In line with Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 (the Europol Regulation), the EDPS has the task of supervising the lawfulness of personal data processing by Europol as of 1 May 2017.
Europol is an EU body which actively cooperates with the law enforcement authorities of the EU Member States to combat serious international crime and terrorism. Europol also works with many non-EU partner States and international organisations, particularly regarding the fight against terrorism, cybercrime and people smuggling.
The Europol Regulation applies to the processing of operational data, namely data processed by Europol to support the Member States in preventing and combating serious crime and terrorism.
The Europol Regulation provides any individual with the right to obtain information (Art. 36) on whether or not personal data relating to him or her are processed by Europol, to ask for rectification, erasure and restriction (Art. 37) of such data and, more in general, that his or her data are processed in accordance with data protection principles (Art. 28), notably in a fairly and lawful way.
At the same time, the Europol Regulation further reinforces police cooperation in criminal matters in the area of Freedom, Security and Justice (AFSJ).
Taking over the data protection supervision of Europol, the EDPS - in full synergy and cooperation with national supervisory authorities - will ensure that the right balance is found between data protection rights and the key public interest of security.
The EDPS is committed to exercise our supervisory role, reinforcing safeguards in a practical and modern way in line with the new challenges for law enforcement.
To perform this supervision work, the EDPS takes on different duties, also taking into account the cross-border dimension (at European and international level) of the data processing:
- One of the tools laid down under Europol Regulation to ensure compliance are Inspections, to be carried out by the EDPS in cooperation with national supervisory authorities.
- The EDPS advises Europol, either on our own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular when it draws up internal rules or administrative measures relating to the protection of fundamental rights and freedoms with regard to the processing of personal data or with reference to the transfer and exchange of personal data.
- Where new types of processing operations by Europol (due in particular to the categories of data involved or the use of new technologies or procedures) present specific risks to individuals, these processing operations need to be submitted to the EDPS for prior consultation. Based on the facts submitted by Europol, the EDPS will examine the processing of personal data in relation to the data protection safeguards laid down under Europol Regulation and with all relevant data protection principles and rules. In most cases, this exercise leads to a set of recommendations that the controller has to implement so as to ensure compliance with data protection rules.
- The EDPS hears and investigates complaints from individuals who consider that their personal data have been mishandled by Europol. If a complaint is admissible, the EDPS carries out an inquiry. In cases relating to data originating from one or more Member States, the EDPS will consult the national supervisory authority of the Member State concerned. The EDPS then adopts a decision which is communicated to the complainant.
- The EDPS may carry out inquiries for the monitoring of compliance with reference to a specific topic, either as a follow up to a complaint or on our own initiative, for example on the basis on the information Europol has to provide to the EDPS under the Europol Regulation (about new operational analysis projects, data stored for over 5 years, certain transfers to third countries or international organisations, etc.).
- Europol has a specific duty to report operational data breaches to the EDPS, as well as to the competent authorities of Member States, without undue delay. Operational data are data processed by Europol in the framework of their core business of supporting Member States in preventing and combating cross-border crime and terrorism. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, Europol must also inform the individuals concerned without unnecessary delay. Europol must ensure that they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. They must also ensure that when they identify a personal data breach, they are able to respond effectively to mitigate the negative effects of the breach on the individuals whose data has been compromised. Europol must document operational data breaches, including all details about the breach, and the DPO must keep a register of all personal data breaches. For administrative data, Europol is subject to the same rules as the other EU institutions under Regulation 2018/1275.
As mentioned, an essential aspect of this supervision is the cooperation with national supervisory authorities, in particular within the newly established Europol Cooperation Board, a forum with advisory function for discussion of common issues, working together to develop guidelines and best practices, for example.
In order to monitor compliance with the Europol Regulation, the EDPS cooperates with the Data Protection Officer (DPO) appointed in Europol.
As part of its annual report, the EDPS will publish a summary of its supervisory activities on Europol including information on complaints, inquiries, inspections, transfers of personal data to third countries and international organisations, as well as prior consultations.
The EDPS is also accountable for our supervisory activities before the Joint Parliamentary Scrutiny Group (JPSG), composed of representatives of the European and of national Parliament, established under the Europol Regulation.
Archived website of the former Joint Supervisory Body of Europol.
Regulation 2018/1725 applies to Europol's processing of administrative data, which includes data on staff and visitors, for example.
EDPS Decision on the own initiative inquiry on Europol’s big data challenge.