The European Data Protection Board's Coordinated Supervision Committee has extended its mandate to cover Eurodac, the EU's fingerprint database for asylum seekers and irregular migrants. The move places one of the bloc's most sensitive systems under joint oversight by national regulators and the European Data Protection Supervisor, a response to a reformed Eurodac that will soon hold far more personal data on far more people.
The European Data Protection Board has confirmed that its Coordinated Supervision Committee (CSC) is extending its scope to include Eurodac, the large-scale EU information system that stores biometric data on asylum seekers and people who cross the bloc's external borders without authorization. The decision brings one of the most sensitive databases in the European Union under a single coordinated supervision model, shared between national data protection authorities and the European Data Protection Supervisor (EDPS).
For people whose fingerprints and, increasingly, facial images end up in Eurodac, the change matters. It determines who watches over how that data is collected, who can access it, and what recourse exists when something goes wrong.
What happened
The Coordinated Supervision Committee is the body that brings together the EU's national data protection regulators and the EDPS to jointly oversee the bloc's centralized IT systems. Rather than each of the 27 member states supervising the national portion of a database in isolation, the CSC model coordinates that work so that supervision is consistent across borders. The committee already covers systems including the Schengen Information System, the Visa Information System, the Internal Market Information System, Eurojust, and the European Public Prosecutor's Office.
With this latest decision, Eurodac joins that list. The committee will coordinate inspections, share methodology, align on how the relevant data protection rules are interpreted, and produce joint reports on how the system is operating in practice.
Eurodac, short for European Asylum Dactyloscopy, has existed since 2003. Its original purpose was narrow: store the fingerprints of asylum applicants so that authorities could determine which member state was responsible for examining a claim under the Dublin rules, and detect when someone had already applied elsewhere. In its original form it was, in effect, a fingerprint-matching tool.
The legal basis
Supervision of Eurodac sits at the intersection of two regimes. National authorities supervise processing carried out by member state agencies under the General Data Protection Regulation (GDPR) and, where law enforcement access is involved, the Law Enforcement Directive. The EDPS supervises the EU agency that operates the central system, eu-LISA. The Coordinated Supervision Committee is the mechanism that stitches those two layers together so neither operates blind to the other.
The timing is not incidental. Eurodac is being substantially overhauled as part of the EU's Pact on Migration and Asylum, the package of reformed asylum and migration legislation agreed in 2024. The recast Eurodac Regulation widens the database well beyond its origins. It lowers the age at which biometric data is collected from 14 to 6 years old. It adds facial images alongside fingerprints. It expands the categories of people recorded to include those resettled or disembarked after search-and-rescue operations. And it broadens the purposes for which the data can be used, including links to return and migration management.
In plain terms, the database is set to hold more types of data, on more people, including young children, and to be queried for a wider range of reasons. A system designed as a fingerprint index is becoming a much broader biometric register. Extending coordinated supervision is the regulators' answer to that expansion: a recognition that a bigger, more intrusive system needs oversight that can keep pace across every country that feeds into it.
Why it matters for the people in the database
The individuals recorded in Eurodac are among the least able to assert their data protection rights. Asylum seekers and migrants often do not speak the language of the country processing them, may not know which authority holds their data, and are frequently navigating the system from a position of acute vulnerability. The GDPR gives them rights of access, rectification, and erasure, and the right to lodge a complaint with a supervisory authority. In practice, exercising those rights against a cross-border database operated partly by an EU agency and partly by national bodies is daunting.
Coordinated supervision is meant to narrow that gap. When regulators inspect on a common timetable and against a shared methodology, problems that would otherwise surface in only one country, an overly long retention period, weak access controls, or law enforcement queries that exceed what the law permits, become visible across the whole system. Joint reporting also creates a public record that advocacy groups, lawyers, and the European Parliament can use to hold operators accountable.
The biometric nature of the data raises the stakes. Fingerprints and facial images are immutable. A person cannot change their face the way they can change a leaked password. Errors, unauthorized access, or function creep, where data collected for one purpose is gradually used for others, carry consequences that follow people for years. The expansion to children as young as six sharpens those concerns considerably.
Impact on the agencies and member states
For eu-LISA, the agency that runs the central infrastructure, and for the national authorities that collect and enter data, coordinated supervision means a more demanding and more consistent compliance environment. Inspections coordinated across borders are harder to treat as box-ticking exercises. Authorities will be expected to demonstrate that retention limits are enforced, that access logs are kept and reviewed, that law enforcement access requests meet the strict necessity and proportionality tests the regulation requires, and that data quality is maintained so that people are not wrongly matched.
The coordinated model also reduces the risk of divergent interpretations. Without it, one member state might read the rules on retention or law enforcement access differently from another, producing uneven protection depending on where a person happened to be fingerprinted. A single committee working from shared positions pushes toward uniformity.
What changes next
The practical work now begins. The Coordinated Supervision Committee will fold Eurodac into its program of coordinated inspections and is expected to publish joint supervision reports covering the system, as it does for the other databases under its remit. Those reports are typically the documents where structural problems first reach the public.
The extension also positions regulators ahead of the recast regulation's full application, so that oversight structures are in place before the expanded database goes fully live rather than after problems emerge. For digital rights advocates who have warned for years about the steady growth of EU biometric databases and the blurring of lines between migration management and law enforcement, putting Eurodac under coordinated supervision is a necessary safeguard, even if they will argue it does not address their deeper objections to the scope of the system itself.
The broader pattern is clear enough. The EU is building ever larger interoperable systems that pool biometric and identity data across borders. Whether oversight can scale alongside that ambition is the open question, and the decision to bring Eurodac under coordinated supervision is one test of the answer. More information on the committee's work is available through the EDPB's coordinated supervision pages.
Comments
Please log in or register to join the discussion