Decision (EU) 2022/382 and any other equivalent national protection pursuant thereto, any future amendments to Implementing Decision (EU) 2022/382, and any extensions to that temporary protection.

4.   The Interface Control Document shall be agreed between Member States and eu-LISA no later than 12 December 2024.

5.   Comparisons of facial images with the use of facial recognition software as set out in Articles 15 and 16 of this Regulation shall apply from the date upon which the facial recognition technology has been introduced into Eurodac. Facial recognition software shall be introduced into Eurodac within one year of the conclusion of the study on the introduction of facial recognition software referred to in Article 57(4). Until that date, facial image shall be stored in Eurodac as part of the data subject’s datasets and transmitted to a Member State following the comparison of fingerprints where there is a hit result.

6.   Member States shall notify the Commission and eu-LISA as soon as they have made the technical arrangements to transmit data to Eurodac, no later than 12 June 2026.