In the EU, different measures have been adopted with regard to the storage and exchange of personal data of third-country nationals for external border controls. Large-scale databases and risk assessment are used to facilitate the entry of those considered as ‘bona fide travelers’ and to identify those considered as a risk of irregular migration or security threat. The purposes of existing databases have been gradually extended, blurring the line between the objectives of immigration control and security and law enforcement. Emphasizing the non-discriminatory approach of data protection and applying criteria from the case-law of the Court of Justice of the European Union (CJEU), this contribution questions the legitimacy of these measures from the perspective of the principles of necessity and proportionality, purpose limitation, and the prohibition of automated-decision making.