On 12 June 2026, the regulation of the European Parliament and the Council of the European Union establishing the modernised Eurodac system began to apply. This is one of the most significant changes in EU migration and asylum policy in recent years. The new rules form part of the Pact on Migration and Asylum, which is intended to organise the management of migration in the European Union, improve asylum procedures and limit the unauthorised movement of third-country nationals between Member States.
Eurodac itself is not a new system, but its role is changing fundamentally. Until now, it was used primarily to compare the fingerprints of people applying for international protection and to help determine which Member State was responsible for examining an asylum application. Now that the new rules apply, the system is being transformed into a much broader tool used within the framework of EU migration, asylum and security policy.
Eurodac Gains a New Role in EU Migration Policy
The modernisation of Eurodac marks a departure from the narrow model of a database used mainly for the Dublin mechanism. The new system is designed to support the identification of people subject to migration and asylum procedures, the monitoring of migration flows and the implementation of new procedures introduced under the Pact on Migration and Asylum. In practice, this means that Eurodac will become one of the key large-scale information systems of the European Union.
The aim of the new rules is, among other things, to increase the efficiency of asylum proceedings, reduce so-called secondary movements and improve the monitoring of people who have entered the territory of the European Union in connection with migration. Secondary movements occur when a person who has applied for protection or has been registered in one Member State subsequently moves to another EU country outside the procedures provided for by law.
The new Eurodac system is intended to help Member States quickly establish whether a given person has already been registered in another EU country, whether they have applied for international protection, whether they have been subject to a screening procedure, and whether specific decisions have been taken in relation to them under migration or asylum procedures.
More Categories of Data in the System
One of the most important changes is the expansion of the range of data collected in the system. Eurodac will no longer be based solely on dactyloscopic data, meaning fingerprints. The new rules also provide for the processing of additional biometric and alphanumeric data, including facial images.
Alphanumeric data may include identifying information that makes it possible to link biometric data to a specific person and to the course of a particular procedure. In certain cases, the system may also record information concerning security risks and decisions taken by the competent authorities as part of migration and asylum procedures.
The broader scope of data is intended to improve the effectiveness of identifying third-country nationals and reduce the risk of multiple applications or registrations under different identities. From the perspective of personal data protection, however, this also means the need to ensure particularly strong legal, organisational and technical safeguards.
Biometric Data of Children from the Age of Six
A particularly important change is the inclusion in Eurodac of biometric data relating to children from the age of six. This is especially significant from the perspective of children’s rights, privacy and the principle of data minimisation.
The regulation provides for safeguards intended to protect children during the collection of biometric data. Such data should be collected with respect for the child’s dignity, age, psychological and physical condition, and in conditions that reduce stress and the risk of violating their rights. Authorities applying the rules must remember that a child subject to a migration or asylum procedure is often in a particularly vulnerable situation.
From the perspective of Member States, this means that officials and employees responsible for registering data must be properly prepared. It is not enough to provide the technical ability to collect data. Procedures must also be established that comply with fundamental rights, the principle of proportionality and the best interests of the child.
Poland Adapts Its National Legislation
The implementation of the modernised Eurodac system required the adaptation of Polish national legislation. During legislative work on the act concerning the participation of the Republic of Poland in the Eurodac system, the President of the Personal Data Protection Office expressed his position. The Polish supervisory authority pointed to the need to ensure effective mechanisms for exercising the rights of people whose data will be processed in the system.
This concerns, above all, the right of access to data, the right to information, the possibility of requesting the correction of inaccurate data and the need to ensure clear rules on the responsibility of national authorities. In the case of large-scale systems, it is particularly important that the person concerned knows which authority they can contact and how they can exercise their rights.
The President of the Personal Data Protection Office also emphasised the need to ensure full enforceability of the obligations arising from the Eurodac regulation and to create appropriate conditions for independent supervision of the system. Some of the proposals submitted by the supervisory authority were taken into account during the legislative process.
The Previous Supervisory Group Ends Its Work
When the new rules began to apply, the Eurodac Supervision Coordination Group ceased its activities. For years, it served as a forum for cooperation between national data protection authorities and the European Data Protection Supervisor. Its role was to support consistent supervision of data processing within the Eurodac system.
In connection with the transition to the new supervisory model, Maria Jęda, Chief Coordinator for Large-Scale EU Information Systems at the Polish Personal Data Protection Office, also ended her term as Vice-Chair of the Group.
The new model provides that tasks related to coordinated supervision of Eurodac will be carried out within the Coordinated Supervision Committee operating under the European Data Protection Board. This is intended to ensure greater consistency of supervisory activities concerning large-scale EU information systems.
The Role of the Polish Data Protection Authority in Supervising Eurodac
The Polish Personal Data Protection Office has been involved for years in work related to the supervision of Eurodac. Its activities have included analysing the relationship between the Eurodac regulation and the rules on screening procedures. Another important area has been the exercise of the right of access to data by people whose information is processed in the system.
In 2025, the Polish authority also carried out supervisory activities concerning the fulfilment of obligations arising from the provisions governing Eurodac. Such activities are important not only formally, but also in practice. They make it possible to check whether national authorities are actually applying the rules in a lawful manner, whether they properly document data operations and whether people covered by the system have a real opportunity to exercise their rights.
The new regulation strengthens the role of national data protection authorities. The tasks of the President of the Polish Personal Data Protection Office include monitoring the lawfulness of personal data processing by competent national authorities. This applies both to the transmission of data to Eurodac and to the use of information stored in the system.
Access to Data for Law Enforcement Purposes
The rules concerning access to Eurodac data for the purposes of maintaining public order and prosecuting criminal offences are of particular importance. Biometric data is one of the most sensitive categories of personal data, which means that its use by law enforcement authorities must be subject to strict control.
Under the new rules, each Member State must ensure an annual independent audit of personal data processing in this area. The audit is to include an analysis of a sample of electronic requests submitted to the system. This means that not only the formal existence of procedures will be checked, but also how they are applied in practice.
The results of such audits will be included in annual reports submitted to the European Parliament, the Council and the European Commission. This is intended to increase the transparency of the use of the system and ensure that access to data for security purposes is not abused.
Migration, Security and Data Protection: A Difficult Balance
The modernisation of Eurodac shows how complex migration management in the European Union is becoming. On the one hand, Member States need effective tools for identification, information exchange and the conduct of asylum procedures. On the other hand, a system based on the extensive processing of biometric data must be constantly assessed from the perspective of fundamental rights, privacy and the principle of proportionality.
The greatest challenge will be to reconcile administrative efficiency with the protection of the individual. People subject to migration and asylum procedures often find themselves in particularly difficult life situations. They do not always know the language of the country in which they are staying, they do not always understand the procedures and they do not always have easy access to legal assistance. For this reason, the right to information and the right of access to data cannot remain merely formal provisions.
The modernised Eurodac system will require Member States not only to maintain efficient technical infrastructure, but also to introduce transparent procedures, provide training for officials and ensure effective supervision. Once biometric data is entered into the system, it may have a significant impact on the legal situation of a specific person. Errors in registration, incorrect attribution of data or unauthorised use of information may lead to serious consequences.
What Do the New Rules Mean in Practice?
For state authorities, the new rules mean a broader range of obligations related to registering, transmitting, using and protecting data. It will be necessary to ensure compliance with EU and national law, maintain documentation, handle the rights of data subjects and cooperate with supervisory authorities.
For people applying for international protection and migrants subject to procedures, this means that their data may be processed more extensively than before. This applies not only to fingerprints, but also to facial images and additional identifying information. In some cases, the system may also contain information related to decisions taken during migration and asylum procedures.
For data protection authorities, the new regulations mean greater responsibility for controlling the system. Supervision of Eurodac will be carried out both at national and European level. The Polish Personal Data Protection Office has announced its active participation in monitoring the application of the new rules and in the work of coordinated supervision.
A New Stage in the Functioning of Eurodac
The application of the regulation establishing the modernised Eurodac system opens a new stage in the management of migration and asylum in the European Union. The system is intended to be more comprehensive, more effective and better adapted to the new procedures provided for under the Pact on Migration and Asylum. At the same time, its expansion means a larger scale of personal data processing, including biometric data.
The coming years will therefore show whether Member States are able to maintain the right balance between security, procedural efficiency and the protection of human rights. In the case of Eurodac, the issue is not merely the technical comparison of data. It is a system that may influence the fate of people who seek protection, move across the borders of the European Union and are subject to some of the most sensitive administrative procedures.
The Polish Personal Data Protection Office emphasises that it will actively participate in monitoring the application of the new rules both in Poland and at European level. The role of data protection authorities will be crucial in this process, as they are responsible for safeguarding the lawfulness of data processing and ensuring respect for the rights of people whose data is entered into the Eurodac system.





