To improve Europol's effectiveness in providing accurate crime analysis to the competent authorities of the Member States, the legislator determined that the organisation should use new technologies to process data. Europol should be able to swiftly detect links between investigations and common modi operandi across different criminal groups, to check cross-matches of data and to have a clear overview of trends, while guaranteeing a high level of protection of personal data for individuals. Therefore, Europol databases should be structured in such a way as to allow Europol to choose the most efficient IT structure.
Recital 24 ER.
A core element of the ER is the introduction of an Integrated Data Management Concept (IDMC). The idea is to move away from specifically described systems towards defined purposes of processing operations which can be implemented in a technology-neutral manner. The concept is based on general data protection principles and specifically defined safeguards such as time-limits for storage of information, prior consultation and implementation of data protection by design as well as logging and documentation requirements.
See chapter VI ER.
Integrated data management can be defined as the possibility, deriving from the ER, to use crime-related information for multiple business purposes as indicated by the data owner, allowing for its management and processing in an integrated, technology-neutral manner. In this, it differs from previous legal frameworks that were system-centric in terms of data processing.
The IDMC hence grants Europol a certain degree of flexibility on how to technically design and implement its processing environment subject to full compliance with general data protection principles and safeguards.
The ultimate decision on whether or not a new type of processing operation on personal data is deemed necessary and proportionate does not lie with Europol but with the European Data Protection Supervisor (EDPS) - Europol’s competent external data protection supervisory authority.
See, for instance, Articles 39, 43 ER.
Europol may process personal data only for the purposes of:
(a) cross-checking aimed at identifying connections or other relevant links between information related to:
(b) analyses of a strategic or thematic nature;
(c) operational analyses;
(d) facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organisations.