What are the steps for travelers to request deletion of EU biometric data?
Executive summary
Travelers who want their biometric data erased from the EU’s new Entry/Exit System (EES) must use the EU’s existing data‑protection framework: invoke the GDPR right to erasure (Article 17), identify and contact the correct data controller or data protection officer in the Member State that processed their record, and — if necessary — escalate to supervisory authorities (national DPAs or the EDPS) when deletion is refused or delayed [1] [2]. The practical reality is shaped by EES rules (mandatory collection, typical retention periods) and lawful‑basis limits that can mean deletion requests are rejected or subject to exemptions [3] [4] [5].
1. Know the legal leverage: the GDPR’s “right to erasure” and its limits
The core legal tool is Article 17 of the GDPR: a data subject “shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay” where grounds such as data no longer being necessary or unlawful processing apply, but the right is not absolute and exceptions exist where other lawful bases or overriding public‑interest grounds apply [1]; guidance from national data protection authorities reiterates that controllers must evaluate requests and that some lawful processing (e.g., public security, border control obligations) can override erasure claims [6] [5].
2. Identify who to contact: controllers, DPOs and eu‑LISA
Practical deletion begins by identifying the responsible data controller: EES is operated centrally by eu‑LISA but national border authorities are typically the first point of contact for a traveler’s record, and the EU guidance explicitly instructs travelers to contact the data controller or data protection officer of the Member State where they were processed — preferably the country where they travelled [2] [4]. Official portals maintained by the EU and national DPAs list contact points; travellers should ask for the name of the controller, the DPO contact and the EES reference for their file.
3. Make a clear, documented erasure request: what to include and how to send it
A deletion request should be written, identify the requester unambiguously (passport/details), cite Article 17 (right to erasure) and explain the grounds (e.g., data outdated, unlawfully processed, no longer necessary), and request information about recipients of the data and confirmation that backups and copies will be deleted or marked — the controller must inform other controllers where appropriate [1] [6]. Use traceable channels (email with read receipt or registered post) and keep copies of all correspondence; EU guidance and travel guides stress contacting staffed lanes or border counters immediately if the issue arises at arrival, since kiosks and officers are the operational points that hold or finish registration records [7] [4].
4. Expect operational realities: retention windows, mandatory collection and backup copies
Travelers must factor in that EES is mandatory for third‑country nationals and that refusal to provide biometrics can lead to denial of entry, while EES records are maintained for security and immigration purposes with typical retention—reported in press coverage—around three years in common cases [3] [8]. UK and EU operators note that biometric templates feed shared matching services and other systems (sBMS, VIS, Europol links), which complicates deletion because controllers must take reasonable steps to inform other controllers and remove copies in backups where no exemption applies [9] [2] [6].
5. If deleted is refused: complaints, appeals and supervisory oversight
When a controller refuses or fails to act “without undue delay,” the GDPR gives the right to lodge a complaint with the relevant national supervisory authority—each Member State’s DPA—or, for agency processing, the European Data Protection Supervisor (EDPS); EU materials point travelers to national DPA contacts and note that independent regulators will monitor compliance [2] [10]. Legal routes and specialist legal assistance are available in complex cases involving systems like Europol or VIS, and practitioners advertise services to challenge or negotiate deletions where cross‑system sharing creates obstacles [11].
Bottom line: an enforceable right that intersects operational and security constraints
The pathway to deletion is clear on paper—contact the responsible controller/DPO, cite Article 17, document the request, and escalate to the national DPA or EDPS if necessary—but the practical outcome depends on EES’s security purposes, statutory retention rules, and linked systems that may lawfully block erasure in many cases; sources outline both the procedure and the friction travelers should expect when seeking deletion [1] [2] [3].