
Summaries of EU Legislation

Title and reference
Cooperation in criminal matters: protection of personal data



This framework decision provides for the protection of personal data that is processed in the framework of police and judicial cooperation in order to prevent, investigate, detect or prosecute a criminal offence or execute a criminal penalty.


Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.


This framework decision aims to protect the fundamental rights and freedoms of natural persons when their personal data are processed for the purposes of preventing, investigating, detecting or prosecuting a criminal offence or of executing a criminal penalty. It concerns personal data that are processed in part or entirely by automatic means, as well as personal data forming part of a filing system that are processed by non-automatic means.

Data processing

The competent authorities of Member States may collect personal data only for specified, explicit and legitimate purposes. The processing of these data is permitted only for the purposes for which they were collected. Processing for other purposes is allowed only under certain circumstances or when certain appropriate safeguards are in place.

In principle, personal data that reveal a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, or that concern his/her health or sex life, may not be processed. Their processing may be allowed only if it is absolutely necessary and if appropriate safeguards have been established.

Inaccurate personal data must be rectified and updated or completed if possible. Once the data are no longer needed for the purposes for which they were collected, they must be erased, made anonymous or, in certain cases, blocked. The need to store personal data must be reviewed regularly, with time limits set for their erasure.

The competent authorities of Member States must verify that the personal data to be transmitted or made available are accurate, up to date and complete. In order to be able to verify that the processing of data is lawful and to ensure the integrity and security of the data, their transmissions must be logged or documented.

Data transmission

Personal data received from another Member State are to be processed only for the purposes for which they were transmitted. In certain cases however, they may be processed for other purposes, for example for the prevention, investigation, detection or prosecution of other criminal offences, the execution of other criminal penalties or the prevention of threats to public security. The receiving Member State must respect any specific restrictions to the exchanges of data provided for in the law of the transmitting Member State.

Under certain circumstances, the receiving Member State may transfer personal data to third countries or to international bodies. To this end, the Member State that first made the data available must provide its consent. Only in urgent cases may data be transferred without prior consent. Personal data may also be transferred to private parties in Member States for exclusive purposes, provided that the competent authority of the Member State from which the data were received has given its consent.

Rights of data subjects

The data subject is to be kept informed of any collection or processing of personal data relating to him/her. However, when data have been transmitted from one Member State to another, the first may demand that the second does not divulge any information to the subject.

The data subject may request to receive a confirmation on whether data concerning him/her have been transmitted, who the recipients are, what data are being processed, as well as a confirmation that the necessary verifications of that data have been made. In certain cases, Member States may restrict the subject’s access to information. Any decision restricting access must be given in writing to the data subject, together with the factual and legal reasons thereof. The data subject must also be given advice on his/her right to appeal such a decision.

The data subject may demand that personal data relating to him/her be rectified, erased or blocked. Any refusal to that end must be given in writing, along with information on the right to lodge a complaint or seek a judicial remedy.

Any person may demand compensation for the damage s/he has suffered due to unlawful processing of personal data or any other act that is not compatible with this framework decision. If a data subject’s rights are breached, s/he has the right to a judicial remedy.

Safeguarding data processing

The competent authorities must take the necessary security measures to protect personal data against any unlawful form of processing. This includes accidental loss, alteration and unauthorised disclosure of, as well as access to, personal data. In particular, specific measures need to be taken with regard to the automated processing of data.

National supervisory authorities in Member States monitor and advise on the application of this framework decision. To that end, they are granted investigative powers, effective powers of intervention, as well as the power to pursue legal proceedings. For any infringements of the provisions of this framework decision, Member States must establish effective, proportionate and dissuasive penalties.



| | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Framework Decision 2008/977/JHA | | | OJ L 350 of 30.12.2008 |

Last updated: 29.05.2009