The purpose of operational analysis is to support criminal investigations and criminal intelligence operations through all methods and techniques by which information is collected, stored, processed and assessed. From a data protection perspective this is the most interesting but also most intrusive processing operation – which is why the strongest data protection safeguards apply.

Operational analysis may be performed on suspects, convicted persons and potential future criminals but where necessary also on contacts and associates. Furthermore, only if it is strictly necessary and proportionate, personal data relating to witnesses, victims, informants and minors can also be included.

Article 30(1) ER.

The processing of personal data, by automated or other means, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and processing of genetic data or data concerning a person's health or sex life is even prohibited, unless it is strictly necessary and proportionate for preventing or combating crime that falls within Europol's objectives and if those data supplement other personal data processed by Europol. The selection of a particular group of persons solely on the basis of such personal data is not allowed.

Article 30(2) ER

But how does all of this work in practice? And how would a Europol analyst know if something is considered necessary – or even strictly necessary – for the purpose of a particular analysis project? The answer lies in the fact that such more intrusive processing operations with particular focus on individuals may only be performed within so-called operational analysis projects (APs):

For every AP, the Executive Director of Europol shall define the specific purpose, categories of personal data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use of the data concerned, and shall inform the Management Board (MB) and the EDPS thereof. This happens by means of an Analysis Project Portfolio including specifically defined data category tables for all operational analysis projects at Europol.

Personal data may only be collected and processed for the purpose of the specified operational analysis project. Where it becomes apparent that personal data may be relevant for another operational analysis project, further processing of that personal data shall only be permitted insofar as such further processing is necessary and proportionate and the personal data are compatible with data category tables that apply to the other analysis project.

Only authorised staff may access and process the data of the relevant project.

Article 18(3) ER.

In order for the APs to function and allow for efficient analysis, the data in the files must be thoroughly checked: high quality information respectively generates high quality analysis. Law enforcement authorities have to be able to rely on the information provided by Europol to be correct and valid. As a result, Europol may only process data if accurate and up to date. After an initial check when inputting the data, regular reviews take place to ensure that the data continue to fulfil these requirements. Also regular compliance checks for the purpose of verifying the lawfulness of data processing and ensuring proper data integrity and security contribute to ensuring highest data protection standards.

Articles 28 f., 40 ER.