// 5.1. DATA PROTECTION OFFICER – A PROVIDER OF INDEPENDENT ASSURANCE

The Data Protection Officer (DPO) is a staff member appointed by the Management Board. The main task of the staff member is to provide objective assurance and independent guidance, which is designed to add value and to improve Europol’s data processing operations. The DPO has to ensure that the processing of personal data by Europol, including personal data relating to staff members, is done in a way that is compliant with the organisation’s data protection legal framework.

In the performance of his tasks, the DPO acts independently and shall not receive any instructions. The Data Protection Function (DPF), next to the Head of Unit, includes a Senior Specialist, three Specialists, one contract agent and an Administrative Assistant. The skillset of the DPF comprises legal expertise as well as professional knowledge in the area of information security and confidentiality, computer sciences, digital forensics, cybercrime investigation and crime analysis.

Article 41(1), (5) ER.

The DPF is an integral part of Europol and the initial point of contact for all data protection issues.

The independence of the DPO concerns his professional judgment. This facilitates providing advice as an assurance provider which serves as a basis for decisions made by management to implement effective data protection safeguards.

To enable the DPO to fulfil his tasks he has the right to access all the data processed by Europol and all Europol premises. An escalation procedure known as ultima ratio, which involves the Executive Director of Europol, the MB and the EDPS, lends power to this model of functional independence.

It is important to note that the role of the DPO is of an advisory nature, as it is in other European agencies and institutions. The responsibility for compliance with the legal framework of data protection lies with the controller of the single data processing operation.

The core tasks of the DPO include:

a) ensuring, in an independent manner, the internal application of this Regulation concerning the processing of personal data;

b) ensuring that a record of the transfer and receipt of personal data is kept in accordance with the ER;

c) ensuring that data subjects are informed of their rights under this Regulation at their request;

d) cooperating with Europol staff responsible for procedures, training and advice on data processing;

e) cooperating with the EDPS;

f) preparing an annual report and communicating that report to the MB and to the EDPS;

g) keeping a register of personal data breaches.

Also, the handling of data subject access requests in practice constitutes an important aspect of the daily work of the DPF. A decision on the provision of data is in each case reached in close cooperation with the relevant Europol officials and the Member State(s) which provided the data. The provision of information in response to any request may only be refused or restricted if such refusal or restriction constitutes a measure that is necessary in order to enable Europol to fulfil its tasks properly, protect security and public order or prevent crime, guarantee that any national investigation will not be jeopardised or to protect the rights and freedoms of third parties. When the applicability of an exemption is assessed, the fundamental rights and interests of the data subject shall be taken into account.

See Articles 36, 39 ER.

The DPO also plays an important role in supporting data controllers in the preparation of data protection impact assessments. In fact, Europol is probably one of the first entities to have already established and documented the respective process, according to which the data controller brings to the attention of the DPF all initiatives that entail the processing of personal data. This process is designed in a way which reduces the impact on Europol’s development lifecycle to the necessary minimum. By requiring the cross-reference of already existing relevant documentation, the chosen approach avoids bureaucratic duplication of efforts and at the same time provides a comprehensive overview of the envisaged processing operation and its data protection implications for scrutiny by the external data protection supervisory authority whenever this is legally required or deemed helpful. Additionally, the DPF provides training and awareness sessions for the organisation.