Legal & Data Protection

The European Union Agency for Asylum (hereinafter ‘the EUAA’ or ‘the Agency’) is committed to protecting your privacy. The EUAA collects and further processes personal data pursuant to Regulation (EU) 2018/17251 (hereinafter ‘the EUDPR’).

This Data Protection Notice explains inter alia the reasons for the processing of your personal data, the way we collect, handle and ensure protection of your personal data and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, as well as of the Data Protection Officer (DPO) and the European Data Protection Supervisor (EDPS) to which you may have recourse as well to exercise the said rights.

Why and how do we process your personal data?

Your personal data are processed to facilitate the operation of the Referral Tool developed by the EUAA. The EUAA Referral Tool is meant to be used by the staff working in asylum and reception to facilitate the referral of applicants with special needs to adequate support. The referral of these cases is key to prevent the worsening of the applicants’ pre-existing condition or the emergence of new risk factors or needs. Referral to adequate support should be triggered as soon as the special needs of the person are identified. The Referral Toolkit is composed of three elements:

  1. Referral Form - A template aimed at facilitating the communication between actors involved in the referral of the applicant in a vulnerable situation.
  2. Service Providers Searching Tool - A feature helping users finding services providing support to applicants in a vulnerable situation. Before becoming fully functional, this part of the tool needs to be populated with information regarding authorised service providers in a specific area or region.
  3. Guidance - It aims to direct users on how to adequately conduct a referral, outlining the necessary conditions for a referral process, providing do’s and don'ts for users, and the links to a referral mechanism

A Focal Point is any person tasked by the authority in mapping the services available in a designated territory and keep them up to date. They can operate at central level or be assigned to a certain area. 

The Focal Points play a crucial role in ensuring the Referral Toolkit is functional, accurate, and trusted in their assigned country or region. 

The EUAA Referral Tool helps the user find relevant services providers available at national/regional level in the Service Providers Searching Tool. The tool contains a list of registered service providers per Member State.

The processing is limited to managing user account data, ensuring secure access to the tool, and maintaining functionality. This means that the EUAA acts as the data controller only as far as access management, security and maintenance are concerned. Data that are completed in the referral form are never transmitted or stored on EUAA servers. The data remain entirely within the user’s browser. 

We process your personal data as follows: 

  • Information about focal points is channelled to the EUAA via email to the Referral Tool functional mailbox (referral.tool@euaa.europa.eu). This information is used to create user accounts.
  • Information about service providers is collected via the EUAA Referral Tool, access to which is provided via the EU Login. This information is used to populate the repository of service providers that is contained in the Service Providers Searching Tool. It is noted that as far as the use of EU Login is concerned, the European Commission (DIGIT) is the controller for all processing operations related to keeping an EU Login account and to the authentication itself. For more information, please refer to the EU Login Privacy Statement

On what legal ground(s) do we process your personal data?

We process your personal data on the basis of Article 13 of Regulation (EU) 2021/2303 2 (hereinafter ‘the EUAA Regulation’), because processing is necessary for promoting a correct and effective implementation of Union law on asylum.

Consequently, the processing operation is lawful under Article 5(1) point (a) of the EUDPR, given that it is necessary for the performance of the tasks that the Agency has been vested with for the purpose of fulfilling its mandate by virtue of the EUAA Regulation. Given that service providers self-register to be included in the Searching Tool, the processing is lawful also under point (d) of Article 5(1) of the EUDPR that refers to consent. 

Which personal data do we collect and further process? 

The following (categories of) personal data may be processed:

  • For individuals acting as focal points:
    • Name;
    • Surname;
    • Corporate Email Address;
    • Country where they are located.
  • For service providers:
    • (Legal entity) name of the service provider
    • Address
    • Phone-number
    • Area of expertise (target group and service provided)

In most cases, this information is not linked to an individual however, at times it may be that the name of a service provider refers directly to an individual.

How long do we keep your personal data?

Personal data of focal points are kept as long as a user is active as a focal point. In order to delete their focal point accounts, they need to contact EUAA via referral.tool@euaa.europa.eu

Information about service providers is subject to periodical reviews to ensure accuracy. A service provider can delete their information from the referral tool and independently delete their account via EU Login. Deleting the EU Login account does not automatically remove the account and the information about services in the EUAA Referral Tool.

How do we protect and safeguard your personal data?

In order to protect your personal data, the EUAA has put in place a number of technical and organizational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorized access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organizational measures include restricting access to the personal data solely to authorized persons with a legitimate need to know for the purposes of this processing operation.

It is noted that authentication data of Service Providers are  protected by Multifactor Authentication (‘MFA’) enabled via EU Login, and authentication data of the Focal Points are protected by Microsoft Entra ID with MFA. 

Who has access to your personal data and to whom are they disclosed?

The following (categories of) recipients have access to your personal data:

  • Information about the focal points is only available on a need-to-know basis to EUAA personnel working for the Asylum and Reception Cooperation and Guidance Unit (‘ARCU’) as well as to authorised personnel of the Information and Communications Technology Unit (‘ICTU’) for maintenance and troubleshooting purposes.  
  • Information about service providers is publicly available.

Do we transfer any of your personal data to third countries or international organisations (outside the EU/EEA)?

No

Does this processing involve automated decision-making, including profiling?

No

What are your rights and how can you exercise them? 

According to the EUDPR, you are entitled to access your personal data and to rectify them in case the data are inaccurate or incomplete. If your personal data are no longer needed by the EUAA or if the processing operation is unlawful, you have the right to erase your data. Under certain circumstances, such as if you contest the accuracy of the processed data or if you are not sure if your data are lawfully processed, you may ask the Data Controller to restrict the data processing. You may also object, on compelling legitimate grounds, to the processing of data relating to you. Additionally, you have the right to data portability which allows you to obtain the data that the Data Controller holds on you and to transfer it from one Data Controller to another. Where relevant and technically feasible, the EUAA will do this work for you.

Should you have any queries/questions concerning the processing of your personal data or should you wish to exercise your rights, please contact the Data Controller, the Head of the Asylum and Reception Cooperation and Guidance Unit, by sending an e-mail to referral.tool@euaa.europa.eu

You may always submit queries, remarks or complaints relating to the processing of your personal data to the Data Protection Officer (DPO) of the EUAA using the following e-mail address: dpo@euaa.europa.eu

In case of conflict, complaints can be addressed to the European Data Protection Supervisor (EDPS) using the following e-mail address: supervision@edps.europa.eu.  

Adopted: 6 November 2025

  • 1

    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39-98.

  • 2

    Regulation (EU) 2021/2303 of the European Parliament and of the Council of 15 December 2021 on the European Union Agency for Asylum and repealing Regulation (EU) No 439/2010, OJ L 468, 30.12.2021, p. 1-54.