While the DPO is an integral part of Europol, the European Data Protection Supervisor (EDPS) is tasked with “externally” supervising the EU law enforcement agency.
// 5.2. EXTERNAL SUPERVISION BY THE EDPS
The EDPS is responsible for monitoring and ensuring the application of the provisions of the Europol Regulation relating to the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of personal data.
The EDPS has the following duties:
(a) hearing and investigating complaints, and informing the data subject of the outcome within a reasonable period;
(b) conducting inquiries either on his or her own initiative or on the basis of a complaint, and informing the data subject of the outcome within a reasonable period;
(c) monitoring and ensuring the application of the ER and any other Union act relating to the protection of natural persons with regard to the processing of personal data by Europol;
(d) advising Europol, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular before it draws up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal data;
(e) keeping a register of new types of processing operations notified to him or her by virtue of Article 39(1) and registered in accordance with Article 39(4) ER;
(f) carrying out a prior consultation on processing notified to him or her.
In order to fulfil these duties, the EDPS has full enforcement rights in the sense that he or she may:
(a) give advice to data subjects on the exercise of their rights;
(b) refer a matter to Europol in the event of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;
(c) order that requests to exercise certain rights in relation to data be complied with where such requests have been refused in breach of Articles 36 and 37 ER;
(d) warn or admonish Europol;
(e) order Europol to carry out the rectification, restriction, erasure or destruction of personal data which have been processed in breach of the provisions governing the processing of personal data and to notify such actions to third parties to whom such data have been disclosed;
(f) impose a temporary or definitive ban on processing operations by Europol which are in breach of the provisions governing the processing of personal data;
(g) refer a matter to Europol and, if necessary, to the European Parliament, the Council and the Commission;
(h) refer a matter to the Court of Justice of the European Union under the conditions provided for in the TFEU;
(i) intervene in actions brought before the Court of Justice of the European Union.
In particular, the processing ban referred to in point (f) above grants the EDPS an instrument which has been described as “the right to pull the plug”, given that it constitutes a very efficient and powerful measure to address any non-compliant processing operations.
Ellermann, Terror won’t kill the privacy star – tackling terrorism propaganda online in a data protection compliant manner, chapter 5, in: ERA Forum, DOI 10.1007/s12027-016-0446-z.
Furthermore, the EDPS has the power to obtain from Europol access to all personal data and to all information necessary for his or her enquiries, as well as to obtain access to any premises in which Europol carries on its activities when there are reasonable grounds for presuming that an activity covered by the ER is being carried out there.