Regulation (EU) 2024/1358 of the European Parliament and of the Council of 14 May 2024 on the establishment of ‘Eurodac’ for the comparison of biometric data in order to effectively apply Regulations (EU) 2024/1351 and (EU) 2024/1350 of the European Parliament and of the Council and Council Directive 2001/55/EC and to identify illegally staying third-country nationals and stateless persons and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, amending Regulations (EU) 2018/1240 and (EU) 2019/818 of the European Parliament and of the Council and repealing Regulation (EU) No 603/2013 of the European Parliament and of the Council
Regulation (EU) 2024/1358 of the European Parliament and of the Councilof 14 May 2024on the establishment of Eurodac for the comparison of biometric data in order to effectively apply Regulations (EU) 2024/1351 and (EU) 2024/1350 of the European Parliament and of the Council and Council Directive 2001/55/EC and to identify illegally staying third-country nationals and stateless persons and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, amending Regulations (EU) 2018/1240 and (EU) 2019/818 of the European Parliament and of the Council and repealing Regulation (EU) No 603/2013 of the European Parliament and of the CouncilTHE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,Having regard to the Treaty on the Functioning of the European Union, and in particular Article 78(2), points (c), (d), (e) and (g), Article 79(2), point (c), Article 87(2), point (a), and Article 88(2), point (a), thereof,Having regard to the proposal from the European Commission,After transmission of the draft legislative act to the national parliaments,Having regard to the opinions of the European Economic and Social CommitteeOJ C 34, 2.2.2017, p. 144 and OJ C 155, 30.4.2021, p. 64.,Having regard to the opinions of the Committee of the RegionsOJ C 185, 9.6.2017, p. 91 and OJ C 175, 7.5.2021, p. 32.,Acting in accordance with the ordinary legislative procedurePosition of the European Parliament of 10 April 2024 (not yet published in the Official Journal) and decision of the Council of 14 May 2024.,Whereas:(1)A common policy on asylum, including a Common European Asylum System, is a constituent part of the Union’s objective of progressively establishing an area of freedom, security and justice open to those who, forced by circumstances, seek international protection in the Union.(2)For the purpose of applying Regulation (EU) 2024/1351 of the European Parliament and of the CouncilRegulation (EU) 2024/1351 of the European Parliament and the Council of 14 May 2024 on asylum and migration management, amending Regulations (EU) 2021/1147 and (EU) 2021/1060 and repealing Regulation (EU) No 604/2013 (OJ L, 2024/1351, 22.5.2024, ELI: http://data.europa.eu/eli/reg/2024/1351/oj)., it is necessary to establish the identity of applicants for international protection and of persons apprehended in connection with the irregular crossing of the external borders of the Member States. In order to apply that Regulation effectively, it is also desirable to allow each Member State to check whether a third-country national or stateless person found to be illegally staying on its territory has applied for international protection in another Member State.(3)Moreover, for the purpose of applying Regulation (EU) 2024/1351 effectively, it is necessary to clearly record in Eurodac the fact that there has been a shift of responsibility between Member States, including in cases of relocation.(4)In order to apply Regulation (EU) 2024/1351 effectively and to detect any secondary movements within the Union, it is also necessary to allow each Member State to check whether a third-country national or a stateless person who is found to be illegally staying on its territory or who applies for international protection has been granted international protection or humanitarian status under national law by another Member State in accordance with Regulation (EU) 2024/1350 of the European Parliament and of the CouncilRegulation (EU) 2024/1350 of the European Parliament and the Council of 14 May 2024 establishing a Union Resettlement and Humanitarian Admission Framework, and amending Regulation (EU) 2021/1147 (OJ L, 2024/1350, 22.5.2024, ELI: http://data.europa.eu/eli/reg/2024/1350/oj). or in accordance with a national resettlement scheme. For that purpose, the biometric data of persons registered for the purpose of conducting an admission procedure should be stored in Eurodac as soon as the international protection or humanitarian status under national law is granted, and no later than 72 hours thereafter.(5)In order to apply Regulation (EU) 2024/1350 efficiently, it is necessary to allow each Member State to check whether a third-country national or a stateless person has been granted international protection or humanitarian status under national law in accordance with that Regulation by another Member State or has been admitted to the territory of a Member State in accordance with a national resettlement scheme. In order to be able to apply the relevant grounds for refusal provided for in that Regulation within the context of a new admission procedure, Member States also need information on the conclusion of previous admission procedures and information on any decision on granting international protection or humanitarian status under national law. Furthermore, information on a decision on granting international protection or humanitarian status under national law is necessary to identify the Member State that concluded the procedure and thus enable other Member States to seek supplementary information from that Member State.(6)Furthermore, in order to reflect accurately the obligations Member States have under international law to conduct search and rescue operations and to provide a more accurate picture of the composition of migratory flows in the Union, it is also necessary to record in Eurodac the fact that the third-country nationals or stateless persons were disembarked following search and rescue operations, including for statistical purposes. Without prejudice to the application of Regulation (EU) 2024/1351, the recording of that fact should not result in any difference of treatment of persons registered in Eurodac upon apprehension in connection with the irregular crossing of an external border. That should be without prejudice to the rules under Union law applicable to third-country nationals or stateless persons disembarked following search and rescue operations.(7)Furthermore, for the purpose of supporting the asylum system by applying Regulations (EU) 2024/1351, (EU) 2024/1348Regulation (EU) 2024/1348 of the European Parliament and the Council of 14 May 2024 establishing a common procedure for international protection in the Union and repealing Directive 2013/32/EU (OJ L, 2024/1348, 22.5.2024, ELI: http://data.europa.eu/eli/reg/2024/1348/oj). and (EU) 2024/1347 of the European Parliament and of the CouncilRegulation (EU) 2024/1347 of the European Parliament and the Council of 14 May 2024 on standards for the qualification of third-country nationals or stateless persons as beneficiaries of international protection, for a uniform status for refugees or for persons eligible for subsidiary protection and for the content of the protection granted, amending Council Directive 2003/109/EC and repealing Directive 2011/95/EU of the European Parliament and of the Council (OJ L, 2024/1347, 22.5.2024, ELI: http://data.europa.eu/eli/reg/2024/1347/oj). and Directive (EU) 2024/1346 of the European Parliament and of the CouncilDirective (EU) 2024/1346 of the European Parliament and the Council of 14 May 2024 laying down standards for the reception of applicants for international protection (OJ L, 2024/1346, 22.5.2024, ELI: http://data.europa.eu/eli/dir/2024/1346/oj)., it is necessary to record whether, following security checks referred to in this Regulation, it appears that a person could pose a threat to internal security. That recording should be carried out by the Member State of origin. The existence of such a record in Eurodac is without prejudice to the requirement of an individual examination under Regulations (EU) 2024/1347 and (EU) 2024/1348. The record should be erased if the investigation shows that there are insufficient grounds for considering that the person concerned represents a threat to internal security.(8)Following the security checks referred to in this Regulation, the fact that a person could pose a threat to internal security ("security flag") should only be recorded in Eurodac if the person is violent or unlawfully armed or where there are clear indications that the person is involved in any of the offences referred to in Directive (EU) 2017/541 of the European Parliament and of the CouncilDirective (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6). or in any of the offences referred to in Council Framework Decision 2002/584/JHACouncil Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).. When assessing whether a person is unlawfully armed, it is necessary that a Member State determine whether the person is carrying a firearm without a valid permit or authorisation or any other type of prohibited weapon as defined under national law. When assessing whether a person is violent, it is necessary that a Member State determine whether the person has displayed behaviour that results in physical harm to other persons that would amount to a criminal offence under national law.(9)Council Directive 2001/55/ECCouncil Directive 2001/55/EC of 20 July 2001 on minimum standards for giving temporary protection in the event of a mass influx of displaced persons and on measures promoting a balance of efforts between Member States in receiving such persons and bearing the consequences thereof (OJ L 212, 7.8.2001, p. 12). provides for a system of temporary protection which was activated for the first time by means of Council Implementing Decision (EU) 2022/382Council Implementing Decision (EU) 2022/382 of 4 March 2022 establishing the existence of a mass influx of displaced persons from Ukraine within the meaning of Article 5 of Directive 2001/55/EC, and having the effect of introducing temporary protection (OJ L 71, 4.3.2022, p. 1). in response to the war in Ukraine. Pursuant to that system of temporary protection, Member States are to register persons enjoying temporary protection on their territory. Member States are also required, inter alia, to reunite family members and to cooperate with each other with regard to the transferral of the residence of persons enjoying temporary protection from one Member State to another. It is appropriate to supplement the data collection provisions in Directive 2001/55/EC by including persons enjoying temporary protection in Eurodac. In that regard, biometric data are an important element in establishing such persons’ identity or family relationships, and thus protecting a substantial public interest within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the CouncilRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).. Moreover, by including the biometric data of beneficiaries of temporary protection in Eurodac rather than in a peer-to-peer system between Member States, such persons will benefit from the safeguards and protections laid down in this Regulation, in particular with regard to data retention periods, which should be as short as possible.(10)However, in view of the fact that a platform has already been set up by the Commission, in cooperation with the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), established by Regulation (EU) 2018/1726 of the European Parliament and of the CouncilRegulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99)., and the Member States, to deal with the information exchanges necessary pursuant to Directive 2001/55/EC, it is appropriate to exclude from Eurodac persons enjoying temporary protection pursuant to Implementing Decision (EU) 2022/382 and any other equivalent national protection pursuant thereto. Such exclusion should also apply in respect of any future amendments to Implementing Decision (EU) 2022/382 and any extensions of that temporary protection.(11)It is appropriate to defer the collection and transmission of biometric data of third-country nationals or stateless persons registered as a beneficiary of temporary protection to three years after the entry into application of the other provisions of this Regulation, in order to ensure sufficient time for the Commission to assess the functioning and the operational efficiency of any IT system used to exchange the data of beneficiaries of temporary protection and the expected impact of such collection and transmission in the event that Directive 2001/55/EC is activated.(12)Biometrics constitute an important element in establishing the exact identity of the persons falling under the scope of this Regulation because they ensure a high level of accuracy of identification. Therefore, it is necessary to set up a system for the comparison of such persons’ biometric data.(13)It is also necessary to ensure that the system for the comparison of biometric data functions within the interoperability framework established by Regulations (EU) 2019/817Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27). and (EU) 2019/818Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85). of the European Parliament and of the Council in accordance with this Regulation and with Regulation (EU) 2016/679, in particular with the principles of necessity and proportionality and with the principle of purpose limitation set out in Regulation (EU) 2016/679.(14)The reuse by Member States of the biometric data of third-country nationals or stateless persons that have already been taken pursuant to this Regulation for the purposes of transmission to Eurodac in accordance with the conditions set out in this Regulation should be encouraged.(15)Furthermore, it is necessary to introduce provisions that frame the access of European Travel Information and Authorization System (ETIAS) national units and of competent visa authorities to Eurodac in accordance with Regulations (EU) 2018/1240Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1). and (EC) No 767/2008Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60). of the European Parliament and of the Council, respectively.(16)For the purpose of assisting in the control of irregular immigration and of providing statistics to support evidence-based policy making, eu-LISA should be able to produce cross-system statistics using data from Eurodac, the Visa Information System (VIS), ETIAS and the Entry/Exit System (EES), established by Regulation (EU) 2017/2226 of the European Parliament and of the CouncilRegulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20).. In order to specify the content of those cross-system statistics, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the CouncilRegulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13)..(17)It is therefore necessary to set up a system known as "Eurodac", consisting of a Central System and the Common Identity Repository (CIR) established by Regulation (EU) 2019/818, which will operate a computerised central database of biometric data, alphanumeric data and, where available, a scanned colour copy of an identity or travel document, as well as the electronic means of transmission between Eurodac and the Member States (the "Communication Infrastructure").(18)In its communication of 13 May 2015 entitled "A European Agenda on Migration", the Commission noted that Member States must also implement fully the rules on taking migrants’ fingerprints at the borders, and further proposed that it will also explore how more biometric identifiers, such as using facial recognition techniques through digital photos, can be used through Eurodac.(19)For the purpose of obtaining a high level of accuracy of identification, fingerprints should always be preferred over facial images. To that end, Member States should exhaust all avenues for ensuring that fingerprints can be taken from the data subject before carrying out a comparison using exclusively a facial image. To assist Member States in overcoming challenges, where it is impossible to take the fingerprints of the third-country national or stateless person because his or her fingertips are damaged, whether intentionally or not, or amputated, this Regulation should allow Member States to carry out a comparison using a facial image without taking fingerprints.(20)The return of third-country nationals or stateless persons who do not have a right to stay in the Union, in accordance with fundamental rights as a general principle of Union law, as well as international law, including refugee protection, the principle of non-refoulement and human rights obligations, and in compliance with Directive 2008/115/EC of the European Parliament and of the CouncilDirective 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, p. 98)., is an important part of the comprehensive efforts to address migration in a fair and efficient way and, in particular, to reduce and deter irregular immigration. An increase in the effectiveness of the Union system to return illegally staying third-country nationals or stateless persons is necessary in order to maintain public trust in the Union migration and asylum system, and should go hand in hand with efforts to protect those in need of protection.(21)For that purpose, it is also necessary to clearly record in Eurodac the fact that an application for international protection has been rejected where the third-country national or stateless person has no right to remain and has not been allowed to remain in accordance with Regulation (EU) 2024/1348.(22)National authorities in the Member States experience difficulties in identifying illegally staying third-country nationals or stateless persons with a view to their return and readmission. It is therefore essential to ensure that data on third-country nationals or stateless persons who are staying illegally in the Union are collected and transmitted to Eurodac and are also compared with data collected and transmitted for the purpose of establishing the identity of applicants for international protection and of third-country nationals or stateless persons apprehended in connection with the irregular crossing of the external borders of the Member States, in order to facilitate their identification and re-documentation, to ensure their return and readmission, and to reduce identity fraud. That collection, transmission and comparison of data should also contribute to reducing the length of the administrative procedures necessary for ensuring the return and readmission of illegally staying third-country nationals or stateless persons, including the period during which they may be kept in administrative detention awaiting removal. It should also enable the identification of third countries of transit, where the illegally staying third-country national or stateless person may be readmitted.(23)With a view to facilitating the procedures for the identification and the issuance of travel documents for return purposes of illegally staying third-country nationals or stateless persons, a scanned colour copy of an identity or travel document should be recorded in Eurodac, where available, along with an indication of its authenticity. If such an identity or travel document is not available, only one other available document identifying the third-country national or stateless person should be recorded in Eurodac along with an indication of its authenticity. In order to facilitate the procedures for the identification and the issuance of travel documents for return purposes of illegally staying third-country nationals or stateless persons, and in order not to populate the system with counterfeit documents, only documents validated as authentic or the authenticity of which cannot be established due to the absence of security features should be kept in the system.(24)In its conclusions on the future of return policy of 8 October 2015, the Council endorsed the initiative announced by the Commission to explore an extension of the scope and purpose of Eurodac to enable the use of data for return purposes. Member States should have the necessary tools at their disposal to be able to control illegal migration to the Union and to detect secondary movements within the Union and illegally staying third-country nationals and stateless persons in the Union. Therefore, the data in Eurodac should be available, subject to the conditions set out in this Regulation, for comparison by the Member States’ designated authorities.(25)The European Border and Coast Guard Agency, established by Regulation (EU) 2019/1896 of the European Parliament and of the CouncilRegulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 (OJ L 295, 14.11.2019, p. 1)., supports Member States in their efforts to better manage the external borders and control illegal immigration. The European Union Agency for Asylum, established by Regulation (EU) 2021/2303 of the European Parliament and of the CouncilRegulation (EU) 2021/2303 of the European Parliament and of the Council of 15 December 2021 on the European Union Agency for Asylum and repealing Regulation (EU) No 439/2010 (OJ L 468, 30.12.2021, p. 1)., provides operational and technical assistance to Member States. Consequently, authorised users of those agencies, as well as of other agencies acting in the field of Justice and Home Affairs, should be provided with access to the central repository if such access is relevant for the implementation of their tasks in line with relevant data protection safeguards.(26)As members of the European Border and Coast Guard Teams and experts of the asylum support teams referred to in Regulations (EU) 2019/1896 and (EU) 2021/2303, respectively, may, upon request of the host Member State, take and transmit biometric data, adequate technological solutions should be developed to ensure that efficient and effective assistance is provided to the host Member State.(27)Moreover, in order for Eurodac to effectively assist in the control of irregular immigration to the Union and in the detection of secondary movements within the Union, it is necessary to allow the system to count applicants, as well as applications, by linking all datasets corresponding to one person, regardless of their category, in one sequence. Where a dataset registered in Eurodac is erased, any link to that dataset should be automatically erased.(28)In the fight against terrorist offences and other serious criminal offences, it is essential for law enforcement authorities to have the fullest and most up-to-date information if they are to perform their tasks. The information contained in Eurodac is necessary for the purposes of the prevention, detection or investigation of terrorist offences as referred to in Directive (EU) 2017/541 or of other serious criminal offences as referred to in Framework Decision 2002/584/JHA. Therefore, the data in Eurodac should be available, subject to the conditions set out in this Regulation, for comparison by Member States’ designated authorities and the designated authority of the European Union Agency for Law Enforcement Cooperation (Europol), established by Regulation (EU) 2016/794 of the European Parliament and of the CouncilRegulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53)..(29)The powers granted to law enforcement authorities to access Eurodac should be without prejudice to the right of an applicant for international protection to have his or her application processed in due course in accordance with the relevant law. Furthermore, any subsequent follow-up after obtaining a "hit" from Eurodac should also be without prejudice to that right.(30)In its communication to the Council and the European Parliament of 24 November 2005 on improved effectiveness, enhanced interoperability and synergies among European databases in the area of Justice and Home Affairs, the Commission outlined that authorities responsible for internal security could have access to Eurodac in well-defined cases, when there is a substantiated suspicion that the perpetrator of a terrorist offence or other serious criminal offence has applied for international protection. In that communication, the Commission stated that the proportionality principle requires that Eurodac be queried for such purposes only if there is an overriding public security concern, that is, if the act committed by the criminal or terrorist to be identified is so reprehensible that it justifies querying a database that registers persons with a clean criminal record, and concluded that the threshold for authorities responsible for internal security to query Eurodac must therefore always be significantly higher than the threshold for querying criminal databases.(31)Moreover, Europol plays a key role with respect to cooperation between Member States’ authorities in the field of cross-border crime investigation in supporting Union-wide crime prevention, analyses and investigation. Consequently, Europol should also have access to Eurodac within the framework of its tasks and in accordance with Regulation (EU) 2016/794.(32)Requests for comparison of Eurodac data by Europol should be allowed only in specific cases, under specific circumstances and under strict conditions, in line with the principles of necessity and proportionality enshrined in Article 52(1) of the Charter of Fundamental Rights of the European Union (the "Charter") and as interpreted by the Court of Justice of the European Union (the "Court of Justice")Judgment of the Court of Justice of 8 April 2014, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined cases C-293/12 and C-594/12, ECLI:EU:C:2014:238; Judgment of the Court of Justice of 21 December 2016, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, Joined cases C-203/15 and C-698/15, ECLI:EU:C:2016:970..(33)Since Eurodac was originally established to facilitate the application of the Dublin ConventionConvention determining the State responsible for examining applications for asylum lodged in one of the Member States of the European Communities — Dublin Convention (OJ C 254, 19.8.1997, p. 1)., access to Eurodac for the purpose of preventing, detecting or investigating terrorist offences or other serious criminal offences constitutes a further development to the original purpose of Eurodac. In line with Article 52(1) of the Charter, any limitation on the exercise of the fundamental right to respect for the private life of individuals whose personal data are processed in Eurodac must be provided for by law, which must be formulated with sufficient precision to allow individuals to adjust their conduct, and must protect individuals against arbitrariness and indicate with sufficient clarity the scope of discretion conferred on the competent authorities and the manner of its exercise. Subject to the principle of proportionality, any such limitation must be necessary and genuinely meet objectives of general interest recognised by the Union.(34)Although the original purpose of the establishment of Eurodac did not require the possibility of requesting comparisons of data with the database on the basis of a latent fingerprint, which is the dactyloscopic trace which may be found at a crime scene, such a feature is fundamental in the field of police cooperation. The possibility to compare a latent fingerprint with the fingerprint data which is stored in Eurodac in cases where there are reasonable grounds for believing that the perpetrator or victim might fall under one of the categories covered by this Regulation would provide the Member States’ designated authorities with a very valuable tool in preventing, detecting or investigating terrorist offences or other serious criminal offences when, for example, the only evidence available at a crime scene are latent fingerprints.(35)This Regulation also lays down the conditions under which requests for the comparison of biometric or alphanumeric data with Eurodac data for the purpose of preventing, detecting, or investigating terrorist offences or other serious criminal offences should be allowed and the necessary safeguards to ensure the protection of the fundamental right to respect for the private life of individuals whose personal data are processed in Eurodac. The strictness of those conditions reflects the fact that the Eurodac database registers biometric and alphanumeric data of persons who are not presumed to have committed a terrorist offence or other serious criminal offence. It is acknowledged that law enforcement authorities and Europol do not always have the biometric data of the suspect or victim whose case they are investigating, which might hamper their ability to check biometric matching databases such as Eurodac. It is important to equip law enforcement authorities and Europol with the necessary tools to prevent, detect and investigate terrorist offences or other serious criminal offences where it is necessary to do so. In order to contribute further to the investigations carried out by those authorities and Europol, searches based on alphanumeric data should be allowed in Eurodac, in particular in cases where no biometric evidence can be found but where those authorities and Europol possess evidence of the personal details or identity documents of the suspect or victim.(36)The expansion of the scope of and simplification of the access to Eurodac for law enforcement purposes should help Member States deal with the increasingly complicated operational situations and cases involving cross-border crimes and terrorism with a direct impact on the security situation in the Union. The conditions for access to Eurodac for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences should also allow the law enforcement authorities of the Member States to tackle cases of suspects using multiple identities. For that purpose, obtaining a hit during a consultation of a relevant database prior to accessing Eurodac should not prevent such access. It can also be a useful tool to respond to the threat from radicalised persons or terrorists who might have been registered in Eurodac. A broader and simpler access to Eurodac for law enforcement authorities of the Member States should, while guaranteeing full respect for fundamental rights, enable Member States to use all existing tools to ensure an area of freedom, security and justice.(37)With a view to ensuring equal treatment for all applicants and beneficiaries of international protection, as well as in order to ensure consistency with the current Union asylum acquis, in particular with Regulations (EU) 2024/1347, (EU) 2024/1350 and (EU) 2024/1351, this Regulation includes in its scope applicants for subsidiary protection and persons eligible for subsidiary protection.(38)It is also necessary that Member States promptly take and transmit the biometric data of every applicant for international protection, of every person for whom Member States intend to conduct an admission procedure in accordance with Regulation (EU) 2024/1350, of every third-country national or stateless person who is apprehended in connection with the irregular crossing of an external border of a Member State or is found to be staying illegally in a Member State, and of every person disembarked following a search and rescue operation, provided that they are at least six years of age.(39)The obligation to take the biometric data of illegally staying third-country nationals or stateless persons of at least six years of age does not affect Member States’ right to extend a third-country national or stateless person’s stay on their territory pursuant to Article 20(2) of the Convention implementing the Schengen AgreementConvention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (OJ L 239, 22.9.2000, p. 19)..(40)The fact that the application for international protection follows or is made simultaneously with the apprehension of the third-country national or stateless person in connection with the irregular crossing of the external borders does not exempt Member States from registering those persons as persons apprehended in connection with the irregular crossing of the external border.(41)The fact that the application for international protection follows or is made simultaneously with the apprehension of the third-country national or stateless person illegally staying on the territory of Member States, does not exempt Member States from registering those persons as persons found to be illegally staying on the territory of the Member States.(42)The fact that the application for international protection follows or is made simultaneously with the disembarkation following a search and rescue operation of the third-country national or stateless person does not exempt Member States from registering those persons as persons disembarked following a search and rescue operation.(43)The fact that an application for international protection follows or is made simultaneously with the registration of the beneficiary of temporary protection does not exempt Member States from registering those persons as beneficiaries of temporary protection.(44)With a view to strengthening the protection of all children falling under the scope of this Regulation, including unaccompanied minors who have not applied for international protection and children who might become separated from their families, it is also necessary to take biometric data for storage in Eurodac to help establish the identity of children and to assist Member States in tracing any of their family members in, or links they might have with, another Member State, as well as in tracing missing children, including for law enforcement purposes, by complementing the existing instruments, in particular the Schengen Information System (SIS) established by Regulation (EU) 2018/1862 of the European Parliament and of the CouncilRegulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).. Effective identification procedures will assist Member States in guaranteeing the adequate protection of children. Establishing family links is a key element in restoring family unity and must be closely linked to the determination of the best interests of the child and, eventually, the determination of a sustainable solution in accordance with national practices following a needs assessment by the competent national child protection authorities.(45)The official responsible for taking the biometric data of a minor should receive training so that sufficient care is taken to ensure an adequate quality of biometric data of the minor and to guarantee that the process is child friendly so that the minor, particularly a very young minor, feels safe and can readily cooperate in the process of having his or her biometric data taken.(46)Any minor from the age of six years old and above should be accompanied by, where present, an adult family member throughout the time when his or her biometric data are taken. The unaccompanied minor should be accompanied by a representative or, where a representative has not been designated, a person trained to safeguard the best interests of the child and his or her general wellbeing, throughout the time his or her biometric data are taken. Such a trained person should not be the official responsible for taking the biometric data, should act independently and should not receive orders either from the official or the service responsible for taking the biometric data. Such a trained person should be the person designated to provisionally act as a representative under Directive (EU) 2024/1346 where that person has been designated.(47)The best interests of the child should be a primary consideration for Member States when applying this Regulation. Where the requesting Member State establishes that Eurodac data pertain to a child, those data may only be used for law enforcement purposes, in particular those relating to the prevention, detection and investigation of child trafficking and other serious crimes against children, by the requesting Member State and in accordance with that Member State’s laws applicable to minors and in accordance with the obligation to give primary consideration to the best interests of the child.(48)It is necessary to lay down precise rules for the transmission of such biometric data and of other relevant personal data in Eurodac, their storage, their comparison with other biometric data, the transmission of the results of such comparisons and the marking and erasure of the recorded data. Such rules may be different for, and should be specifically adapted to, the situation of different categories of third-country nationals or stateless persons.(49)Member States should ensure the transmission of biometric data of an appropriate quality for the purposes of comparison by means of the computerised fingerprint and facial recognition system. All authorities with a right of access to Eurodac should invest in adequate training and in the necessary technological equipment. The authorities with a right of access to Eurodac should inform eu-LISA of specific difficulties encountered with regard to the quality of data in order to resolve them.(50)The fact that it is temporarily or permanently impossible to take or to transmit the biometric data of a person, due to, inter alia, insufficient quality of the data for appropriate comparison, technical problems, reasons linked to the protection of health or the data subject being unfit or unable to have his or her biometric data taken owing to circumstances beyond his or her control, should not adversely affect the examination of or the decision on that person’s application for international protection.(51)Member States should take into account the Commission Staff Working Document on Implementation of the Eurodac Regulation as regards the obligation to take fingerprints, which the Council, on 20 July 2015, invited Member States to follow. It sets out a best-practice approach to taking fingerprints. Where relevant, Member States should also take into account the Checklist to act in compliance with fundamental rights when obtaining fingerprints for Eurodac, published by the European Union Agency for Fundamental Rights, which aims to assist them with complying with fundamental rights obligations when taking fingerprints.(52)Member States should inform all persons required by this Regulation to give biometric data of their obligation to do so. Member States should also explain to those persons that it is in their interests to fully and immediately cooperate with the procedure by providing their biometric data. Where a Member State’s national law lays down administrative measures that provide for the possibility of taking biometric data by means of coercion as a last resort, those measures are to fully respect the Charter. Only in duly justified circumstances and as a last resort, having exhausted other possibilities, can a proportionate degree of coercion be used to ensure the compliance of third-country nationals or stateless persons who are deemed to be vulnerable persons, and minors, with the obligation to provide biometric data.(53)Where detention is used in order to determine or verify a third-country national’s or stateless person’s identity, it should only be used by Member States as a means of last resort and in full respect of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in compliance with relevant Union law, including the Charter.(54)Where necessary, hits should be checked by a trained fingerprint expert in order to ensure the accurate determination of responsibility under Regulation (EU) 2024/1351, the exact identification of the third-country national or stateless person and the exact identification of the criminal suspect or victim of crime whose data might be stored in Eurodac. Checks by a trained expert should be considered necessary where there is doubt as to whether the result of the comparison of the fingerprint data relates to the same person, in particular where the data corresponding to a fingerprint hit belong to a person of a different sex or where the facial image data do not correspond to the facial feature of the person whose biometric data were taken. Hits obtained from Eurodac based on facial images should also be checked by an expert trained in accordance with national practice, where the comparison is made with facial image data only. Where a fingerprint and facial image data comparison is carried out simultaneously and hits are returned for both biometric datasets, Member States should be able to check the result of the comparison of the facial image data.(55)Third-country nationals or stateless persons who have requested international protection in one Member State might try to request international protection in another Member State for many years to come. The maximum period during which the biometric data of third-country nationals or stateless persons who have requested international protection can be kept in Eurodac should be strictly limited to the extent necessary and should be proportionate, in line with the principle of proportionality enshrined in Article 52(1) of the Charter and as interpreted by the Court of Justice. Given that most third-country nationals or stateless persons who have stayed in the Union for several years will have obtained a settled status or even citizenship of a Member State after that period, a period of 10 years should be considered a reasonable period for the storage of biometric and alphanumeric data.(56)In its conclusions on Statelessness of 4 December 2015, the Council and the Representatives of the Governments of the Member States recalled the Union’s pledge of September 2012 that all Member States were to accede to the Convention relating to the Status of Stateless Persons done at New York on 28 September 1954 and were to consider acceding to the Convention on the Reduction of Statelessness done at New York on 30 August 1961.(57)For the purpose of applying the grounds for refusal under Regulation (EU) 2024/1350, the biometric data of third-country nationals or stateless persons registered for the purpose of conducting an admission procedure under that Regulation should be taken, transmitted to Eurodac and compared against the data stored in Eurodac of beneficiaries of international protection, of persons who have been granted international protection or humanitarian status under national law in accordance with that Regulation, of persons who have been refused admission to a Member State on one of the grounds referred to in that Regulation, namely that there were reasonable grounds for considering that third-country national or stateless person as a danger to the community, public policy, security or public health of the Member State concerned or the ground that an alert has been issued in the SIS or in a national database of a Member State for the purpose of refusing entry, or in respect of whom that admission procedure has been discontinued because they have not given or have withdrawn their consent, and of persons who have been admitted under a national resettlement scheme. Therefore, those categories of data should be stored in Eurodac and made available for comparison.(58)For the purpose of applying Regulations (EU) 2024/1350 and (EU) 2024/1351, the biometric data of third-country nationals or stateless persons granted international protection or humanitarian status under national law in accordance with Regulation (EU) 2024/1350 should be stored in Eurodac for five years from the date on which they were taken. Such a period should be sufficient given the fact that the majority of such persons will have resided for several years in the Union and will have obtained a long-term resident status or even citizenship of a Member State.(59)Where a third-country national or a stateless person has been refused admission to a Member State on one of the grounds set out in Regulation (EU) 2024/1350, namely that there were reasonable grounds for considering that third-country national or stateless person as a danger to the community, public policy, security or public health of the Member State concerned or the ground that an alert has been issued in the SIS or in a national database of a Member State for the purpose of refusing entry, the related data should be stored for a period of three years from the date on which the negative conclusion on admission was reached. It is necessary to store such data for that length of time in order to allow other Member States conducting an admission procedure to receive information, including any information on the marking of data by other Member States, from Eurodac throughout the admission procedure, where necessary, by applying the grounds for refusal set out in Regulation (EU) 2024/1350. In addition, data on admission procedures that have previously been discontinued because the third-country nationals or stateless persons have not given or have withdrawn their consent should be stored for three years in Eurodac in order to allow the other Member States conducting an admission procedure to reach a negative conclusion, as permitted by that Regulation.(60)The transmission of data of persons registered for the purpose of conducting an admission procedure in Eurodac should contribute to limiting the number of Member States that exchange those persons’ personal data during a subsequent admission procedure, and should thus contribute to ensuring compliance with the principle of data minimisation.(61)Where a hit is received by a Member State from Eurodac that can assist that Member State in carrying out its obligations necessary for the application of the grounds for refusing admission under Regulation (EU) 2024/1350, the Member State of origin which had previously refused to admit a third-country national or a stateless person should promptly exchange supplementary information with the Member State that received the hit in accordance with the principle of sincere cooperation and subject to the principles of data protection. Such an exchange of data should allow the Member State that received the hit to reach a conclusion on the admission within the time limit set in that Regulation for concluding the admission procedure.(62)The obligation to take and transmit the biometric data of persons registered for the purpose of conducting an admission procedure should not apply where the Member State in question discontinues the procedure before the biometric data were taken.(63)With a view to successfully preventing and monitoring unauthorised movements of third-country nationals or stateless persons who do not have a right to stay in the Union and to taking the necessary measures for successfully enforcing effective return and readmission to third countries in accordance with Directive 2008/115/EC and in view of the right to protection of personal data, a period of five years should be considered necessary for the storage of biometric and alphanumeric data.(64)In order to support Member States in their administrative cooperation during the implementation of Directive 2001/55/EC, data of beneficiaries of temporary protection should be kept in Eurodac for a period of one year from the date of entry into force of the relevant Council Implementing Decision. The retention period should be extended every year for the duration of the temporary protection.(65)The storage period should be shorter in certain special situations where there is no need to keep biometric data or any other personal data for that length of time. Biometric data and all other personal data belonging to third-country nationals or stateless persons should be erased immediately and permanently once third-country nationals or stateless persons obtain citizenship of a Member State.(66)It is appropriate to store data relating to those data subjects whose biometric data were recorded in Eurodac upon making or registering their applications for international protection and who have been granted international protection in a Member State in order to make it possible for data recorded upon registering or making another application for international protection to be compared against the data previously recorded.(67)eu-LISA has been entrusted with the Commission’s tasks relating to the operational management of Eurodac in accordance with this Regulation and with certain tasks relating to the Communication Infrastructure as from 1 December 2012, the date on which eu-LISA took up its responsibilities. In addition, Europol should have observer status at the meetings of the Management Board of eu-LISA when a question in relation to the application of this Regulation concerning access to Eurodac for consultation by the Member States’ designated authorities and the Europol designated authority for the purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences is on the agenda. Europol should be able to appoint a representative to the Eurodac Advisory Group of eu-LISA.(68)It is necessary to lay down clearly the responsibilities of the Commission and eu-LISA as regards Eurodac and the Communication Infrastructure and the responsibilities of the Member States as regards data processing, data security, access to, and rectification of, recorded data.(69)It is necessary to designate the competent authorities of the Member States as well as the National Access Point through which the requests for comparison with Eurodac data are made and to keep a list of the operating units within the designated authorities that are authorised to request such comparison for the specific purposes of the prevention, detection or investigation of terrorist offences or of other serious criminal offences.(70)It is necessary to designate and keep a list of the operating units of Europol that are authorised to request comparisons with Eurodac data through the Europol Access Point. Such units, including units dealing with trafficking in human beings, sexual abuse and sexual exploitation, in particular where victims are minors, should be authorised to request comparisons with Eurodac data through the Europol Access Point in order to support and strengthen action by Member States in preventing, detecting or investigating terrorist offences or other serious criminal offences falling within Europol’s mandate.(71)Requests for comparison with data stored in Eurodac should be made by the operating units within the designated authorities to the National Access Point, through the verifying authority, and should be reasoned. The operating units within the designated authorities that are authorised to request comparisons with Eurodac data should not act as a verifying authority. The verifying authorities should act independently of the designated authorities and should be responsible for ensuring, in an independent manner, strict compliance with the conditions for access laid down in this Regulation. The verifying authorities should then forward the request, without forwarding the reasons for it, for comparison through the National Access Point to Eurodac following verification that all the conditions for access have been fulfilled. In exceptional cases of urgency where early access is necessary to respond to a specific and actual threat related to terrorist offences or other serious criminal offences, it should be possible for the verifying authority to forward the request immediately and only carry out the verification afterwards.(72)It should be possible for the designated authority and the verifying authority to be part of the same organisation, if permitted under national law, but the verifying authority should act independently when performing its tasks under this Regulation.(73)For the purpose of protecting personal data, and to exclude systematic comparisons which should be forbidden, the processing of Eurodac data should only take place in specific cases and when it is necessary for the purpose of preventing, detecting or investigating terrorist offences or other serious criminal offences. A specific case exists, in particular, when the request for comparison is connected to a specific and concrete situation, to a specific and concrete danger associated with a terrorist offence or other serious criminal offence, or to specific persons in respect of whom there are serious grounds for believing that they will commit or have committed any such offence. A specific case also exists when the request for comparison is connected to a person who is the victim of a terrorist offence or other serious criminal offence. The Member States’ designated authorities and the Europol designated authority should thus only request a comparison with Eurodac when they have reasonable grounds to believe that such a comparison will provide information that will substantially assist them in preventing, detecting or investigating a terrorist offence or other serious criminal offence.(74)In addition, access should be allowed on condition that a prior search in the national biometric databases of the Member State and in the automated fingerprinting identification systems of all other Member States under Council Decision 2008/615/JHACouncil Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p. 1). has been conducted, unless the consultation of CIR in accordance with Article 22(2) of Regulation (EU) 2019/818 indicates that the data of the person concerned are stored in Eurodac. That condition requires the requesting Member State to conduct comparisons with the automated fingerprinting identification systems of all other Member States under Decision 2008/615/JHA which are technically available, unless that Member State can justify that there are reasonable grounds to believe that it would not lead to the establishment of the identity of the data subject. Such reasonable grounds exist, in particular, where the specific case does not present any operational or investigative link to a given Member State. That condition requires the prior legal and technical implementation of Decision 2008/615/JHA by the requesting Member State in the area of fingerprint data, as it should not be permitted to conduct a Eurodac check for law enforcement purposes where the requirements for meeting that condition have not been fulfilled. In addition to the prior check of the databases, designated authorities should also be able to conduct a simultaneous check in the VIS, provided that the conditions for a comparison with the data stored therein, as laid down in Council Decision 2008/633/JHACouncil Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (OJ L 218, 13.8.2008, p. 129)., have been met.(75)For the purposes of the efficient comparison and exchange of personal data, Member States should fully implement and make use of existing international agreements and of Union law concerning the exchange of personal data already in force, in particular Decision 2008/615/JHA.(76)While the non-contractual liability of the Union in connection with the operation of Eurodac is governed by the relevant provisions of the Treaty on the Functioning of the European Union (TFEU), it is necessary to lay down specific rules for the non-contractual liability of the Member States in connection with the operation of Eurodac.(77)Regulation (EU) 2016/679 applies to the processing of personal data by Member States carried out in application of this Regulation unless such processing is carried out by the designated or verifying competent authorities of the Member States for the purposes of the prevention, investigation, detection or prosecution of terrorist offences or of other serious criminal offences, including safeguarding against, and the prevention of, threats to public security.(78)National rules adopted pursuant to Directive (EU) 2016/680 of the European Parliament and of the CouncilDirective (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89). apply to the processing of personal data by competent authorities of the Member States for the purposes of the prevention, investigation, detection or prosecution of terrorist offences or of other serious criminal offences pursuant to this Regulation.(79)Regulation (EU) 2016/794 applies to the processing of personal data by Europol for the purposes of the prevention, investigation or detection of terrorist offences or of other serious criminal offences pursuant to this Regulation.(80)The rules set out in Regulation (EU) 2016/679 regarding the protection of the rights and freedoms of individuals, in particular their right to the protection of personal data concerning them, should be specified in this Regulation with regard to the responsibility for the processing of the data, safeguarding the rights of data subjects and supervising data protection, in particular as far as certain sectors are concerned.(81)A person’s right to privacy and to data protection should be safeguarded in accordance with this Regulation at all times, both with regard to access by the Member States’ authorities and by the Union’s authorised agencies to Eurodac.(82)Data subjects should have the right of access to, and rectification and erasure of, personal data concerning them and the right of restriction of the processing thereof. Taking into account the purposes for which the data are processed, data subjects should have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Those rights should be exercised pursuant to Regulation (EU) 2016/679 and in accordance with the procedures set out in this Regulation, Directive (EU) 2016/680 and Regulation (EU) 2016/794 as regards the processing of personal data for law enforcement purposes pursuant to this Regulation. In relation to the processing of personal data in Eurodac by national authorities, each Member State, for reasons of legal certainty and transparency, should designate the authority which is to be considered as controller in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 and which should have central responsibility for the processing of data by that Member State. Each Member State should communicate the details of that authority to the Commission.(83)It is also important that factually incorrect data recorded in Eurodac be rectified in order to ensure that statistics produced in accordance with this Regulation are accurate.(84)Transfers of personal data obtained by a Member State or Europol pursuant to this Regulation from Eurodac to any third country or international organisation or private entity established in or outside the Union should be prohibited in order to ensure the right to asylum and to safeguard persons whose data are processed under this Regulation from having their data disclosed to a third country. That implies that Member States should not transfer information obtained from Eurodac concerning: the name(s); date of birth; nationality; the Member State(s) of origin, Member State of relocation or Member State of resettlement; the details of the identity or travel document; the place and date of resettlement or of the application for international protection; the reference number used by the Member State of origin; the date on which the biometric data were taken and the date on which the Member State(s) transmitted the data to Eurodac; the operator user ID; and any information relating to any transfer of the data subject under Regulation (EU) 2024/1351. That prohibition should be without prejudice to the right of Member States to transfer such data to third countries to which Regulation (EU) 2024/1351 applies, in accordance with Regulation (EU) 2016/679 and with the national rules adopted pursuant to Directive (EU) 2016/680, in order to ensure that Member States have the possibility of cooperating with such third countries for the purposes of this Regulation.(85)By way of derogation from the rule that no personal data obtained by a Member State pursuant to this Regulation should be transferred or made available to any third country, it should be possible to transfer such personal data to a third country where such a transfer is subject to strict conditions and is necessary in individual cases in order to assist with the identification of a third-country national in relation to his or her return. The transfer of any personal data should be subject to strict conditions. Where such personal data are transferred, information relating to the fact that an application for international protection has been made by that third-country national should not be disclosed to a third-country. The transfer of any personal data to third countries should be carried out in accordance with Regulation (EU) 2016/679 and be conducted with the agreement of the Member State of origin. Third countries of return are often not subject to adequacy decisions adopted by the Commission under Regulation (EU) 2016/679. Furthermore, the extensive efforts of the Union in cooperating with the main countries of origin of illegally staying third-country nationals subject to an obligation to return have not ensured the systematic fulfilment by such third countries of the obligation established by international law to readmit their own nationals. Readmission agreements, concluded or being negotiated by the Union or the Member States and providing for appropriate safeguards for the transfer of data to third countries pursuant to Article 46 of Regulation (EU) 2016/679, cover a limited number of such third countries and the conclusion of new readmission agreements remains uncertain. In such situations, and as an exception to the requirement of an adequacy decision or appropriate safeguards, the transfer of personal data to third-country authorities pursuant to this Regulation should be allowed for the purpose of implementing the return policy of the Union, and it should be possible to use the derogation provided for in Regulation (EU) 2016/679, provided that the conditions laid down in that Regulation are met. The implementation of Regulation (EU) 2016/679, including with regard to transfers of personal data to third countries pursuant to this Regulation, is subject to monitoring by the national independent supervisory authority. Regulation (EU) 2016/679 applies with regard to the responsibility of the Member States’ authorities as controllers within the meaning of that Regulation.(86)Regulation (EU) 2018/1725 of the European Parliament and of the CouncilRegulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)., and in particular Article 33 thereof concerning the confidentiality and security of processing, applies to the processing of personal data by Union institutions, bodies, offices and agencies carried out in the application of this Regulation, without prejudice to Regulation (EU) 2016/794, which should apply to the processing of personal data by Europol. However, certain points should be clarified in respect of the responsibility for the processing of data and of the supervision of data protection, bearing in mind that data protection is a key factor in the successful operation of Eurodac and that data security, high technical quality and the lawfulness of consultations are essential to ensure the smooth and proper functioning of Eurodac and to facilitate the application of Regulations (EU) 2024/1351 and (EU) 2024/1350.(87)The data subject should be informed in particular of the purpose for which his or her data will be processed within Eurodac, including a description of the aims of Regulations (EU) 2024/1351 and (EU) 2024/1350, and of the use to which law enforcement authorities may put his or her data.(88)It is appropriate that national supervisory authorities established in accordance with Regulation (EU) 2016/679 monitor the lawfulness of the processing of personal data by the Member States, while the European Data Protection Supervisor, established by Regulation (EU) 2018/1725, monitors the activities of the Union institutions, bodies, offices and agencies in relation to the processing of personal data carried out in the application of this Regulation. Those supervisory authorities and the European Data Protection Supervisor should cooperate with each other in the monitoring of the processing of personal data, including in the context of the Coordinated Supervision Committee established within the framework of the European Data Protection Board.(89)Member States, the European Parliament, the Council and the Commission should ensure that the national supervisory authorities and the European Data Protection Supervisor are able to supervise the use of and access to Eurodac data adequately.(90)It is appropriate to monitor and evaluate the performance of Eurodac at regular intervals, including in terms of whether the access for law enforcement purposes has led to indirect discrimination against applicants for international protection, as raised in the Commission’s evaluation of the compliance of this Regulation with the Charter. eu-LISA should submit an annual report on the activities of Eurodac to the European Parliament and to the Council.(91)Member States should provide for a system of effective, proportionate and dissuasive penalties to sanction the unlawful processing of data recorded in Eurodac contrary to its purpose.(92)It is necessary that Member States be informed of the status of particular asylum procedures, with a view to facilitating the adequate application of Regulation (EU) 2024/1351.(93)This Regulation should be without prejudice to the application of Directive 2004/38/EC of the European Parliament and of the CouncilDirective 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77)..(94)This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter. In particular, this Regulation seeks to ensure full respect for the protection of personal data and for the right to seek international protection, and to promote the application of Articles 8 and 18 of the Charter. This Regulation should therefore be applied accordingly.(95)The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 and delivered opinions on 21 September 2016 and on 30 November 2020.(96)Since the objective of this Regulation, namely the creation of a system for the comparison of biometric data to assist the implementation of Union asylum and migration policy, cannot, by its very nature, be sufficiently achieved by the Member States, but can rather be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.(97)It is appropriate to restrict the territorial scope of this Regulation so as to align it to the territorial scope of Regulation (EU) 2024/1351, with the exception of the provisions related to data collected to assist with the application of Regulation (EU) 2024/1350 under the conditions set out in this Regulation,(98)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.(99)In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application,HAVE ADOPTED THIS REGULATION: