The centrepiece of legislation is the Europol Regulation (ER). It has particular focus on operational personal data, i.e. all personal data processed for the purpose of meeting the objectives of the Agency. Additionally, Europol applies Regulation (EU) 45/2001 to administrative personal data.

Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol).

Europol Regulation, art. 46.

Europol’s data protection legal framework is based on the principles contained in Convention 108 of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as on the Council of Europe Committee of Ministers Recommendation No R (87) 15 regulating the use of personal data in the police sector.

In particular, the ER is inspired by the Data Protection Directive for the police and criminal justice sector which was legislated in one package together with the General Data Protection Regulation (GDPR).

Directive (EU) 2016/680.

Regulation (EU) 2016/679.

One of the main rationales of Europol’s data protection regime is that personal data can only be processed if allowed by law. To ensure legal clarity and reliability in the sensitive area of law enforcement, the rules governing the processing of personal data have to be unequivocal and definitive.

The foundation for achieving this aim is clear terminology. Taking this into account, the Europol Regulation makes use of definitions that are common in the world of data protection.

So, what exactly is personal data? What is implied by the term processing?