What legal basis do EU member states use to process non-EU travelers' fingerprints and facial images in the EES?
Executive summary
EU member states collect fingerprints and facial images from non‑EU (third‑country) travellers under the Entry/Exit System (EES), a regulation that requires biometric enrolment at first crossing (four fingerprints and a facial image for most adults) and stores records centrally for typically three years (longer if no exit is recorded) [1] [2]. The legal basis is the EES regulatory framework and related EU instruments that oblige member states to implement enrolment and operational milestones managed by eu‑LISA; member states must follow the EES Regulation and interoperability rules referenced in EU legislation [3] [4] [5].
1. What law requires biometric enrolment at the border — and who runs it
The compulsory collection of fingerprints and facial images for short‑stay, non‑EU travellers flows from the Entry/Exit System regulation (EES) and associated EU acts that set up large‑scale IT systems and data‑sharing rules. The EES is an EU regulation that establishes what data are to be collected, how it is stored and for how long; the system is operated by the EU agency eu‑LISA and connects to other EU databases to verify identity and prevent fraud [3] [2] [4].
2. What exactly member states must collect and when
Under the EES regime member states collect a passport scan, a facial image and fingerprints on the traveller’s first crossing into the Schengen area; subsequent crossings in many cases require only a passport scan to match the stored biometrics (enrolment occurs at first entry) [4] [6] [1]. Most reporting cites four fingerprints plus a facial photograph for adults, with a fingerprint exemption for children under a defined age in some rules [1] [2].
3. Retention, purpose and legal framing in the regulation
The EES sets retention periods and purposes: most EES records are retained three years, and if an exit is not recorded a file can be kept up to five years from the end of the authorised stay — retention and processing are presented as tools to track overstays, improve identification and reduce identity fraud [2] [1]. Those retention and interoperability parameters are embedded in the EES and neighbouring EU legal acts cited on EUR‑Lex and in implementation agreements [3].
4. How member states justify processing under EU law
Member states rely on the EES Regulation as the direct legal basis for collecting and processing biometric and identity data at external borders: the Regulation obliges Member States to implement systems to register and verify identity by collecting fingerprints and facial biometrics for third‑country nationals and defines operational milestones and minimum coverage during rollout [7] [5]. Implementation detail and phased milestones were agreed by interior ministers and EU institutions to allow gradual technical roll‑out [5].
5. Implementation timeline and national variation
The EES launch has been phased: EU ministers approved gradual implementation milestones; member states can vary in speed and may deploy enrolment in stages (e.g., a period where not all crossings register biometrics, then minimum coverage targets after months) [5]. Reports record an October 2025 phased rollout with full operation expected by April 2026, but member states retain discretion over practical deployment and temporary suspensions in exceptional circumstances [6] [1].
6. Data‑protection context and competing perspectives
EU authorities frame the EES as enhancing security and efficient immigration control by reducing identity fraud and tracking overstays [4] [2]. Privacy and civil‑liberties concerns are implied in coverage of delays, the technical risk of biometric systems and legal safeguards: EU data‑protection bodies and guidance on facial recognition stress that biometric processing requires a solid legal basis and protective measures — the EES provides the legal basis, but independent sources note debates over automated recognition, accuracy and safeguards [8] [4]. Exact disputes or legal challenges are not detailed in the provided sources; available sources do not mention litigation outcomes or specific court rulings.
7. What is not addressed in current reporting
Sources here document the EES regulation, operational agency and rollout timing, and basic retention rules, but they do not provide exhaustive legal texts of every provision, national implementing acts, or the full set of data‑protection impact assessments for each member state — those documents are not included in the provided reporting [3] [6]. Available sources do not mention country‑by‑country legal instruments transposing operational steps or any specific judicial reviews against EES in national courts.
Conclusion — the legal basis for member states to process non‑EU travellers’ fingerprints and facial images is the EES regulation and linked EU legislation establishing large‑scale IT systems and retention/processing rules; eu‑LISA operates the system and member states implement enrolment under the obligations and phased milestones set out by the EU [3] [4] [5].