For more information on data protection and the Data Protection Office at Europol please visit our dedicated DPO e-magazine.
Europol provides for an innovative technology-enabled inter-connected platform that connects over 500 law enforcement agencies from Europe and beyond. That platform operates through its ability to connect and collect across a large community and by applying the power of data analytics at the hub of this information at Europol Headquarters.
Evidently, the collection and processing of data, foremost personal data, are at the centre of Europol’s activities. That on its part calls for the application of the highest standards of data protection and data security. Therefore, the agency has emplaced one the most robust data protection frameworks in the world of law enforcement. This is an asset, but at the same time a responsibility as the tailor-made set of rules has to be duly applied to both the operational needs of Europol and the individual’s fundamental right to effective data protection.
In this context, the main challenge is the application of the data protection framework to the day-to-day operations of the agency. The Data Protection Function (DPF) within Europol is in the ideal position to ensure the lawfulness and compliance of data processing operations with the applicable legal framework. In addition to the assurance activities of the Data Protection Officer (DPO), there is also the supervision exercised by the European Data Protection Supervisor (EDPS).
Data Protection Function
The Data Protection Function is an integral part of Europol and the initial point of contact for all data protection issues. The unit is headed by the Data Protection Officer (DPO), who is appointed by Europol’s Management Board.
The DPF, which acts with functional independence, works closely with Europol staff, offering advice and guidance in line with best practices on the processing of personal data. With respect to the processing and exchange of data among Europol and EU Member States, the Data Protection Officer ensures that the applicable data protection rules are applied to all forms of personal data exchange.
The DPF has access to all data processed by Europol as well as all Europol premises. Its main activity is to ensure compliance with the mandate-setting legal instrument of Europol. Up until 1 May 2017, the Europol Council Decision (ECD) of 6 April 2009 defined Europol’s mandate as regards the processing of personal data, including also Europol staff data. As of 1 May 2017, the Europol Regulation (ER) repeals the ECD and subsequently reinforces the robust data protection regime applicable to Europol’s activities with respect to the processing of both operational and administrative data.
The need to reflect upon present day challenges, technological developments, and globalisation, and in ideal synchronisation with the overall EU data protection reform, has led to the modification of the legal regime at Europol. Under the Europol Regulation, the agency not only steps up its efforts to fight terrorism, cybercrime and other forms of serious and organised crime, but also increases data protection safeguards, democratic control, parliamentary scrutiny, as well as its role as the central hub for criminal intelligence and information exchange.
Additionally, in the context of its activities, Europol’s DPF has also established an online collaboration platform – the Europol Data Protection Experts Network (EDEN). EDEN’s main aim is the exchange of expertise and best practices among a community of various stakeholders, ranging from law enforcement experts to representatives of relevant private parties, academia, NGOs, etc.
If you are interested in contributing to the discussions on effective data protection safeguards applicable in law enforcement context, please apply to become a member of our expert community via email@example.com
Accessing personal data at Europol
Any individual can obtain information on whether personal data related to them are processed by Europol. The agency has a legal obligation to provide the data subject with information on whether personal data relating to him/her are processed at Europol. In order to exercise the right of access, the individual can submit a request to Europol via the competent authority of a Member State. At Europol, the DPF undertakes the necessary checks.
European Data Protection Supervisor (EDPS)
While the Data Protection Officer, though independent in the performance of his tasks, is an integral part of the organisation, the European Data Protection Supervisor (EDPS) is responsible for external supervision. The EDPS respectively provides advice on data protection matters to Europol, carries out inspections and investigates complaints from individuals.
The EDPS is the European Union’s independent data protection authority that serves as an impartial centre of excellence for enforcing and reinforcing EU data protection and privacy standards, both in practice and in law. The EDPS is headed by a Supervisor and Assistant Supervisor and supported by lawyers, IT specialists and administrators. These experts are highly experienced in data processing and they supervise Europol’s activities from a data protection perspective.
To this end, the EDPS has the power to inspect all Europol files at any time. The inspection visits of Europol’s premises are carried out in close cooperation with the DPF at Europol. The EDPS inspections cover all of Europol’s data processing operations. On the basis of these inspections, the EDPS delivers extensive and detailed reports on the supervisory activities of Europol, which include findings and recommendations.
In addition to the aforementioned checks by the DPF and the EDPS, each Member State has its own national supervisory body. In accordance with its national law, each Member State checks the transmission of personal data to and from Europol. Members of each of these national supervisory bodies also have access to the documents and premises of their Liaison Officers at Europol.
Furthermore, under the Europol Regulation, a Cooperation Board with an advisory function is established. It acts independently and is composed of a representative of a national supervisory authority of each Member State and of the EDPS.