In its Opinion published today on the European Commission’s Proposal for a Directive on recovery and confiscation of assets, the EDPS recognises that processing personal data in this context is liable to have a significant impact on the individuals concerned and constitutes an interference with individuals’ rights guaranteed by the EU Charter of Fundamental Rights, including the right to data protection. The EDPS therefore welcomes the fact that the Proposal explicitly underlines the particular importance that the protection of personal data, according to EU law, is ensured.
The Proposal aims to help EU Member States’ competent authorities to identify, freeze, manage, and confiscate assets obtained through criminal activities by organised crime groups. To achieve this, the Proposal aims to facilitate cooperation between relevant authorities involved in the ceasing of these assets.
Wojciech Wiewiórowski, EDPS, said: “While I support the objectives of the Proposal, which will contribute to combatting organised crime across the EU, its potentially significant impact on the individuals concerned is undeniable. Therefore, the European Parliament and the Council must ensure that the limitations to the right to data protection apply only in so far as is strictly necessary, and that robust data protection safeguards are present”.
In particular, the EDPS doubts whether certain special categories of personal data including, for example, DNA data, behavioural data, fingerprint data, dental information, would actually be relevant in the particular context of asset recovery and confiscation, and whether this data should be available for cross-border exchange between EU Member States’ asset recovery offices.
As a directive, this Proposal, when adopted, will have to be transposed by the EU Member States into national law. In this regard, the EDPS advises that national legislation transposing the Directive should identify the competent authority, or authorities, that will be responsible for the management of the registry of the frozen or confiscated assets.
Regarding the envisaged cooperation between EU Member States’ asset recovery offices and Europol, Eurojust, and the European Public Prosecutor Office (EPPO), the EDPS highlights that any exchanges of personal data must be carried out in full respect of the relevant rules on the processing of personal data laid down in the legal acts establishing the aforementioned EU Agencies.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.