In line with Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 (the Europol Regulation), the EDPS - the independent EU data protection authority - has been tasked with supervising the lawfulness of personal data processing by Europol since 1 May 2017.
Europol is the EU body actively cooperating with law enforcement authorities of the EU Member States to combat serious international crime and terrorism. Europol also works with many non-EU partner States and international organizations, in particular in the fight against terrorism, cybercrime and people smuggling.
The Europol Regulation gives any individual the right to obtain information (Art. 36) on whether or not personal data relating to him or her are processed by Europol, to ask for rectification, erasure and restriction (Art. 37) of such data and, more generally, to have his or her data processed in accordance with data protection principles (Art. 28), notably in a fair and lawful way.
At the same time, the Europol Regulation further reinforces police cooperation in criminal matters in the area of Freedom, Security and Justice (AFSJ).
Taking over the data protection supervision of Europol, the EDPS - in full synergy and cooperation with national supervisory authorities - will ensure that the right balance is found between data protection rights and the key public interest of security.
The EDPS is committed to exercising his supervisory role, reinforcing safeguards in a practical and modern way in line with the new challenges for law enforcement.
To perform this supervision work, the EDPS carries out different duties, also taking into account the cross-border dimension (at European and international level) of the data processing:
- One of the tools laid down under the Europol Regulation to ensure compliance is inspections, to be carried out by the EDPS in cooperation with national supervisory authorities.
- The EDPS advises Europol, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular when it draws up internal rules or administrative measures relating to the protection of fundamental rights and freedoms with regard to the processing of personal data or with reference to the transfer and exchange of personal data.
- Where new types of processing operations by Europol (due in particular to the categories of data involved or the use of new technologies or procedures) present specific risks to individuals, these processing operations need to be submitted to the EDPS for prior consultation. Based on the facts submitted by Europol, the EDPS will examine the processing of personal data in relation to the data protection safeguards laid down under the Europol Regulation and all relevant data protection principles and rules. In most cases, this exercise leads to a set of recommendations that the controller has to implement so as to ensure compliance with data protection rules.
- The EDPS hears and investigates complaints from individuals who consider that their personal data have been mishandled by Europol. If a complaint is admissible, the EDPS carries out an inquiry. In cases relating to data originating from one or more Member States, the EDPS will consult the national supervisory authority or the Member State concerned. The EDPS then adopts a decision which is communicated to the complainant.
- Either as a follow-up to a complaint or on his or her own initiative, for example on the basis of the information Europol has to provide to the EDPS under the Europol Regulation (about new operational analysis projects, data stored for more than 5 years, certain transfers to third countries or international organisations, etc.), the EDPS may carry out inquiries to monitor compliance with reference to a specific topic.
- Europol has a specific duty to report operational data breaches to the EDPS, as well as to the competent authorities of Member States, without undue delay. Operational data are data processed by Europol in the framework of their core business of supporting Member States in preventing and combating cross-border crime and terrorism. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, Europol must also inform the individuals concerned without unnecessary delay. Europol must ensure that they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. They must also ensure that when they identify a personal data breach, they are able to respond effectively to mitigate the negative effects of the breach on the individuals whose data has been compromised. Europol must document operational data breaches, including all details about the breach, and the DPO must keep a register of all personal data breaches. For administrative data, such as staff data for example, Europol is subject to the same rules as the other EU institutions under Regulation 2018/1275.
As mentioned, an essential aspect of this supervision is the cooperation with national supervisory authorities, in particular within the newly established Europol Cooperation Board, a forum with advisory function for discussion of common issues, working together to develop, for instance, guidelines and best practices.
In order to monitor compliance with the Europol Regulation, the EDPS cooperates with the Data Protection Officer (DPO) appointed in Europol.
As part of the annual report, the EDPS will publish an annual report on the supervisory activities regarding Europol, including information on complaints, inquiries, inspections, transfers of personal data to third countries and international organizations, as well as prior consultations.
The EDPS is also accountable, for his or her supervision activity, before the Joint Parliamentary Scrutiny Group (JPSG), composed of representatives of the European Parliament and of national parliaments, established under the Europol Regulation.
Archived website of the former Joint Supervisory Body of Europol.