Regulation (EU) 2024/1358 of the European Parliament and of the Council of 14 May 2024 on the establishment of Eurodac for the comparison of biometric data in order to effectively apply Regulations (EU) 2024/1351 and (EU) 2024/1350 of the European Parliament and of the Council and Council Directive 2001/55/EC and to identify illegally staying third-country nationals and stateless persons and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, amending Regulations (EU) 2018/1240 and (EU) 2019/818 of the European Parliament and of the Council and repealing Regulation (EU) No 603/2013 of the European Parliament and of the Council

A system known as ‘Eurodac’ is hereby established. Its purpose is to:

1. support the asylum system, including by assisting in determining which Member State is to be responsible pursuant to Regulation (EU) 2024/1351 for examining an application for international protection registered in a Member State by a third-country national or a stateless person and by facilitating the application of that Regulation under the conditions set out in this Regulation;

2. assist with the application of Regulation (EU) 2024/1350 under the conditions set out in this Regulation;

3. assist with the control of irregular immigration to the Union, with the detection of secondary movements within the Union and with the identification of illegally staying third-country nationals and stateless persons for the purpose of determining the appropriate measures to be taken by Member States;

4. assist with the protection of children, including in the context of law enforcement;

5. lay down the conditions under which Member States’ designated authorities and the Europol designated authority may request the comparison of biometric or alphanumeric data with those stored in Eurodac for law enforcement purposes for the prevention, detection or investigation of terrorist offences or of other serious criminal offences;

6. assist in the correct identification of persons registered in Eurodac in accordance with Article 20 of Regulation (EU) 2019/818 by storing identity data, travel document data and biometric data in the common identity repository (CIR);

7. support the objectives of the European Travel Information and Authorisation System (ETIAS) established by Regulation (EU) 2018/1240;

8. support the objectives of the Visa Information System (VIS) referred to in Regulation (EC) No 767/2008;

9. support evidence-based policy making through the production of statistics;

10. assist with the implementation of Directive 2001/55/EC.

Without prejudice to the processing of data intended for Eurodac by the Member State of origin in databases set up under that Member State’s national law, biometric data and other personal data may be processed in Eurodac only for the purposes set out in this Regulation, in Regulations (EC) No 767/2008, (EU) 2018/1240, (EU) 2019/818, (EU) 2024/1351 and (EU) 2024/1350 and in Directive 2001/55/EC.

This Regulation fully respects human dignity and fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union (the ‘Charter’), including the right to respect for private life, the right to the protection of personal data, the right to asylum and the prohibition of torture and inhuman or degrading treatment. In that respect, the processing of personal data in accordance with this Regulation shall not result in any discrimination against persons covered by this Regulation based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

A person’s right to privacy and to data protection shall be safeguarded in accordance with this Regulation, both with regard to access by the Member States’ authorities and by the Union’s authorised agencies to Eurodac.

For the purposes of this Regulation:

1. ‘applicant for international protection’ means a third-country national or a stateless person who has made an application for international protection as defined in Article 3, point (7), of Regulation (EU) 2024/1347 in respect of which a final decision has not yet been taken;

2. ‘person registered for the purpose of conducting an admission procedure’ means a person who has been registered for the purpose of conducting a resettlement or humanitarian admission procedure in accordance with Article 9(3) of Regulation (EU) 2024/1350;

3. ‘person admitted in accordance with a national resettlement scheme’ means a person resettled by a Member State outside the framework of Regulation (EU) 2024/1350, where that person is granted international protection as defined in Article 3, point (3), of Regulation (EU) 2024/1347 or humanitarian status under national law within the meaning of Article 2(3), point (c), of Regulation (EU) 2024/1350 in accordance with the rules governing the national resettlement scheme;

4. ‘humanitarian status under national law’ means a humanitarian status under national law that provides for rights and obligations equivalent to the rights and obligations set out in Articles 20 to 26 and 28 to 35 of Regulation (EU) 2024/1347;

5. ‘Member State of origin’ means:

   1. in relation to a person covered by Article 15(1), the Member State which transmits the personal data to Eurodac and receives the results of the comparison;

   2. in relation to a person covered by Article 18(1), the Member State which transmits the personal data to Eurodac and receives the results of the comparison;

   3. in relation to a person covered by Article 18(2), the Member State which transmits the personal data to Eurodac;

   4. in relation to a person covered by Article 20(1), the Member State which transmits the personal data to Eurodac;

   5. in relation to a person covered by Article 22(1), the Member State which transmits the personal data to Eurodac and receives the results of the comparison;

   6. in relation to a person covered by Article 23(1), the Member State which transmits the personal data to Eurodac and receives the results of the comparison;

   7. in relation to a person covered by Article 24(1), the Member State which transmits the personal data to Eurodac and receives the results of the comparison;

   8. in relation to a person covered by Article 26(1), the Member State which transmits the personal data to Eurodac and receives the results of the comparison;

6. ‘third-country national’ means any person who is not a citizen of the Union within the meaning of Article 20(1) TFEU and who is not a national of a state which participates in the application of this Regulation by virtue of an agreement with the Union;

7. ‘illegal stay’ means the presence on the territory of a Member State of a third-country national or a stateless person who does not fulfil or no longer fulfils the conditions of entry set out in Article 6 of Regulation (EU) 2016/399 of the European Parliament and of the Council⁽¹⁾ or other conditions for entry, stay or residence in that Member State;

8. ‘beneficiary of international protection’ means a person who has been granted refugee status as defined in Article 3, point (1), of Regulation (EU) 2024/1347 or subsidiary protection status as defined in Article 3, point (2), of that Regulation;

9. ‘beneficiary of temporary protection’ means a person who enjoys temporary protection as defined in Article 2, point (a), of Directive 2001/55/EC and in a Council Implementing Decision introducing temporary protection or any other equivalent national protection introduced in response to the same event as that Council Implementing Decision;

10. ‘hit’ means the existence of a match or matches established by Eurodac by means of a comparison between biometric data recorded in the computerised central database and those transmitted by a Member State with regard to a person, without prejudice to the requirement that Member States immediately check the results of the comparison pursuant to Article 38(4);

11. ‘National Access Point’ means the designated national system which communicates with Eurodac;

12. ‘Europol Access Point’ means the designated Europol system which communicates with Eurodac;

13. ‘Eurodac data’ means all data stored in Eurodac in accordance with Article 17(1) and (2), Article 19(1), Article 21(1), Article 22(2) and (3), Article 23(2) and (3), Article 24(2) and (3) and Article 26(2);

14. ‘law enforcement’ means the prevention, detection or investigation of terrorist offences or of other serious criminal offences;

15. ‘terrorist offence’ means an offence under national law which corresponds or is equivalent to one of the offences referred to in Directive (EU) 2017/541;

16. ‘serious criminal offence’ means an offence which corresponds or is equivalent to those referred to in Article 2(2) of Framework Decision 2002/584/JHA, if it is punishable under national law by a custodial sentence or a detention order for a maximum period of at least three years;

17. ‘fingerprint data’ means the data relating to plain and rolled impressions of the fingerprints of all ten fingers, where present, or a latent fingerprint;

18. ‘facial image data’ means digital images of the face with sufficient image resolution and quality to be used in automatic biometric matching;

19. ‘biometric data’ means fingerprint data or facial image data;

20. ‘alphanumeric data’ means data represented by letters, digits, special characters, space or punctuation marks;

21. ‘residence document’ means any authorisation issued by the authorities of a Member State authorising a third-country national or a stateless person to stay on its territory, including the documents substantiating the authorisation to remain on the territory under temporary protection arrangements or until the circumstances preventing a removal order from being carried out no longer apply, with the exception of visas and residence authorisations issued during the period required to determine the Member State responsible as established in Regulation (EU) 2024/1351 or during the examination of an application for international protection or an application for a residence permit;

22. ‘interface control document’ means a technical document that specifies the necessary requirements with which the National Access Points or the Europol Access Point are to comply in order to be able to communicate electronically with Eurodac, in particular by detailing the format and possible content of the information to be exchanged between Eurodac and the National Access Points or the Europol Access Point;

23. ‘CIR’ means the common identity repository as established by Article 17(1) and (2) of Regulation (EU) 2019/818;

24. ‘identity data’ means the data referred to in Article 17(1), points (c) to (f) and (h), Article 19(1), points (c) to (f) and (h), Article 21(1), points (c) to (f) and (h), Article 22(2), points (c) to (f) and (h), Article 23(2), points (c) to (f) and (h), Article 24(2), points (c) to (f) and (h), and Article 26(2), points (c) to (f) and (h);

25. ‘dataset’ means the set of information recorded in Eurodac on the basis of Article 17, 19, 21, 22, 23, 24 or 26, corresponding to one set of fingerprints of a data subject and composed of biometric data, alphanumeric data and, where available, a scanned colour copy of an identity or travel document;

26. ‘child’ or ‘minor’ means a third-country national or a stateless person below the age of 18 years.

The definitions set out in Article 4 of Regulation (EU) 2016/679 shall apply to this Regulation in so far as personal data are processed by the authorities of the Member States for the purposes laid down in Article 1(1), points (a), (b), (c) and (j) of this Regulation.

Unless stated otherwise, the definitions set out in Article 2 of Regulation (EU) 2024/1351 shall apply to this Regulation.

The definitions set out in Article 3 of Directive (EU) 2016/680 shall apply to this Regulation in so far as personal data are processed by the competent authorities of the Member States for law enforcement purposes.

Eurodac shall consist of:

1. a Central System composed of:

   1. a Central Unit,

   2. a business continuity plan and system;

2. a communication infrastructure between the Central System and Member States that provides a secure and encrypted communication channel for Eurodac data (the ‘Communication Infrastructure’);

3. the CIR;

4. a secure communication infrastructure between the Central System and the central infrastructures of the European search portal and between the Central System and the CIR.

The CIR shall contain the data referred to in Article 17(1), points (a) to (f), (h) and (i), Article 19(1), points (a) to (f), (h) and (i), Article 21(1), points (a) to (f), (h) and (i), Article 22(2), points (a) to (f), (h) and (i), Article 23(2), points (a) to (f), (h) and (i), Article 24, paragraph (2), points (a) to (f) and (h), and paragraph (3), point (a), and Article 26(2), points (a) to (f), (h) and (i). The remaining Eurodac data shall be stored in the Central System.

The Communication Infrastructure shall use the existing ‘Secure Trans European Services for Telematics between Administrations’ (TESTA) network. In order to ensure confidentiality, personal data transmitted to or from Eurodac shall be encrypted.

Each Member State shall have a single National Access Point. Europol shall have a single access point (the Europol Access Point).

Data relating to persons covered by Article 15(1), Article 18(2), Article 20(1), Article 22(1), Article 23(1), Article 24(1) and Article 26(1) which are processed in Eurodac shall be processed on behalf of the Member State of origin under the conditions set out in this Regulation and separated by appropriate technical means.

All datasets registered in Eurodac corresponding to the same third-country national or stateless person shall be linked in a sequence. Where an automatic comparison is carried out in accordance with Articles 27 and 28 and a hit is obtained against at least one other set of fingerprints or, where those fingerprints are of a quality which does not ensure appropriate comparison or are not available, facial image data in another dataset corresponding to that same third-country national or stateless person, Eurodac shall automatically link those datasets on the basis of the comparison. Where necessary, an expert shall check, in accordance with Article 38(4) and (5), the result of an automatic comparison carried out in accordance with Articles 27 and 28. When the receiving Member State confirms the hit, it shall send a notification confirming the linking of those datasets to eu-LISA.

The rules governing Eurodac shall also apply to operations carried out by the Member States as from the transmission of data to Eurodac until use is made of the results of the comparison.

eu-LISA shall be responsible for the operational management of Eurodac.

The operational management of Eurodac shall consist of all the tasks necessary to keep Eurodac functioning 24 hours a day, 7 days a week in accordance with this Regulation, in particular the maintenance work and technical developments necessary to ensure that the system functions at a satisfactory level of operational quality, in particular as regards the time required to query Eurodac. eu-LISA shall develop a business continuity plan and system, taking into account maintenance needs and unforeseen downtime of Eurodac, including the impact of business continuity measures on data protection and security.

eu-LISA shall ensure, in cooperation with the Member States, that the best available and most secure technology and techniques, subject to a cost-benefit analysis, are used for Eurodac.

eu-LISA may use real personal data from the Eurodac production system for testing purposes, in accordance with Regulation (EU) 2016/679, in the following cases:

1. for diagnostics and repair when faults are discovered in Eurodac; or

2. for testing new technologies and techniques relevant to enhancing the performance of Eurodac or the transmission of data to it.

In the cases referred to in points (a) and (b) of the first subparagraph, the security measures, access control and logging activities at the testing environment shall be equal to the ones for the Eurodac production system. Processing of real personal data adapted for testing shall be subject to stringent conditions and rendered anonymous in such a way that the data subject is no longer identifiable. Once the purpose for which the testing was carried out has been achieved or the tests have been completed, the real personal data shall be immediately and permanently erased from the testing environment.

eu-LISA shall be responsible for the following tasks relating to the Communication Infrastructure:

1. supervision;

2. security;

3. the coordination of relations between the Member States and the provider.

The Commission shall be responsible for all tasks relating to the Communication Infrastructure, other than those referred to in paragraph 3, in particular:

1. implementation of the budget;

2. acquisition and renewal;

3. contractual matters.

Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Regulation (EEC, Euratom, ECSC) No 259/68 of the Council⁽²⁾, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to all its staff required to work with Eurodac data. This paragraph shall also apply after such staff leave office or employment or after the termination of their duties.