52005PC0475

[pic] | COMMISSION OF THE EUROPEAN COMMUNITIES |

Brussels, 4.10.2005

COM(2005) 475 final

2005/0202 (CNS)

Proposal for a

COUNCIL FRAMEWORK DECISION

on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters {SEC(2005) 1241}

(presented by the Commission)

EXPLANATORY MEMORANDUM

1) Context of the proposal

- Grounds for and objectives of the proposal

On 4 November 2004, the European Council adopted The Hague Programme on strengthening freedom, security and justice in the European Union.[1] In this programme the Commission is invited to submit proposals by the end of 2005 at the latest for the implementation of the principle of availability in order to improve the cross-border exchange of law-enforcement information between the Member States. The Hague Programme stresses that key conditions in the area of data protection should be strictly observed in these proposals.

In June 2005, the Council and the Commission adopted the Action Plan implementing the Hague Programme.[2] It was based on the Communication from the Commission to the Council and the European Parliament - The Hague Programme: Ten priorities for the next five years. The Partnership for European renewal in the field of Freedom, Security and Justice.[3] According to the Action Plan the Commission shall submit proposals in 2005 on (1) the establishment of a principle of availability of law enforcement relevant information and (2) on adequate safeguards and effective legal remedies for the transfer of personal data for the purpose of police and judicial cooperation in criminal matters. On 13 July 2005, the Council (Justice and Home Affairs) in its Declaration on the EU response to the London bombings[4] called on the Commission to present these proposals by October 2005.

This Framework Decision shall ensure the protection of personal data processed in the framework of police and judicial co-operation in criminal matters between the Member States of the European Union (TEU, Title VI). It aims at improving this cooperation, in particular regarding preventing and combating terrorism, and with the strict observance of key conditions in the area of data protection. It shall ensure that fundamental rights, with special attention to the right to privacy and to the protection of personal data, will be respected throughout the European Union, in particular, in view of the implementation of the principle of availability. It shall also ensure that the exchange of relevant information between the Member States will not be hampered by different levels of data protection in the Member States.

- General context

Further to the initiative of Italy[5] the protection of personal data in the third pillar was already discussed in 1998. At that time, the Justice and Home Affairs Council adopted the so-called Vienna Action Plan.[6] It stipulated that - with regard to horizontal problems in the context of police and judicial cooperation in criminal matters - the possibilities for harmonised rules on data protection should be examined within two years from the entry into force of the Treaty. However, in 2001 a draft resolution on the personal data protection rules in instruments under the third pillar of the European Union failed to be adopted.[7] In June 2003 the Greek Presidency proposed a set of general principles on the protection of personal data in the third pillar[8] that were inspired by the Data Protection Directive 95/46/EC and the Charter of Fundamental Rights of the European Union. In 2005, the Data Protection Authorities of the Member States of the European Union and the European Data Protection Supervisor (hereafter: EDPS) expressed strong support for a new legal instrument for the protection of personal data in the third pillar[9]. The European Parliament recommended harmonising existing rules on the protection of personal data in the instruments of the third pillar, bringing them together in a single instrument that guarantees the same level of data protection as provided for under the first pillar[10].

According to The Hague Programme, the introduction of the principle of availability is dependent on key conditions in the area of data protection. Obviously, the European Council acknowledged that data protection provisions presently existing at European level would not be sufficient in view of the implementation of the principle of availability, which might include modalities such as reciprocal access to or interoperability of national databases or direct (on-line) access.

Concerns about a sufficient level of data protection were also reflected in a cooperation agreement signed by seven Member States on 27 May 2005 in Prüm (Germany, Austria, Belgium, the Netherlands, Luxembourg, France, and Spain) and which they recommend as a model for the exchange of information between the Member States of the Union in general. The agreement provides, subject to specific conditions, for direct automated access for the law enforcement authorities of one Contracting Party to personal data held by another Contracting Party. But this form of cooperation shall not apply until the data protection provisions of the agreement have been transposed into the national law of the Parties.

- Existing provisions in the area of the proposal

The Charter of Fundamental Rights of the European Union[11] explicitly recognises the right to privacy (Article 7) and the right to the protection of personal data (Article 8). Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.

The Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[12] contains fundamental rules on the lawfulness of the processing of personal data as well as on the rights of the data subject. It includes provisions concerning judicial remedies, liability and sanctions, the transfer of personal data to third countries, codes of conduct, specific supervisory authorities and a working party and finally community implementing rules. However, the Directive does not apply to activities that fall outside the scope of Community law such as those provided for by Title VI of the Treaty on European Union (TEU). Accordingly Member States are allowed to decide themselves on appropriate standards for data processing and protection. In the context of Title VI TEU the protection of personal data is set out in different specific instruments. In particular, in instruments that establish common information systems at European level, such as: the Convention implementing the Schengen Agreement of 1990 including specific data protection provisions applicable to the Schengen Information System;[13] the Europol Convention of 1995[14] and, inter alia, the Rules governing the transmission of personal data by Europol to third States and third bodies;[15] the Decision setting up Eurojust of 2002[16] and the Rules of procedure on the processing and protection of personal data at Eurojust;[17] the Convention on the use of information technology for customs purposes of 1995, including personal data protection provisions applicable to the Customs Information System;[18] and the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union of 2000, in particular Article 23.[19] With regard to the Schengen Information System particular attention has to be paid to the establishment, operation and use of the second generation Schengen information system (SIS II), for which the Commission already submitted proposals for a Council Decision[20] and for two Regulations.[21]

Furthermore, attention has to be paid to Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms and to the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981, to its Additional Protocol of 2001 regarding supervisory authorities and transborder data flows and to the Recommendation No. R (87) 15 of 1987 regulating the use of personal data in the police sector. All Member States are parties to the Convention but not all are parties to the Additional Protocol.

- Consistency with the other policies and objectives of the Union

The specificities of data processing and data protection in the framework of Title VI of the Treaty on European Union have to be recognised. On the one hand, they should not hamper consistency with the general policy of the Union in the area of privacy and data protection on the basis of the EU Charter for Fundamental Rights and of Directive 95/46/EC. The fundamental principles of data protection apply to data processing in the first and in the third pillar. Moreover, consistency must be ensured with other instruments providing for specific obligations related to information that is likely to be relevant for the purpose of preventing and combating crime. Attention has to be paid to the development regarding the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism. Particular reference has to be made to the close relation between the proposed Framework Decision and the Commission’s Proposal for a Directive of the European Parliament and of the Council on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC.[22]

2) Consultation of interested parties and impact assessment

- Consultation of interested parties

Consultation methods, main sectors targeted and general profile of respondents

On 22 November 2004 and on 21 June 2005, the Commission invited and consulted experts of the Governments of the Member States, Iceland, Norway and Switzerland, and on 11 January 2005 experts of the Data Protection Authorities of these States. The EDPS, Europol, Eurojust, and the Secretariat of the Joint Supervisory Bodies were also represented. The main purpose of the consultations was to find out the need for a legal instrument on the processing and protection of personal data in the third pillar and, if so, what the main content of such an instrument should be. The Commission asked the consulted parties, inter alia, on the basis of a questionnaire and a discussion paper, about their position concerning the general approach of a new legal instrument and its relation to existing instruments, the legal basis, the possible scope, the principles relating to data quality, the criteria for making data processing by police or judicial authorities legitimate, personal data of non-suspects, the requirements for the transmission of personal data to competent authorities in other Member States and in third countries, the rights of the data subject, supervisory authorities and a possible advisory body for data protection in the third pillar.

The Working Party set up according to Article 29 of Directive 95/46/EC was regularly informed about the ongoing developments. On 12 April and 21 June 2005, the Commission attended meetings of the Police Working Party of the Conference of the European Data Protection Authorities. On 31 January 2005, the Commission participated in a "Public Seminar: Data protection and citizens' security: what principles for the European Union?” held by the Committee on Civil Liberties, Justice and Home Affairs. The Commission took into account the results of the Spring Conference of the European Data Protection Authorities, Krakow, 25-26 April 2005, and the position of the European Parliament as set out, inter alia, in the European Parliament recommendation to the European Council and the Council on the exchange of information and cooperation concerning terrorist offences (2005/2046(INI)), adopted on 7 June 2005.2

Summary of responses and how they have been taken into account

Both the European Parliament and the Data Protection Authorities in the European Union strongly support a legal instrument on the protection of personal data in the third pillar. Representatives of the Governments of the Member States and of Iceland, Norway and Switzerland, and of Europol and Eurojust did not express a common position in that regard. However, the Commission could conclude that there was no principal opposition to the idea of such an instrument. There seemed to be agreement that the implementation of the principle of availability has to be accompanied by appropriate counterbalancing rules in the area of data protection. Some Member States stated that the way information is exchanged in the future should be defined first and that rules for the protection of personal data should be laid down subsequently. Some preferred a set of specific provisions to be included in the act on the principle of availability.

Having weighed up the different positions the Commission takes the position that the implementation of the principle of availability will further develop and fundamentally change the quality and intensity of the exchange of information between the Member States. Such development will greatly affect personal data and the right to data protection. It needs to be appropriately counterbalanced. Recent initiatives aiming at direct automated access, at least, on a hit/no hit basis are likely to increase the risk of exchanging illegitimate, inaccurate or non up-dated data and have to be taken into account. These initiatives imply that the data controller will no longer be able to verify in each individual case the legitimacy of a transmission and the accuracy of the data concerned. Consequently, this has to be accompanied by strict obligations to constantly ensure and verify the quality of data to which direct automated access is granted.

With special attention being paid to the impact of the implementation of the principle of availability, provisions just addressing individual aspects of data protection are not sufficient. A legal instrument on the protection of personal data in the third pillar can, in principle, contribute to fostering police and judicial cooperation in criminal matters with regard to its efficiency as well as its legitimacy and compliance with fundamental rights, in particular the right to protection of personal data.

In particular with a view to the implementation of the principle of availability such an instrument is particularly necessary and must be developed hand in hand with the implementation of this principle. The Framework Decision should follow the spirit and structure of Directive 95/46/EC as far as possible while taking into account the specific needs of police and judicial cooperation in criminal matters and in the light of the principle of proportionality. The Recommendation Nr R(87)15 regulating the use of personal data in the police sector of the Council of Europe of 1987 has been taken into account in order to transpose its main principles into legally binding provisions at EU level. Clear rules should be established for the protection of personal data that shall be or have been made available to competent authorities of other Member States. This implies a system ensuring the quality of processing of the data concerned. Such a system must include provisions laying down appropriate rights of the data subject and powers of the supervisory authorities as exercising those rights and powers is likely to contribute to the quality of the data concerned.

- Impact assessment

The following options were considered: applicability of Directive 95/46/EC; no or later proposal for provisions on the protection of personal data in the third pillar; limited set of specific provisions in a legal act concerning the exchange of information under the principle of availability; Framework Decision on the protection of personal data in the third pillar. With regard to the latter it has been examined if such an instrument should also apply to the exchange of information through information systems and by bodies established at EU level.

The fundamental and comprehensive provisions of Directive 95/46/EC are not applicable in the third pillar as set out in its Article 3(2). Even the deletion of this article could not automatically result in the applicability of the Directive on police and judicial cooperation in criminal matters. Firstly, the specificities of this cooperation are not fully taken into account in the Directive and would require some more precision. Secondly, the requirements for legislation, falling within the ambit of Title VI of the Treaty of the European Union, which aims at fostering police and judicial cooperation in criminal matters, have to be respected The option of no or a later proposal for provisions on the processing and protection of personal data in the third pillar has to be excluded. This option is likely to imply that new forms of exchange of information are introduced with the implementation of the principle of availability without ensuring strict observance of key conditions in the area of data protection. A limited set of specific provisions in a legal act concerning the exchange of information under the principle of availability is not sufficient given the probable impact of the latter. A Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters is the only fully satisfying option. This option is unlikely to generate considerable, if any, administrative costs for the Member States.

The Commission carried out an impact assessment; which is listed in the Work Programme and the impact assessment report is available on http://europa.eu.int/comm/dgs/justice_home/evaluation/dg_coordination_evaluation_annexe_en.htm.

3) LEGAL ELEMENTS OF THE PROPOSAL

- Summary of the proposed action

The proposed Framework Decision includes general rules on the lawfulness of processing of personal data, provisions concerning specific forms of processing (transmission and making available of personal data to the competent authorities of other Member States, further processing, in particular further transmission, of data received from or made available by the competent authorities of other Member States), rights of the data subject, confidentiality and security of processing, judicial remedies, liability, sanctions, supervisory authorities and a working party on the protection of individuals with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences. Particular attention must be paid to the principle that personal data are only transferred to those third countries and international bodies that ensure an adequate level of protection. The Framework Decision provides for a mechanism aiming at EU wide compliance with this principle.

- Legal basis

This Framework Decision shall be based on Articles 30, 31 and 34 (2) (b) of the Treaty on European Union. In particular in the light of the implementation of the principle of availability, appropriate provisions regarding the processing and protection of personal data, including common standards for the transmission of personal data to third countries and international bodies, are essential to improve police and judicial cooperation in criminal matters, in particular for the fight against terrorism and serious crimes. Moreover, Member States will only fully trust each other if there are clear and common rules for the possible further transmission of exchanged data to other parties, in particular to third countries. The proposed provisions will ensure that the exchange of information between the competent authorities is not prejudiced by different levels of data protection in the Member States.

- Subsidiarity and proportionality principle

This Framework Decision addresses situations that are particularly relevant for police and judicial cooperation in criminal matters between the Member States, in particular for the exchange of information in order to ensure and promote efficient and lawful measures to prevent and combat crime, in particular serious crime and terrorism, in all Member States. National, bilateral or multilateral solutions might be helpful for individual Member States but would disregard the necessity of ensuring internal security for the whole Union. The information need of law enforcement authorities is largely determined by the level of integration between countries. The exchange of information for law-enforcement purposes between Member States is estimated to increase and therefore needs to be complemented by consistent rules on data processing and data protection. This Framework Decision respects the principle of subsidiarity provided for by Article 2 of the Treaty on European Union and Article 5 of the Treaty establishing the European Community insofar as it aims to approximate the laws and regulations of the Member States, which cannot be done adequately by the Member States acting unilaterally and requires concerted action within the European Union. In accordance with the principle of proportionality, as set out in the latter Article, this Decision does not go beyond what is necessary in order to achieve that objective. In particular, this decision only refers to the processing of personal data as far as relevant for police and judicial co-operation in criminal matters.

- Choice of instruments

Proposed instrument: framework decision. This legal instrument aims at the approximation of the laws and regulations of the Member States regarding the protection of personal data processed for the purpose of preventing and combating crime.

4) Budgetary implication

The implementation of the proposed Framework Decision would entail only low additional administrative expenditure, to be charged to the budget of the European Communities, for meetings of and the secretarial services for the committee and the advisory body to be established according to Articles 16 and 31.

2005/0202 (CNS)

Proposal for a

COUNCIL FRAMEWORK DECISION

on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on European Union, and in particular Article 30, Article 31 and Article 34 (2)(b) thereof,

Having regard to the proposal from the Commission,[23]

Having regard to the opinion of the European Parliament,[24]

Whereas:

(1) The European Union has set itself the objective to maintain and develop the Union as an area of freedom, security and justice; a high level of safety shall be provided by common action among the Member States in the fields of police and judicial cooperation in criminal matters.

(2) Common action in the field of police cooperation according to Article 30(1)(b) of the Treaty on European Union and common action on judicial cooperation in criminal matters according to Article 31 (1)(a) of the Treaty on European Union imply the necessity of the processing of relevant information which should be subject to appropriate provisions on the protection of personal data.

(3) Legislation falling within the ambit of Title VI of the Treaty on European Union should foster police and judicial cooperation in criminal matters with regard to its efficiency as well as its legitimacy and compliance with fundamental rights, in particular the right to privacy and to protection of personal data. Common standards regarding the processing and protection of personal data processed for the purpose of preventing and combating crime can contribute to achieving both aims.

(4) The Hague Programme on strengthening freedom, security and justice in the European Union, adopted by the European Council on 4 November 2004, stressed the need for an innovative approach to the cross-border exchange of law-enforcement information under strict observation of key conditions in the area of data protection and invited the Commission to submit proposals in this regard by the end of 2005 at the latest. This was reflected in the Council and Commission Action Plan implementing the Hague Programme on strengthening freedom, security and justice in the European Union [25].

(5) The exchange of personal data in the framework of police and judicial cooperation in criminal matters, notably under the principle of availability of information as laid down in the Hague Programme, should be supported by clear binding rules enhancing mutual trust between the competent authorities and ensuring that the relevant information is protected in a way excluding any obstruction of this cooperation between the Member States while fully respecting fundamental rights of individuals. Existing instruments at the European level do not suffice. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[26] does not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.

(6) A legal instrument on common standards for the protection of personal data processed for the purpose of preventing and combating crime should be consistent with the overall policy of the European Union in the area of privacy and data protection. Wherever possible, taking into account the necessity of improving the efficiency of legitimate activities of the police, customs, judicial and other competent authorities, it should therefore follow existing and proven principles and definitions, notably those laid down in Directive 95/46/EC of the European Parliament and of the Council or relating to the exchange of information by Europol, Eurojust, or processed via the Customs Information System or other comparable instruments.

(7) The approximation of Member States’ laws should not result in any lessening of the data protection they afford but should, on the contrary, seek to ensure a high level of protection within the Union.

(8) It is necessary to specify the objectives of data protection in the framework of police and judicial activities and to lay down rules concerning the lawfulness of processing of personal data in order to ensure that any information that might be exchanged has been processed legitimately and in accordance with fundamental principles relating to data quality. At the same time the legitimate activities of the police, customs, judicial and other competent authorities should not be jeopardized in any way.

(9) Ensuring a high level of protection of the personal data of European citizens requires common provisions to determine the lawfulness and the quality of data processed by competent authorities in other Member States.

(10) It is appropriate to lay down at the European level the conditions under which competent authorities of the Member States should be allowed to transmit and make available personal data to authorities and private parties in other Member States.

(11) The further processing of personal data received from or made available by the competent authority of another Member State, in particular the further transmission of or making available such data, should be subject to common rules at European level.

(12) Where personal data are transferred from a Member State of the European Union to third countries or international bodies, these data should, in principle, benefit from an adequate level of protection.

(13) This Framework Decision should define the procedure for the adoption of the measures necessary in order to assess the level of data protection in a third country or international body.

(14) In order to ensure the protection of personal data without jeopardising the purpose of criminal investigations, it is necessary to define the rights of the data subject.

(15) It is appropriate to establish common rules on the confidentiality and security of the processing, on liability and sanctions for unlawful use by competent authorities as well as judicial remedies available for the data subject. Furthermore, it is necessary that Member States provide for criminal sanctions for particularly serious and intentionally committed infringements of data protection provisions.

(16) The establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of personal data processed in the framework of police and judicial cooperation between the Member States.

(17) Such authorities should have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings. These authorities should help to ensure transparency of processing in the Member States within whose jurisdiction they fall. However, the powers of these authorities should not interfere with specific rules set out for criminal proceedings and the independence of the judiciary.

(18) A Working Party on the protection of individuals with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences should be set up and be completely independent in the performance of its functions. It should advise the Commission and the Member States and, in particular, contribute to a uniform application of the national rules adopted pursuant to this Framework Decision.

(19) Article 47 of the Treaty on European Union provides that none of its provisions shall affect the Treaties establishing the European Communities or the subsequent Treaties and Acts modifying or supplementing them. Accordingly, this Framework Decision does not affect the protection of personal data under Community law, in particular, as provided for in Directive 95/46/EC of the European Parliament and of the Council , in Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data[27] and in Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)[28].

(20) The present Framework Decision is without prejudice to the specific data protection provisions laid down in the relevant legal instruments relating to the processing and protection of personal data by Europol, Eurojust and the Customs Information System.

(21) The provisions regarding the protection of personal data, provided for under Title IV of the Convention of 1990 implementing the Schengen Agreement of 14 June 1985 on the gradual abolition of checks at the common borders[29] (hereinafter referred to as the “Schengen Convention”) and integrated into the framework of the European Union pursuant to the Protocol annexed to the Treaty on European Union and the Treaty establishing the European Community, should be replaced by the rules of this Framework Decision for the purposes of matters falling within the scope of the EU Treaty.

(22) It is appropriate that this Framework Decision applies to the personal data which are processed in the framework of the second generation of the Schengen Information System and the related exchange of supplementary information pursuant to Decision JHA/2006/ … on the establishment, operation and use of the second generation Schengen information system.

(23) This Framework Decision is without prejudice to the rules pertaining to illicit access to data as foreseen in the Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems[30].

(24) It is appropriate to replace Article 23 of the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union[31].

(25) Any reference to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal data should be read as reference to this Framework Decision.

(26) Since the objectives of the action to be taken, namely the determination of common rules for the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, cannot be sufficiently achieved by the Member States acting alone, and can therefore, by reason of the scale and effects of the action, be better achieved at the level of the European Union, the Council may adopt measures in accordance with the principle of subsidiarity, as set out in Article 5 of the EC Treaty and referred to in Article 2 of the EU Treaty. In accordance with the principle of proportionality as set out in Article 5 of the EC Treaty, this Framework Decision does not go beyond what is necessary to achieve those objectives.

(27) The United Kingdom is taking part in this Framework Decision, in accordance with Article 5 of the Protocol integrating the Schengen acquis into the framework of the European Union annexed to the EU Treaty and to the EC Treaty, and Article 8 (2) of Council Decision 2000/365/EC of 29 May 2000, concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis [32].

(28) Ireland is taking part in this Framework Decision in accordance with Article 5 of the Protocol integrating the Schengen acquis into the framework of the European Union annexed to the EU Treaty and to the EC Treaty, and Article 6 (2) of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis.

(29) As regards Iceland and Norway, this Framework Decision constitutes a development of provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis, which fall within the area referred to in Article 1(H) of Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of that Agreement[33].

(30) As regards Switzerland, this Framework Decision constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement signed by the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis which fall within the area referred to in Article 1 (H) of Council Decision 1999/437/EC of 17 May 1999 read in conjunction with Article 4 (1) of the Council Decision 2004/849/EC on the signing, on behalf of the European Union, and on the provisional application of certain provisions of that Agreement[34].

(31) This Framework Decision constitutes an act building on the Schengen acquis or otherwise related to it within the meaning of Article 3(1) of the 2003 Act of Accession.

(32) This Framework Decision respects the fundamental rights and observes the principles recognized, in particular by the Charter of Fundamental Rights of the European Union. This Framework Decision seeks to ensure full respect for the rights to privacy and the protection of personal data in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union,

HAS ADOPTED THIS FRAMEWORK DECISION:

CHAPTER I OBJECT, DEFINITIONS AND SCOPE

Article 1Object

1. This Framework Decision determines common standards to ensure the protection of individuals with regard to the processing of personal data in the framework of police and judicial co-operation in criminal matters, provided for by Title VI of the Treaty on European Union.

2. Member States shall ensure that the disclosure of personal data to the competent authorities of other Member States is neither restricted nor prohibited for reasons connected with the protection of personal data as provided for in this Framework Decision.

Article 2Definitions

For the purposes of this Framework Decision:

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(c) 'personal data filing system' ('filing system') shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(d) 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by national law or by law adopted in accordance with Title VI of the Treaty on European Union, the controller or the specific criteria for his nomination may be designated by national law or by law under Title VI of the Treaty on European Union;

(e) ‘processor’ shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(f) 'third party' shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

(g) 'recipient' shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not;;

(h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed;

(i) ‘international bodies’ shall mean bodies or organisations established by international agreements;

(j) ‘competent authorities’ shall mean police forces, customs, judicial and other competent authorities of the Member States within the meaning of Article 29 of the Treaty on European Union.

Article 3Scope

1. This Framework Decision shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system by a competent authority for the purpose of the prevention, investigation, detection and prosecution of criminal offences.

2. This Framework Decision shall not apply to the processing of personal data by

- the European Police Office (Europol),

- the European Judicial Cooperation Unit (Eurojust),

- the Customs Information System as set up according to the Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on the use of information technology for customs purposes, and any amendments made thereto.

CHAPTER II GENERAL RULES ON THE LAWFULNESS OF PROCESSING OF PERSONAL DATA

Article 4Principles relating to data quality

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified. Member States may provide for the processing of data to varying degrees of accuracy and reliability in which case they must provide that data are distinguished in accordance with their degree of accuracy and reliability, and in particular that data based on facts are distinguished from data based on opinions or personal assessments;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

3. Member States shall provide for a clear distinction to be made between personal data of

- a person who is suspected of having committed or having taken part in a criminal offence,

- a person who has been convicted of a criminal offence,

- a person with regard to whom there are serious grounds for believing that he or she will commit a criminal offence,

- a person who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings,

- a person who has been the victim of a criminal offence or with regard to whom certain facts give reasons for believing that he or she could be the victim of a criminal offence,

- a person who can provide information on criminal offences,

- a contact or associate to one of the persons mentioned above, and

- a person who does not fall within any of the categories referred to above.

4. Member States shall provide that processing of personal data is only necessary if

- there are, based on established facts, reasonable grounds to believe that the personal data concerned would make possible, facilitate or accelerate the prevention, investigation, detection or prosecution of a criminal offence, and

- there is no other means less affecting the data subject and

- the processing of the data is not excessive in relation to the offence concerned.

Article 5Criteria for making data processing legitimate

Member States shall provide that personal data may be processed by the competent authorities only if provided for by a law setting out that the processing is necessary for the fulfilment of the legitimate task of the authority concerned and for the purpose of the prevention, investigation, detection or prosecution of criminal offences.

Article 6 Processing of special categories of data

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

2. Paragraph 1 shall not apply where

- processing is provided for by a law and absolutely necessary for the fulfilment of the legitimate task of the authority concerned for the purpose of the prevention, investigation, detection or prosecution of criminal offences or if the data subject has given his or her explicit consent to the processing, and

- Member States provide for suitable specific safeguards, for example access to the data concerned only for personnel that are responsible for the fulfilment of the legitimate task that justifies the processing.

Article 7 Time limits for the storage of personal data

1. Member States shall provide that personal data shall be stored for no longer than necessary for the purpose for which it was collected, unless otherwise provided by national law. Personal data of persons referred to in Article 4(3) last indent shall be stored for only as long as is absolutely necessary for the purpose for which it was collected.

2. Member States shall provide for appropriate procedural and technical measures ensuring that time limits for the storage of personal data are observed. Compliance with such time limits shall be regularly reviewed.

CHAPTER III – Specific Forms of Processing

SECTION I – TRANSMISSION OF AND MAKING AVAILABLE PERSONAL DATA TO THE COMPETENT AUTHORITIES OF OTHER MEMBER STATES

ARTICLE 8 TRANSMISSION OF AND MAKING AVAILABLE PERSONAL DATA TO THE COMPETENT AUTHORITIES OF OTHER MEMBER STATES

Member States shall provide that personal data shall only be transmitted or made available to the competent authorities of other Member States if necessary for the fulfilment of a legitimate task of the transmitting or receiving authority and for the purpose of the prevention, investigation, detection or prosecution of criminal offences.

Article 9Verification of quality of data that are transmitted or made available

1. Member States shall provide that the quality of personal data is verified at the latest before they are transmitted or made available. As far as possible, in all transmissions of data, judicial decisions as well as decisions not to prosecute should be indicated and data based on opinions or personal assessments checked at source before being transmitted and their degree of accuracy or reliability indicated.

2. Member States shall provide that the quality of personal data, which are made available by direct automated access to the competent authorities of other Member States, are regularly verified in order to ensure that accurate and updated data are accessed.

3. Member States shall provide that personal data which are no longer accurate or up to date shall not be transmitted or made available.

4. Member States shall provide that a competent authority that transmitted or made available personal data to a competent authority of another Member State shall inform the latter immediately if it should establish, either on its own initiative or further to a request by the data subject, that the data concerned should not have been transmitted or made available or that inaccurate or outdated data were transmitted or made available.

5. Member States shall provide that a competent authority that has been informed according to paragraph 4 shall delete or rectify the data concerned. Furthermore, that authority shall rectify the data concerned if it detects that these data are inaccurate. If that authority has reasonable grounds to believe that received personal data are inaccurate or to be deleted, it shall inform without delay the competent authority that transmitted or made available the data concerned.

6. Member States shall, without prejudice to national criminal procedure, provide that personal data are marked on request of the data subject if their accuracy is denied by the data subject and if their accuracy or inaccuracy cannot be ascertained. Such mark shall only be deleted with the consent of the data subject or on the basis of a decision of the competent court or of the competent supervisory authority.

7. Member States shall provide that personal data received from the authority of another Member State are deleted

- if these data should not have been transmitted, made available or received,

- after a time limit laid down in the law of the other Member State if the authority that transmitted or made available the data concerned has informed the receiving authority of such a time limit when the data concerned were transmitted or made available, unless the personal data are further needed for judicial proceedings,

- if these data are not or no longer necessary for the purpose for which they were transmitted or made available.

8. If personal data were transmitted without request the receiving authority shall verify without delay whether these data are necessary for the purpose for which they were transmitted.

9. Personal data shall not be deleted but blocked in accordance with national law if there are reasonable grounds to believe that the deletion could affect the interests of the data subject worthy of protection. Blocked data shall only be used or transmitted for the purpose they were not deleted for.

Article 10Logging and documentation

1. Member States shall provide that each automated transmission and reception of personal data, in particular by direct automated access, is logged in order to ensure the subsequent verification of the reasons for the transmission, the transmitted data, the time of transmission, the authorities involved and, as far as the receiving authority is concerned, the persons who have received the data and who have given rise to their reception.

2. Member States shall provide that each non automated transmission and reception of personal data is documented in order to ensure the subsequent verification of the reasons for the transmission, the transmitted data, the time of transmission, the authorities involved and, as far as the receiving authority is concerned, the persons who have received the data and who have given rise to their reception.

3. The authority that has logged or documented such information shall communicate it without delay to the competent supervisory authority on request of the latter. The information shall only be used for the control of data protection and for ensuring proper data processing as well as data integrity and security.

Section II – Further processing, in particular further Transmission and Transfer, of Data received from or made available by the competent authorities of other Member States

ARTICLE 11 FURTHER PROCESSING OF PERSONAL DATA RECEIVED FROM OR MADE AVAILABLE BY THE COMPETENT AUTHORITY OF ANOTHER MEMBER STATE

1. Member States shall provide that personal data received from or made available by the competent authority of another Member State are only further processed, in accordance with this Framework Decision, in particular its Articles 4, 5 and 6,

(a) for the specific purpose they were transmitted or made available or

(b) if necessary for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject.

2. The personal data concerned shall be further processed for the purposes referred to in paragraph 1 (b) of this article only with the prior consent of the authority that transmitted or made available the personal data.

3. Paragraph 1 (b) shall not apply if specific legislation under Title VI of the Treaty on European Union explicitly stipulates that personal data received from or made available by the competent authority of another Member State shall only be further processed for the purposes they were transmitted or made available for.

Article 12 Transmission to other competent authorities

Member States shall provide that personal data received from or made available by the competent authority of another Member State are further transmitted or made available to other competent authorities of a Member State only if all of the following requirements are met:

(a) the transmission or making available is provided for by law clearly obliging or authorising it.

(b) the transmission or making available is necessary for the fulfilment of the legitimate task of the authority that has received the data concerned or of the authority to which they shall be further transmitted.

(c) the transmission or making available is necessary for the specific purpose they were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject.

(d) the competent authority of the Member State that has transmitted or made available the data concerned to the competent authority that intends to further transmit them or make them available has given its prior consent to their further transmission or making available.

Article 13 Transmission to authorities other than competent authorities

Member States shall provide that personal data received from or made available by the competent authority of another Member State are further transmitted to authorities, other than competent authorities, of a Member State only in particular cases and if all of the following requirements are met:

(a) the transmission is provided for by law clearly obliging or authorising it and

(b) the transmission is

necessary for the specific purpose the data concerned were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject,

or

necessary because the data concerned are indispensable to the authority to which the data shall be further transmitted to enable it to fulfil its own lawful task and provided that the aim of the collection or processing to be carried out by that authority is not incompatible with the original processing, and the legal obligations of the competent authority which intends to transmit the data are not contrary to this,

or

undoubtedly in the interest of the data subject and either the data subject has consented or circumstances are such as to allow a clear presumption of such consent.

(c) The competent authority of the Member State that has transmitted or made available the data concerned to the competent authority that intends to further transmit them has given its prior consent to their further transmission.

Article 14Transmission to private parties

Member States shall, without prejudice to national criminal procedural rules, provide that personal data received from or made available by the competent authority of another Member State can be further transmitted to private parties in a Member State only in particular cases and if all of the following requirements are met:

(a) the transmission is provided for by law clearly obliging or authorising it, and

(b) the transmission is necessary for the purpose the data concerned were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject, and

(c) the competent authority of the Member State that has transmitted or made available the data concerned to the competent authority that intends to further transmit them has given its prior consent to their further transmission to private parties.

Article 15Transfer to competent authorities in third countries or to international bodies

1. Member States shall provide that personal data received from or made available by the competent authority of another Member State are not further transferred to competent authorities of third countries or to international bodies except if such transfer is in compliance with this Framework Decision and, in particular, all the following requirements are met.

(a) The transfer is provided for by law clearly obliging or authorising it.

(b) The transfer is necessary for the purpose the data concerned were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject.

(c) The competent authority of another Member State that has transmitted or made available the data concerned to the competent authority that intends to further transfer them has given its prior consent to their further transfer.

(d) An adequate level of data protection is ensured in the third country or by the international body to which the data concerned shall be transferred.

2. Member States shall ensure that the adequacy of the level of protection afforded by a third country or international body shall be assessed in the light of all the circumstances for each transfer or category of transfers. In particular, the assessment shall result from an examination of the following elements: the type of data, the purposes and duration of processing for which the data are transferred, the country of origin and the country of final destination, the general and sectoral rules of law applicable in the third country or body in question, the professional and security rules which are applicable there, as well as the existence of sufficient safeguards put in place by the recipient of the transfer.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country or an international body does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where, under the procedure provided for in Article 16, it is established that a third country or international body does not ensure an adequate level of protection within the meaning of paragraph 2, Member States shall take the measures necessary to prevent any transfer of personal data to the third country or international body in question.

5. In accordance with the procedure referred to in Article 16, it may be established that a third country or international body ensures an adequate level of protection within the meaning of paragraph 2, by reason of its domestic law or of the international commitments it has entered into, for the protection of the private lives and basic freedoms and rights of individuals.

6. Exceptionally, personal data received from the competent authority of another Member State may be further transferred to competent authorities of third countries or to international bodies in or by which an adequate level of data protection is not ensured if absolutely necessary in order to safeguard the essential interests of a Member State or for the prevention of imminent serious danger threatening public security or a specific person or persons.

Article 16

Committee

1. Where reference is made to this Article, the Commission shall be assisted by a Committee composed of the representatives of the Member States and chaired by the representative of the Commission.

2. The Committee shall adopt its rules of procedure on a proposal made by the Chair on the basis of standard rules of procedure which have been published in the Official Journal of the European Union.

3. The representative of the Commission shall submit to the committee a draft of the measures to be taken. The Committee shall deliver its opinion on the draft within a time limit which the chairperson may lay down according to the urgency of the matter. The opinion shall be delivered by the majority laid down in Article 205(2) of the Treaty establishing the European Community, in the case of decisions which the Council is required to adopt on a proposal from the Commission. The votes of the representatives of the Member States within the committee shall be weighted in the manner set out in that Article. The chairperson shall not vote.

4. The Commission shall adopt the measures envisaged if they are in accordance with the opinion of the Committee. If the measures envisaged are not in accordance with the opinion of the Committee, or if no opinion is delivered, the Commission shall, without delay, submit to the Council a proposal relating to the measures to be taken and shall inform the European Parliament thereof.

5. The Council may act by qualified majority on the proposal, within two months from the date of referral to the Council.

If within that period, the Council has indicated by qualified majority that it opposes the proposal, the Commission shall re-examine it. It may submit an amended proposal to the Council, resubmit its proposal or present a legislative proposal. If on the expiry of that period the Council has neither adopted the proposed implementing act nor indicated its opposition to the proposal for implementing measures, the proposed implementing act shall be adopted by the Commission.

Article 17 Exceptions from Articles 12, 13, 14 and 15

Articles 12, 13, 14 and 15 shall not apply if specific legislation under Title VI of the Treaty on European Union explicitly stipulates that personal data received from or made available by the competent authority of another Member State shall not be further transmitted or only be further transmitted under more specific conditions.

Article 1 8 Information on request of the competent authority

Member States shall provide that the competent authority from or by whom personal data were received or made available will be informed on request about their further processing and the achieved results.

CHAPTER IVRIGHTS OF THE DATA SUBJECT

Article 1 9 Right of information in cases of collection of data from the data subject with his knowledge

1. Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with his knowledge with at least the following information free of cost, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as

- the legal basis of the processing,

- the recipients or categories of recipients of the data,

- whether replies to questions or other forms of cooperation are obligatory or voluntary, as well as the possible consequences of failure to reply or to cooperate,

- the existence of the right of access to and the right to rectify the data concerning him or her

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.

2. The provision of the information laid down in paragraph 1 shall be refused or restricted only if necessary

(a) to enable the controller to fulfil its lawful duties properly,

(b) to avoid prejudicing of ongoing investigations, inquiries or proceedings or the fulfilment of the lawful duties of the competent authorities,

(c) to protect public security and public order in a Member State,

(d) to protect the rights and freedoms of third parties,

except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject.

3. If the information referred to in paragraph 1 is refused or restricted, the controller shall inform the data subject that he may appeal to the competent supervisory authority, without prejudice to any judicial remedy and without prejudice to national criminal procedure.

4. The reasons for a refusal or restriction according to paragraph 2 shall not be given if their communication prejudices the purpose of the refusal. In such case the controller shall inform the data subject that he may appeal to the competent supervisory authority, without prejudice to any judicial remedy and without prejudice to national criminal procedure. If the data subject lodges an appeal to the supervisory authority, the latter shall examine the appeal. The supervisory authority shall, when investigating the appeal, only inform him of whether the data have been processed correctly and, if not, whether any necessary corrections have been made.

Article 20 Right of information where the data have not been obtained from the data subject or have been obtained from him without his knowledge

1. Where the data have not been obtained from the data subject or have been obtained from him without his knowledge or without his awareness that data are being collected concerning him, Member States shall provide that the controller or his representative must, at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, within a reasonable time after the data are first disclosed, provide the data subject with at least the following information free of cost, except where he already has it or the provision of the information proves impossible or would involve a disproportionate effort:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing;

(c) any further information such as

- the legal basis of the processing,

- the categories of data concerned,

- the recipients or categories of recipients,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

2. The information laid down in paragraph 1 shall not be provided if necessary

(a) to enable the controller to fulfil its lawful duties properly,

(b) to avoid prejudicing of ongoing investigations, inquiries or proceedings or the fulfilment of the lawful duties of the competent authorities,

(c) to protect public security and public order in a Member State,

(d) to protect the rights and freedoms of third parties,

except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject.

Article 2 1 Right of access, rectification, erasure or blocking

1. Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint, at reasonable intervals and without excessive delay or expense:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, the legal basis of the processing and the recipients or categories of recipients to whom the data have been disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source;

(b) as appropriate, the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Framework Decision, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

2. Any act the data subject is entitled to according to paragraph 1 shall be refused if necessary

(a) to enable the controller to fulfil its lawful duties properly,

(b) to avoid prejudicing of ongoing investigations, inquiries or proceedings or the fulfilment of the lawful duties of the competent authorities,

(c) to protect public security and public order in a Member State,

(d) to protect the rights and freedoms of third parties,

except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject.

3. A refusal or restriction of the rights referred to in paragraph 1 shall be set out in writing. If the right referred to in paragraph 1 is refused or restricted, the controller shall inform the data subject that he may appeal to the competent supervisory authority, without prejudice to any judicial remedy and without prejudice to national criminal procedure.

4. The reasons for a refusal according to paragraph 2 shall not be given to the data subject if their communication prejudices the purpose of the refusal. In such case the controller shall inform the data subject that he may appeal to the competent supervisory authority, without prejudice to any judicial remedy and without prejudice to national criminal procedure. If the data subject lodges an appeal to the supervisory authority, the latter shall examine the appeal. The supervisory authority shall, when investigating the appeal, only inform him of whether the data have been processed correctly and, if not, whether any necessary corrections have been made.

Article 2 2 Information to third parties following rectification, blocking or erasure

Member States shall provide that appropriate technical measures are taken to ensure that, in cases where the controller rectifies, blocks or erases personal data following a request, a list of the suppliers and addressees of these data is automatically produced. The controller shall ensure that those included in the list are informed of the changes performed on the personal data.

CHAPTER VConfidentiality and security of processing

Article 2 3 Confidentiality

Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law. All persons called upon to work with or within a competent authority of a Member State shall be bound by strict confidentiality rules.

Article 2 4 Security

1. Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission over a network or the making available by granting direct automated access, and against all other unlawful forms of processing, taking into account in particular the risks represented by the processing and the nature of the data to be protected.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Measures shall be deemed necessary where the effort they involve is not disproportionate to the objective they are designed to achieve in terms of protection.

2. In respect of automated data processing each Member State shall implement measures designed to:

(a) deny unauthorized persons access to data processing equipment used for processing personal data (equipment access control);

(b) prevent the unauthorized reading, copying, modification or removal of data media (data media control);

(c) prevent the unauthorized input of data and the unauthorized inspection, modification or deletion of stored personal data (storage control);

(d) prevent the use of automated data processing systems by unauthorized persons using data communication equipment (user control);

(e) ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation (data access control);

(f) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment (communication control);

(g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data processing systems and when and by whom the data were input (input control);

(h) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (transport control);

(i) ensure that installed systems may, in case of interruption, be immediately restored (recovery);

(j) ensure that the functions of the system perform without fault, that the appearance of faults in the functions is immediately reported (reliability) and that stored data cannot be corrupted by means of a malfunctioning of the system (integrity).

3. Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

4. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:

- the processor shall act only on instructions from the controller,

- the obligations set out in paragraphs 1 and 2, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.

5. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.

Article 2 5 Register

1. Member States shall provide that every controller keeps a register of any processing operation or sets of such an operation intended to serve a single purpose or several related purposes. The information to be contained in the register shall include

(a) the name and address of the controller and of his representative, if any;

(b) the purpose or purposes of the processing;

(c) a description of the category or categories of data subject and of the data or categories of data relating to them;

(d) the legal basis of the processing operation for which the data are intended;

(e) the recipients or categories of recipient to whom the data might be disclosed;

(f) proposed transfers of data to third countries;

(g) a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 24 to ensure security of processing.

2. Member States shall specify the conditions and procedures under which information referred to in paragraph 1 must be notified to the supervisory authority.

Article 2 6 Prior checking

1. Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof.

2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.

3. Member States may also carry out such checks in the context of preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which define the nature of the processing and lay down appropriate safeguards.

CHAPTER VI JUDICIAL REMEDIES AND LIABILITY

Article 27 Remedies

Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 30, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed to him by the applicable national law pursuant to this Framework Decision to the processing in question.

Article 2 8 Liability

1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Framework Decision is entitled to receive compensation from the controller for the damage suffered. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

2. However, a competent authority that received personal data from the competent authority of another Member State is liable vis-à-vis the injured party for damages caused because of the use of inaccurate or outdated data. It can not disclaim its liability on the ground that it received inaccurate or outdated data from another authority. If damages are awarded against the receiving authority because of its use of inaccurate data transmitted or made available by the competent authority of another Member State, the latter shall refund in full to the receiving authority the amount paid in damages.

Article 2 9 Sanctions

1. The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Framework Decision and shall in particular lay down effective, proportionate and dissuasive sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Framework Decision.

2. Member States shall provide for effective, proportionate and dissuasive criminal sanctions for intentionally committed offences implying serious infringements of provisions adopted pursuant to this Framework Decision, notably provisions aimed at ensuring confidentiality and security of processing.

CHAPTER VII SUPERVISORY AUTHORITY AND WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

Article 30 Supervisory authority

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Framework Decision. These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences.

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 26, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Framework Decision have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.

7. The supervisory authorities shall cooperate with one another as well as with the supervisory bodies set up under Title VI of the Treaty on European Union and the European Data Protection Supervisor to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

8. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

9. The powers of the supervisory authority shall not affect the independence of the judiciary and the decision taken by this authority shall be without prejudice to the execution of the legitimate tasks of the judiciary in criminal proceedings.

Article 3 1 Working Party on the Protection of Individuals with regard to the Processing of Personal Data for the purpose of the prevention, investigation, detection and prosecution of criminal offences

1. A Working Party on the Protection of Individuals with regard to the Processing of Personal Data for the purpose of the prevention, investigation, detection and prosecution of criminal offences, hereinafter referred to as 'the Working Party', is hereby set up. It shall have advisory status and act independently.

2. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State, of a representative of the European Data Protection Supervisor, and of a representative of the Commission.

Each member of the Working Party shall be designated by the institution, authority or authorities which he represents. Where a Member State has designated more than one supervisory authority, they shall nominate a joint representative.

The chairpersons of the joint supervisory bodies set up under Title VI of the Treaty on European Union shall be entitled to participate or to be represented in meetings of the Working Party. The supervisory authority or authorities designated by Iceland, Norway and Switzerland shall be entitled to be represented in meetings of the Working Party insofar as issues related to the Schengen Acquis are concerned.

3. The Working Party shall take its decisions by a simple majority of the representatives of the supervisory authorities of the Member States.

4. The Working Party shall elect its chairperson. The chairperson's term of office shall be two years. His appointment shall be renewable.

5. The Working Party's secretariat shall be provided by the Commission.

6. The Working Party shall adopt its own rules of procedure.

7. The Working Party shall consider items placed on its agenda by its chairperson, either on his own initiative or at the request of a representative of the supervisory authorities, the Commission, the European Data Protection Supervisor or the chairpersons of the joint supervisory bodies.

Article 3 2

Tasks

1. The Working Party shall,

(a) examine any question covering the application of the national measures adopted under this Framework Decision in order to contribute to the uniform application of such measures,

(b) give an opinion on the level of protection in the Member States and in third countries and international bodies, in particular in order to guarantee that personal data are transferred in compliance with Article 15 of this Framework Decision to third countries or international bodies that ensure an adequate level of data protection,

(c) advise the Commission and the Member States on any proposed amendment of this Framework Decision, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences and on any other proposed measures affecting such rights and freedoms.

2. If the Working Party finds that divergences likely to affect the equivalence of protection for persons with regard to the processing of personal data in the European Union are arising between the laws and practices of Member States it shall inform the Council and the Commission.

3. The Working Party may, on its own initiative or on the initiative of the Commission or the Council, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the European Union for the purpose of the prevention, investigation, detection and prosecution of criminal offences.

4. The Working Party’s opinions and recommendations shall be forwarded to the Council, to the Commission and to the European Parliament and to the committee referred to in Article 16.

5. The Commission shall, based on information provided by the Member States, inform the Working Party of the action taken in response to its opinions and recommendations. It shall do so in a report which shall also be forwarded to the European Parliament and the Council. The report shall be made public. Member States shall inform the Working Party of any action taken by them pursuant to Paragraph 1.

6. The Working Party shall draw up an annual report on the situation regarding the protection of natural persons with regard to the processing of personal data for the purpose of the prevention, investigation, detection and prosecution of criminal offences in the European Union and in third countries, which it shall transmit to the Commission, the European Parliament and the Council. The report shall be made public.

CHAPTER VIIIFinal provisions

Article 3 3 Amendment of the Schengen Convention

For the purposes of matters falling within the scope of the EU Treaty, this Framework Decision replaces Articles 126 to 130 of the Schengen Convention.

Article 3 4 Relation to other instruments concerning the processing and protection of personal data

1. This Framework Decision replaces Article 23 of the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union..

2. Any reference to the Convention No 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data shall be construed as a reference to this Framework Decision.

Article 3 5 Implementation

1. Member States shall take the necessary measures to comply with this Framework Decision on 31 December 2006.

2. By the same date Member States shall transmit to the General Secretariat of the Council and to the Commission the text of the provisions transposing into national law the obligations imposed on them under this Framework Decision, as well as information on the designation of the supervisory authority or authorities referred to in Article 29. On the basis of this information and a written report from the Commission, the Council shall before 31 December 2007 assess the extent to which Member States have taken the measures necessary to comply with this Framework Decision.

Article 3 6 Entry into force

This Framework Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Done at Brussels,

For the Council

The President

ANNEX

LEGISLATIVE FINANCIAL STATEMENT

Policy area(s): Justice and Home Affairs Activit(y/ies): 1806 – Establishing a genuine area of freedom, security and justice in criminal and civil matters |

TITLE OF ACTION: PROPOSAL FOR A COUNCIL FRAMEWORK DECISION ON THE PROTECTION ON PERSONAL DATA PROCESSED IN THE FRAMEWORK OF POLICE AND JUDICIAL COOPERATION |

1. BUDGET LINE(S) + HEADING(S)

NA

2. OVERALL FIGURES

2.1. Total allocation for action (Part B): € million for commitment

NA

2.2. Period of application:

starting 2006

2.3. Overall multiannual estimate of expenditure:

(a) Schedule of commitment appropriations/payment appropriations (financial intervention) (see point 6.1.1)

€ million ( to three decimal places)

[2006] | [2007] | [2008] | [2009] | [2010] | [2011] | Total |

Commitments |

Payments |

(b) Technical and administrative assistance and support expenditure (see point 6.1.2)

Commitments |

Payments |

Subtotal a+b |

Commitments |

Payments |

(c) Overall financial impact of human resources and other administrative expenditure (see points 7.2 and 7.3)

Commitments/ payments | 0.389 | 0.389 | 0.389 | 0.389 | 0.389 | 0.389 | 2,334 |

TOTAL a+b+c |

Commitments |

Payments |

2.4. Compatibility with financial programming and financial perspective

NA

2.5. Financial impact on revenue:

Proposal has no financial implications

3. BUDGET CHARACTERISTICS

Type of expenditure | New | EFTA contribution | Contributions form applicant countries | Heading in financial perspective |

Non-comp | Non-diff | NA | NA | NA | No NA |

4. LEGAL BASIS

Article 30, 31 and 34 (2)(b)TEU

5. DESCRIPTION AND GROUNDS

5.1. Need for Community intervention

5.1.1. Objectives pursued

The proposed framework decision shall provide for common standards regarding the protection of personal data processed by the competent authorities in the context of activities provided for by Title VI of the Treaty on European Union (police and judicial cooperation in criminal matters). Independent public supervisory authorities shall monitor the application of national provisions pursuant to this Framework Decision in the Member States. At EU level a Working Party on the Protection of Individuals with regard to the Processing of Personal Data for the purpose of the prevention, investigation, detection and prosecution of criminal offences, hereinafter referred to as 'the Working Party' shall be set up. The Working Party shall be composed of a representative of the supervisory authority or authorities designated by each Member State, of a representative of the European Data Protection Supervisor, and of a representative of the Commission. The Working Party shall examine any question covering the application of the national measures adopted under the Framework Decision in order to contribute to the uniform application of such measures. It shall give opinions on the level of data protection in the Member States and in third countries and it shall advise the Commission and the Member States on any proposed amendment of the Framework Decision as well as on any additional or specific measures to safeguard fundamental rights.

Furthermore, according to Article 16 of the Framework Decision a committee, composed of the representatives of the Member States and chaired by a representative of the Commission, shall assist the Commission in order to assess, where necessary, the level of data protection in a third country.

5.1.2. Measures taken in connection with ex ante evaluation

Representatives of the Governments and of the independent supervisory authorities of the Member States as well as of Iceland, Norway and Switzerland, the European Data Protection Supervisor, Europol and Eurojust were consulted. In particular, taking into account different views the Commission proposes to establish the Working Party described above. In order to estimate the possible cost caused by this measure, the Commission verified the cost (travel expenses, secretarial support for the preparation and organisation of meetings) currently incurred by the Working Party established according Article 29 of Directive 95/46/EC.

5.2. Action envisaged and budget intervention arrangements

The above mentioned working party will probably meet regularly, estimated five times a year. The committee referred to in Article 16 will meet if necessary and as often as necessary, possibly also five times a year. One participant per Member State and Schengen State (Iceland, Norway) will have to be reimbursed. Some orientation can be gained from the groups established according to Articles 29 and 31 of the Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

5.3. Methods of implementation

All meetings will have to be organised and hosted by the Commission. The Commission will have to provide secretarial services for the above mentioned working party and committee and to prepare/organise their meetings.

6. FINANCIAL IMPACT

6.1. Total financial impact on Part B - (over the entire programming period)

6.1.1. Financial intervention

NA

6.1.2. Technical and administrative assistance, support expenditure and IT expenditure (commitment appropriations)

NA

6.2. Calculation of costs by measure envisaged in Part B (over the entire programming period)

NA

7. IMPACT ON STAFF AND ADMINISTRATIVE EXPENDITURE

The impact on staff and administrative expenditure will be covered in the context of allocation of resources of the lead DG in the context of the annual allocation procedure.

The allocation of posts also depends on the attribution of functions and resources in the context of the financial perspectives 2007-2013.

7.1. Impact on human resources

Types of post | Staff to be assigned to management of the action using existing and/or additional resources | Total | Description of tasks deriving from the action |

Number of permanent posts | Number of temporary posts |

Officials or temporary staff | A B C | 0.25 A 0,50 B 1,00 C | 0,25A0,50B 1,00C | Providing secretarial support, preparing the meetings of the working party and the committee |

Other human resources |

Total |

7.2. Overall financial impact of human resources

Type of human resources | Amount (€) | Method of calculation * |

Officials Temporary staff | 1rst year: 189. 000 | 1 X 108 000 0.5 X 108 000 0,25 X 108.000 = 189 .000 |

Other human resources (specify budget line) |

Total | 189.000 |

The amounts are total expenditure for twelve months.

7.3. Other administrative expenditure deriving from the action

Budget line (number and heading) | Amount € | Method of calculation |

Overall allocation (Title A7) A0701 – Missions A07030 – Meetings A07031 – Compulsory committees A07032 – Non-compulsory committees A07040 – Conferences A0705 – Studies and consultations Other expenditure (specify) | 200.000 | 10 meetings* 27 * 740€ |

Information systems (A-5001/A-4300) |

Other expenditure - Part A (specify) |

Total | 200.000 |

The amounts are total expenditure for twelve months.

Specify the type of committee and the group to which it belongs.

I. Annual total (7.2 + 7.3) II. Duration of action III. Total cost of action (I x II) | €389.000 |

8. FOLLOW-UP AND EVALUATION

8.1. Follow-up arrangements

The working party and the committee will lay down their rules of procedure, including rules on confidentiality. The European Parliament will be informed in a manner analogous to that set out in Article 7 of Council Decision 99/468/EC of 28.6.1999 laying down the procedures for the exercise of implementing powers conferred on the Commission (OJ L 184, 17.7.1999, p. 23) .

8.2. Arrangements and schedule for the planned evaluation

NA

9. ANTI-FRAUD MEASURES

NA

XXX

[1] OJ C 53, 3.3.2005, p. 1

[2] OJ C 198, 12.8.2005, p. 1

[3] COM(2005) 184 final, Bru[4].8ALO[_`fg…†‡ˆ‰( * : ; X Y Œ · AB*

+

-

Z

q

æ

ç

ömùõêãØÐØÐØȽØêØêµêØõ±©õã¢ùšù?ù?ù‰zùrù?ùkù

hý6Ûh=J´hý6ÛhR_¡6?jhý6ÛhR_¡0JmU[pic]aJh˜

’jhý6ÛhR_¡0JmU[pic]hý6ÛhR_¡5?

h©8ŠhR_¡hùbþhùbþ5?hùbþ

ho€mHsHh±:øh¼£mHsH

h¼£mHsH

hO[pic]mHsHssels, 10.5.2005

[5] Council Working Document 11158/1/05 REV 1 JAI 255

[6] Council Working Document 8321/98JAI 15

[7] OJ C 19, 23.1.1999, p. 1

[8] Council Working Document 6316/2/01 REV 2 JAI 13

[9] 2514th Council Meeting, Justice and Home Affairs, Luxembourg, 5-6 June 2003, Council Document 9845/03 (Presse 150), p. 32

[10] Declaration and Position paper on law enforcement and information exchange in the EU, adopted by the Spring Conference of European Data Protection Authorities, Krakow, 25-26 April 2005

[11] No. 1 h of European Parliament recommendation to the European Council and the Council on the exchange of information and cooperation concerning terrorist offences (2005/2046(INI)), adopted on 7 June 2005

[12] OJ C 364, 18.12.2000, p. 1, 10

[13] OJ L 281, 23.11.1995, p. 31

[14] OJ L 239 , 22.9.2000, p. 19

[15] OJ C 316, 27.11.1995, p. 2

[16] OJ C 88, 30.3.1999, p. 1

[17] OJ L 63, 6.3.2002, p. 1

[18] OJ C 68, 19.3.2005, p. 1.

[19] OJ C 316, 27.11.1995, p. 34

[20] OJ C 197, 12.7.2000, p. 1, 15

[21] COM (2005) 230 final

[22] COM (2005) 236 final, COM (2005) 237 final

[23] COM (2005) 438 final, 21.9.2005

[24] …

[25] …

[26] OJ C 198, 12.8.2005, p. 1.

[27] OJ L 281, 23.11.1995, p. 31.

[28] OJ L 8, 12.1.2001, p. 1.

[29] OJ L 201, 31.7.2001, p. 37.

[30] OJ L 239, 22.9.2000, p. 19.

[31] OJ L 69, 16.3.2005, p. 67.

[32] OJ C 197, 12.7.2000, p. 3.

[33] OJ L 131, 1.6.2000, p. 43.

[34] OJ L 176, 10.7.1999, p. 31.

[35] OJ L 368, 15.12.2004, p. 26.