This document is an excerpt from the EUR-Lex website
Document 02016R0794-20220628
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
Consolidated text: Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
02016R0794 — EN — 28.06.2022 — 001.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
REGULATION (EU) 2016/794 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 May 2016 (OJ L 135 24.5.2016, p. 53) |
Amended by:
|
|
Official Journal |
||
No |
page |
date |
||
REGULATION (EU) 2022/991 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2022 |
L 169 |
1 |
27.6.2022 |
REGULATION (EU) 2016/794 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 11 May 2016
on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
CHAPTER I
GENERAL PROVISIONS, OBJECTIVES AND TASKS OF EUROPOL
Article 1
Establishment of the European Union Agency for Law Enforcement Cooperation
Article 2
Definitions
For the purposes of this Regulation:
‘the competent authorities of the Member States’ means all police authorities and other law enforcement services existing in the Member States which are responsible under national law for preventing and combating criminal offences. The competent authorities shall also comprise other public authorities existing in the Member States which are responsible under national law for preventing and combating criminal offences in respect of which Europol is competent;
‘strategic analysis’ means all methods and techniques by which information is collected, stored, processed and assessed with the aim of supporting and developing a criminal policy that contributes to the efficient and effective prevention of, and the fight against, crime;
‘operational analysis’ means all methods and techniques by which information is collected, stored, processed and assessed with the aim of supporting criminal investigations;
‘Union bodies’ means institutions, bodies, missions, offices and agencies set up by, or on the basis of, the TEU and the TFEU;
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
‘private parties’ means entities and bodies established under the law of a Member State or third country, in particular companies and firms, business associations, non-profit organisations and other legal persons that are not covered by point (e);
‘private persons’ means all natural persons;
▼M1 —————
‘recipient’ means a natural or legal person, public authority, agency or any other body to which data are disclosed, whether a third party or not;
▼M1 —————
‘administrative personal data’ means personal data processed by Europol other than operational personal data;
‘investigative data’ means data that a Member State, the European Public Prosecutor’s Office (‘the EPPO’) established by Council Regulation (EU) 2017/1939 ( 1 ), Eurojust or a third country is authorised to process in an ongoing criminal investigation related to one or more Member States, in accordance with procedural requirements and safeguards applicable under Union or national law, that a Member State, the EPPO, Eurojust or a third country submitted to Europol in support of such an ongoing criminal investigation and that contain personal data that do not relate to the categories of data subjects listed in Annex II;
‘terrorist content’ means terrorist content as defined in Article 2, point (7), of Regulation (EU) 2021/784 of the European Parliament and of the Council ( 2 );
‘online child sexual abuse material’ means online material constituting child pornography as defined in Article 2, point (c), of Directive 2011/93/EU of the European Parliament and of the Council ( 3 ) or pornographic performance as defined in Article 2, point (e), of that Directive;
‘online crisis situation’ means the dissemination of online content stemming from an ongoing or recent real world event which depicts harm to life or to physical integrity, or calls for imminent harm to life or to physical integrity, and aims to or has the effect of seriously intimidating a population, provided that there is a link, or a reasonable suspicion of a link, to terrorism or violent extremism and that the potential exponential multiplication and virality of that content across multiple online services are anticipated;
‘category of transfers of personal data’ means a group of transfers of personal data where the data relate to the same specific situation, and where the transfers consist of the same categories of personal data and the same categories of data subjects;
‘research and innovation projects’ means projects regarding matters covered by this Regulation for the development, training, testing and validation of algorithms for the development of specific tools, and other specific research and innovation projects relevant for the achievement of Europol’s objectives.
Article 3
Objectives
In addition to paragraph 1, Europol's objectives shall also cover related criminal offences. The following shall be considered to be related criminal offences:
criminal offences committed in order to procure the means of perpetrating acts in respect of which Europol is competent;
criminal offences committed in order to facilitate or perpetrate acts in respect of which Europol is competent;
criminal offences committed in order to ensure the impunity of those committing acts in respect of which Europol is competent.
Article 4
Tasks
Europol shall perform the following tasks in order to achieve the objectives set out in Article 3:
collect, store, process, analyse and exchange information, including criminal intelligence;
notify the Member States, via the national units established or designated pursuant to Article 7(2), without delay of any information and connections between criminal offences concerning them;
coordinate, organise and implement investigative and operational actions to support and strengthen actions by the competent authorities of the Member States, that are carried out:
jointly with the competent authorities of the Member States; or
in the context of joint investigation teams in accordance with Article 5 and, where appropriate, in liaison with Eurojust;
participate in joint investigation teams, as well as propose that they be set up in accordance with Article 5;
provide information and analytical support to Member States in connection with major international events;
prepare threat assessments, strategic and operational analyses and general situation reports;
develop, share and promote specialist knowledge of crime prevention methods, investigative procedures and technical and forensic methods, and provide advice to Member States;
support Member States' cross-border information exchange activities, operations and investigations, as well as joint investigation teams, including by providing operational, technical and financial support;
provide administrative and financial support to Member States’ special intervention units as referred to in Council Decision 2008/617/JHA ( 4 );
provide specialised training and assist Member States in organising training, including with the provision of financial support, within the scope of its objectives and in accordance with the staffing and budgetary resources at its disposal in coordination with the European Union Agency for Law Enforcement Training (CEPOL);
cooperate with the Union bodies established on the basis of Title V of the TFEU, with OLAF and the European Union Agency for Cybersecurity (ENISA) established by Regulation (EU) 2019/881 of the European Parliament and of the Council ( 5 ), in particular through the exchange of information and provision of analytical support in areas that fall within their respective competences;
provide information and support to EU crisis management structures and missions established on the basis of the TEU, within the scope of Europol's objectives as set out in Article 3;
develop Union centres of specialised expertise for combating certain types of crime falling within the scope of Europol's objectives, in particular the European Cybercrime Centre;
support Member States’ actions in preventing and combating forms of crime listed in Annex I which are facilitated, promoted or committed using the internet, including by:
assisting the competent authorities of the Member States, upon their request, in responding to cyberattacks of suspected criminal origin;
cooperating with competent authorities of the Member States with regard to removal orders, in accordance with Article 14 of Regulation (EU) 2021/784; and
making referrals of online content to the online service providers concerned for their voluntary consideration of the compatibility of that content with their own terms and conditions;
support Member States in identifying persons whose criminal activities fall within the forms of crime listed in Annex I and who constitute a high risk for security;
facilitate joint, coordinated and prioritised investigations regarding persons referred to in point (r);
support Member States in processing data provided by third countries or international organisations to Europol on persons involved in terrorism or in serious crime and propose the possible entry by the Member States, at their discretion and subject to their verification and analysis of those data, of information alerts on third-country nationals in the interest of the Union (‘information alerts’) in the Schengen Information System (SIS), in accordance with Regulation (EU) 2018/1862 of the European Parliament and the Council ( 6 );
support the implementation of the evaluation and monitoring mechanism to verify the application of the Schengen acquis under Regulation (EU) No 1053/2013, within the scope of Europol’s objectives, through the provision of expertise and analyses, where relevant;
proactively monitor research and innovation activities that are relevant for the achievement of Europol’s objectives and contribute to such activities by supporting related activities of Member States and by implementing its own research and innovation activities, including projects for the development, training, testing and validation of algorithms for the development of specific tools for the use by law enforcement authorities, and disseminate the results of the activities to the Member States in accordance with Article 67;
contribute to creating synergies between the research and innovation activities of Union bodies that are relevant for the achievement of Europol’s objectives, including through the EU Innovation Hub for Internal Security, and in close cooperation with Member States;
support, upon their request, Member States’ actions in addressing online crisis situations, in particular by providing private parties with the information necessary to identify relevant online content;
support Member States’ actions in addressing the online dissemination of online child sexual abuse material;
cooperate, in accordance with Article 12 of Directive (EU) 2019/1153 of the European Parliament and of the Council ( 7 ), with Financial Intelligence Units (FIUs) established pursuant to Directive (EU) 2015/849 of the European Parliament and of the Council ( 8 ), through the relevant Europol national unit or, if allowed by the relevant Member State, by direct contact with the FIUs, in particular through the exchange of information and the provision of analyses to Member States to support cross-border investigations into the money laundering activities of transnational criminal organisations and terrorist financing.
In order for a Member State to inform, within a period of 12 months after Europol has proposed the possible entry of an information alert referred to in the first subparagraph, point (t), other Member States and Europol on the outcome of the verification and analysis of the data and on whether an alert has been entered in SIS, a periodic reporting mechanism shall be put in place.
Member States shall inform Europol of any information alerts entered in SIS and of any hit on such information alerts, and may inform, through Europol, the third country or international organisation that provided the data leading to the entry of the information alert on hits on such information alert, in accordance with the procedure set out in Regulation (EU) 2018/1862.
Europol shall assist the Commission in drawing up and implementing the Union framework programmes for research and innovation activities that are relevant to achieve Europol’s objectives.
Where appropriate, Europol may disseminate the results of its research and innovation activities as part of its contribution to creating synergies between the research and innovation activities of relevant Union bodies in accordance with paragraph 1, first subparagraph, point (w).
Europol shall take all necessary measures to avoid conflicts of interest. Europol shall not receive funding from a given Union framework programme where it assists the Commission in identifying key research themes and in drawing up and implementing that programme.
When designing and conceptualising research and innovation activities regarding matters covered by this Regulation, Europol may, where appropriate, consult the Joint Research Centre of the Commission.
Europol staff may provide operational support to the competent authorities of the Member States during the execution of investigative measures, at their request and in accordance with their national law, in particular by facilitating cross-border information exchange, by providing forensic and technical support and by being present during the execution of those measures. Europol staff shall not, themselves, have the power to execute investigative measures.
CHAPTER II
COOPERATION BETWEEN MEMBER STATES AND EUROPOL
Article 5
Participation in joint investigation teams
Article 6
Request by Europol for the initiation of a criminal investigation
If the competent authorities of a Member State decide not to accede to a request made by Europol pursuant to paragraph 1, they shall inform Europol of the reasons for their decision without undue delay, preferably within one month of receipt of the request. However, the reasons may be withheld if providing them would:
be contrary to the essential interests of the security of the Member State concerned; or
jeopardise the success of an ongoing investigation or the safety of an individual.
Article 7
Europol national units
Each Member State shall, via its national unit or, subject to paragraph 5, a competent authority, in particular:
supply Europol with the information necessary for it to fulfil its objectives, including information relating to forms of crime the prevention or combating of which is considered a priority by the Union;
ensure effective communication and cooperation of all relevant competent authorities with Europol;
raise awareness of Europol's activities;
in accordance with point (a) of Article 38(5), ensure compliance with national law when supplying information to Europol.
Without prejudice to the discharge by Member States of their responsibilities with regard to the maintenance of law and order and the safeguarding of internal security, Member States shall not in any particular case be obliged to supply information in accordance with point (a) of paragraph 6 that would:
be contrary to the essential interests of the security of the Member State concerned;
jeopardise the success of an ongoing investigation or the safety of an individual; or
disclose information relating to organisations or specific intelligence activities in the field of national security.
However, Member States shall supply information as soon as it ceases to fall within the scope of points (a), (b) or (c) of the first subparagraph.
Article 8
Liaison officers
CHAPTER III
ORGANISATION OF EUROPOL
Article 9
Administrative and management structure of Europol
The administrative and management structure of Europol shall comprise:
a Management Board;
an Executive Director;
where appropriate, other advisory bodies established by the Management Board in accordance with point (s) of Article 11(1).
SECTION 1
Management Board
Article 10
Composition of the Management Board
The principle of a balanced gender representation on the Management Board shall also be taken into account.
Article 11
Functions of the Management Board
The Management Board shall:
adopt each year, by a majority of two-thirds of its members and in accordance with Article 12 of this Regulation, a single programming document as referred to in Article 32 of Commission Delegated Regulation (EU) 2019/715 ( 11 );
adopt, by a majority of two-thirds of its members, the annual budget of Europol and exercise other functions in respect of Europol's budget pursuant to Chapter X;
adopt a consolidated annual activity report on Europol's activities and, by 1 July of the following year, send it to the European Parliament, the Council, the Commission, the Court of Auditors and the national parliaments. The consolidated annual activity report shall be made public;
adopt the financial rules applicable to Europol in accordance with Article 61;
adopt an internal anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the measures to be implemented;
adopt rules for the prevention and management of conflicts of interest in respect of its members, including in relation to their declaration of interests;
in accordance with paragraph 2, exercise, with respect to the staff of Europol, the powers conferred by the Staff Regulations on the appointing authority and by the Conditions of Employment of Other Servants on the authority empowered to conclude a contract of employment of other servants (‘the appointing authority powers’);
adopt appropriate implementing rules giving effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110 of the Staff Regulations;
adopt internal rules regarding the procedure for the selection of the Executive Director, including rules on the composition of the selection committee which ensure its independence and impartiality;
propose to the Council a shortlist of candidates for the posts of Executive Director and Deputy Executive Directors and, where relevant, propose to the Council that their terms of office be extended or that they be removed from office in accordance with Articles 54 and 55;
establish performance indicators and oversee the Executive Director's performance, including the implementation of Management Board decisions;
appoint a Data Protection Officer, who shall be functionally independent in the performance of his or her duties;
appoint an accounting officer, who shall be subject to the Staff Regulations and the Conditions of Employment of Other Servants and functionally independent in the performance of his or her duties;
establish, where appropriate, an internal audit capability;
ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports and evaluations, as well as from investigations of OLAF and the EDPS;
define the evaluation criteria for the annual report in accordance with Article 7(11);
adopt guidelines further specifying the procedures for the processing of information by Europol in accordance with Article 18, after consulting the EDPS;
decide upon the conclusion of working and administrative arrangements in accordance with Article 23(4) and Article 25(1), respectively;
decide, taking into consideration both business and financial requirements, upon the establishment of Europol's internal structures, including Union centres of specialised expertise as referred to in point (l) of Article 4(1), upon a proposal of the Executive Director;
adopt its rules of procedure, including provisions concerning the tasks and the functioning of its secretariat;
adopt, where appropriate, other internal rules;
designate the Fundamental Rights Officer referred to in Article 41c;
specify the criteria on the basis of which Europol may issue the proposals for possible entry of information alerts in SIS.
Where exceptional circumstances so require, the Management Board may, by way of a decision, temporarily suspend the delegation of the appointing authority powers to the Executive Director and any subdelegation of such powers and exercise them itself or delegate those powers to one of its members or to a staff member other than the Executive Director.
Article 12
Multiannual programming and annual work programmes
Where the Management Board decides not to take into account the opinion of the Commission referred to in the first subparagraph, in whole or in part, Europol shall provide a thorough justification.
Where the Management Board decides not to take into account any of the matters raised by the JPSG in accordance with Article 51(2), point (c), Europol shall provide a thorough justification.
Once the single programming document has been adopted, the Management Board shall forward it to the Council, the Commission and the JPSG.
The multiannual programming shall be implemented by means of annual work programmes and shall, where appropriate, be updated following the outcome of external and internal evaluations. The conclusion of those evaluations shall also be reflected, where appropriate, in the annual work programme for the following year.
Article 13
Chairperson and Deputy Chairperson of the Management Board
Article 14
Meetings of the Management Board
Two representatives of the JPSG shall be invited to attend two ordinary meetings of the Management Board per year as non-voting observers to discuss the following matters of political interest:
the consolidated annual activity report referred to in Article 11(1), point (c), for the previous year;
the single programming document referred to in Article 12 for the following year and the annual budget;
JPSG written questions and answers;
external relations and partnership matters.
The Management Board, together with the representatives of the JPSG, may determine other matters of political interest to be discussed at the meetings referred to in the first subparagraph.
Article 15
Voting rules of the Management Board
SECTION 2
Executive Director
Article 16
Responsibilities of the Executive Director
The Executive Director shall be responsible for the implementation of the tasks assigned to Europol by this Regulation, in particular:
the day-to-day administration of Europol;
making proposals to the Management Board as regards the establishment of Europol's internal structures;
implementing decisions adopted by the Management Board;
preparing the draft single programming document referred to in Article 12 and submitting it to the Management Board, after having consulted the Commission and the JPSG;
implementing the multiannual programming and the annual work programmes and reporting to the Management Board on their implementation;
preparing appropriate draft implementing rules to give effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110 of the Staff Regulations;
preparing the draft consolidated annual report on Europol's activities and presenting it to the Management Board for adoption;
preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as investigation reports and recommendations from investigations by OLAF and the EDPS, and reporting on progress twice a year to the Commission and regularly to the Management Board;
protecting the financial interests of the Union by applying measures to prevent fraud, corruption and any other illegal activity and, without prejudice to the investigative competence of OLAF, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;
preparing a draft internal anti-fraud strategy for Europol and presenting it to the Management Board for adoption;
preparing draft internal rules for the prevention and management of conflicts of interest in respect of the members of the Management Board and presenting those draft rules to the Management Board for adoption;
preparing draft financial rules applicable to Europol;
preparing Europol's draft statement of estimates of revenue and expenditure and implementing its budget;
supporting the Chairperson of the Management Board in preparing Management Board meetings;
informing the Management Board on a regular basis regarding the implementation of Union strategic and operational priorities for fighting crime;
informing the Management Board of the memoranda of understanding signed with private parties;
performing other tasks pursuant to this Regulation.
CHAPTER IV
PROCESSING OF INFORMATION
Article 17
Sources of information
Europol shall only process information that has been provided to it:
by Member States in accordance with their national law and Article 7;
by Union bodies, third countries and international organisations in accordance with Chapter V;
by private parties and private persons in accordance with Chapter V.
Article 18
Purposes of information processing activities
Personal data may be processed only for the purposes of:
cross-checking aimed at identifying connections or other relevant links between information related to:
persons who are suspected of having committed or taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence;
persons regarding whom there are factual indications or reasonable grounds to believe that they will commit criminal offences in respect of which Europol is competent;
analyses of a strategic or thematic nature;
operational analyses;
facilitating the exchange of information between Member States, Europol, other Union bodies, third countries, international organisations and private parties;
research and innovation projects;
supporting Member States, upon their request, in informing the public about suspects or convicted individuals who are wanted on the basis of a national judicial decision relating to a crime that falls within Europol’s objectives, and facilitating the provision by the public of information on those individuals to the Member States and Europol.
Processing for the purpose of operational analyses as referred to in point (c) of paragraph 2 shall be performed by means of operational analysis projects, in respect of which the following specific safeguards shall apply:
for every operational analysis project, the Executive Director shall define the specific purpose, categories of personal data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use of the data concerned, and shall inform the Management Board and the EDPS thereof;
personal data may only be collected and processed for the purpose of the specified operational analysis project. Where it becomes apparent that personal data may be relevant for another operational analysis project, further processing of that personal data shall only be permitted insofar as such further processing is necessary and proportionate and the personal data are compatible with the provisions set out in point (a) that apply to the other analysis project;
only authorised staff may access and process the data of the relevant project.
Europol shall process personal data pursuant to the first subparagraph for a period of up to 18 months from the moment Europol ascertains that those data fall within its objectives or, in justified cases, for a longer period where necessary for the purpose of this Article. Europol shall inform the EDPS of any extension of the processing period. The maximum period of data processing pursuant to the first subparagraph shall be three years. Such personal data shall be kept functionally separate from other data.
Where Europol concludes that personal data referred to in the first subparagraph of this paragraph are not in compliance with paragraph 5, Europol shall delete those data and inform, where relevant, the provider of those deleted data accordingly.
Article 18a
Processing of personal data in support of a criminal investigation
Where necessary for the support of an ongoing specific criminal investigation within the scope of Europol’s objectives, Europol may process personal data that do not relate to the categories of data subjects listed in Annex II where:
a Member State, the EPPO or Eurojust provides investigative data to Europol pursuant to Article 17(1), points (a) or (b), and requests Europol to support that investigation:
by way of operational analysis pursuant to Article 18(2), point (c); or
in exceptional and duly justified cases, by way of cross-checking pursuant to Article 18(2), point (a);
Europol assesses that it is not possible to carry out the operational analysis pursuant to Article 18(2), point (c), or the cross-checking pursuant to Article 18(2), point (a), in support of that investigation without processing personal data that do not comply with Article 18(5).
The results of the assessment referred to in the first subparagraph, point (b), shall be recorded and sent to the EDPS for information when Europol ceases to support the investigation referred to in the first subparagraph.
Where the EPPO or Eurojust provides investigative data to Europol and it is no longer authorised to process the data in the ongoing specific criminal investigation referred to in paragraph 1 in accordance with procedural requirements and safeguards applicable under Union and national law, it shall inform Europol.
The providers of investigative data referred to in paragraph 1, first subparagraph, point (a), or, with their agreement, a Member State in which judicial proceedings concerning a related criminal investigation are ongoing, may request Europol to store the investigative data and the outcome of its operational analysis of those data beyond the processing period set out in paragraph 3 for the purpose of ensuring the veracity, reliability and traceability of the criminal intelligence process, and only for as long as judicial proceedings concerning a related criminal investigation are ongoing in that other Member State.
The Management Board, acting on a proposal from the Executive Director and after consulting the EDPS, shall specify the conditions relating to the provision and processing of personal data in accordance with paragraphs 3 and 4.
Where a third country provides investigative data to Europol in accordance with the first subparagraph, the Data Protection Officer may, where appropriate, notify the EDPS thereof.
Europol shall verify that the amount of personal data referred to in the first subparagraph is not manifestly disproportionate in relation to the specific criminal investigation in the Member State concerned. Where Europol concludes that there is an indication that such data are manifestly disproportionate or were collected in obvious violation of fundamental rights, Europol shall not process the data and delete them.
Personal data processed pursuant to this paragraph shall be accessed by Europol only where necessary for the support of the specific criminal investigation for which they were provided. Those personal data shall be shared only within the Union.
Article 19
Determination of the purpose of, and restrictions on, the processing of information by Europol
Where a provider of information referred to in the first subparagraph has not complied with that subparagraph, Europol, in agreement with the provider of the information concerned, shall process the information in order to determine the relevance of such information as well as the purpose or purposes for which it is to be further processed.
Europol shall process information for a purpose different from that for which information has been provided only if authorised to do so by the provider of the information.
Information provided for the purposes referred to in Article 18(2), points (a) to (d), may also be processed by Europol for the purpose of Article 18(2), point (e), in accordance with Article 33a.
Article 20
Access by Member States and Europol's staff to information stored by Europol
In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the provider of the information to Europol.
In accordance with national law, the information referred to in paragraphs 1, 2 and 2a shall be accessed and further processed by Member States only for the purpose of preventing, detecting, investigating and prosecuting:
forms of crime in respect of which Europol is competent; and
other forms of serious crime, as set out in Council Framework Decision 2002/584/JHA ( 13 ).
Article 20a
Relations with the European Public Prosecutor’s Office
In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the provider of the information referred to in Article 19(1), and only to the extent that the data generating the hit are relevant for the request submitted pursuant to paragraph 2 of this Article.
Where Europol reports to the EPPO under the first subparagraph, it shall notify the Member States concerned without delay.
Where information concerning criminal conduct in respect of which the EPPO could exercise its competence has been provided to Europol by a Member State that indicated restrictions on the use of that information pursuant to Article 19(2) of this Regulation, Europol shall notify the EPPO of the existence of those restrictions and refer the matter to the Member State concerned. The Member State concerned shall engage directly with the EPPO in order to comply with Article 24(1) and (4) of Regulation (EU) 2017/1939.
Article 21
Access by Eurojust and OLAF to information stored by Europol
In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the provider of the information to Europol, and only to the extent that the data generating the hit are necessary for the performance of Eurojust's or OLAF's tasks.
Where Europol provides OLAF with information under the first subparagraph, it shall notify the Member States concerned without delay.
Article 22
Duty to notify Member States
In such a case, the information shall not be shared without an explicit authorisation by the provider.
In such a case, Europol shall at the same time notify the provider of the information about the sharing of the information and justify its analysis of the situation.
CHAPTER V
RELATIONS WITH PARTNERS
SECTION 1
Common provisions
Article 23
Common provisions
SECTION 2
Article 24
Transmission of personal data to Union bodies
The requesting Union body shall ensure that the necessity of the transmission of the personal data can be verified.
Article 25
Transfer of personal data to third countries and international organisations
Subject to any restrictions indicated pursuant to Article 19(2) or (3) and without prejudice to Article 67, Europol may transfer personal data to competent authorities of a third country or to an international organisation, provided that such transfer is necessary for the performance of Europol’s tasks, on the basis of one of the following:
a decision of the Commission adopted in accordance with Article 36 of Directive (EU) 2016/680, finding that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection (‘adequacy decision’);
an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals;
a cooperation agreement allowing for the exchange of personal data concluded, before 1 May 2017, between Europol and that third country or international organisation in accordance with Article 23 of Decision 2009/371/JHA.
Europol may conclude administrative arrangements to implement such agreements or adequacy decisions.
▼M1 —————
In the absence of an adequacy decision, the Management Board may authorise Europol to transfer personal data to a competent authority of a third country or to an international organisation where:
appropriate safeguards with regard to the protection of personal data are provided for in a legally binding instrument; or
Europol has assessed all the circumstances surrounding the transfer of personal data and has concluded that appropriate safeguards exist with regard to the protection of personal data.
►M1 By way of derogation from paragraph 1, the Executive Director may, in duly justified cases, authorise the transfer or a category of transfers of personal data to a competent authority of a third country or to an international organisation on a case-by-case basis if the transfer, or the category of transfers is: ◄
necessary in order to protect the vital interests of the data subject or of another person;
necessary to safeguard legitimate interests of the data subject;
essential for the prevention of an immediate and serious threat to the public security of a Member State or a third country;
necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions; or
necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal sanction.
Personal data shall not be transferred if the Executive Director determines that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer referred to in points (d) and (e).
Derogations may not be applicable to systematic, massive or structural transfers.
Article 26
Exchanges of personal data with private parties
Insofar as is necessary in order for Europol to perform its tasks, Europol may process personal data obtained from private parties on condition that they are received via:
a national unit in accordance with national law;
the contact point of a third country or an international organisation with which Europol has concluded, before 1 May 2017, a cooperation agreement allowing for the exchange of personal data in accordance with Article 23 of Decision 2009/371/JHA; or
an authority of a third country or an international organisation as referred to in Article 25(1), point (a), (b) or (c), or in Article 25(4a).
Criteria as to whether the national unit of the Member State of establishment of the relevant private party constitutes a national unit concerned shall be set out in the guidelines referred to in Article 18(7).
Without prejudice to the first subparagraph of this paragraph, Europol may transfer the results referred to in the first subparagraph of this paragraph to the third country concerned pursuant to Article 25(5) or (6).
Europol shall not transmit or transfer personal data to private parties, except in the following cases and provided that such transmission or transfer is strictly necessary and proportionate, to be determined on a case by case basis:
the transmission or transfer is undoubtedly in the interests of the data subject;
the transmission or transfer is strictly necessary in the interests of preventing the imminent perpetration of a crime, including terrorism, that falls within Europol’s objectives;
the transmission or transfer of personal data that are publicly available is strictly necessary for the performance of the task referred to in Article 4(1), point (m), and the following conditions are met:
the transmission or transfer concerns an individual and specific case;
the fundamental rights and freedoms of the data subjects concerned do not override the public interest that requires those personal data be transmitted or transferred in the case concerned; or
the transmission or transfer is strictly necessary for Europol to notify that private party that the information received is insufficient to enable Europol to identify the national units concerned, and the following conditions are met:
the transmission or transfer follows a receipt of personal data directly from a private party in accordance with paragraph 2;
the missing information, which Europol may refer to in its notification, has a clear link with the information previously shared by that private party;
the missing information, which Europol may refer to in its notification, is strictly limited to what is necessary for Europol to identify the national units concerned.
The transmission or transfer referred to in the first subparagraph of this paragraph is subject to any restrictions indicated pursuant to Article 19(2) or (3) and is without prejudice to Article 67.
With regard to paragraph 5, points (a), (b) and (d), of this Article, if the private party concerned is not established within the Union or in a third country as referred to in Article 25(1), point (a), (b) or (c), or in Article 25(4a), the transfer shall only be authorised by the Executive Director if the transfer is:
necessary in order to protect the vital interests of the data subject concerned or of another person;
necessary in order to safeguard legitimate interests of the data subject concerned;
essential for the prevention of an immediate and serious threat to public security of a Member State or a third country;
necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of a specific crime that falls within Europol’s objectives; or
necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence that falls within Europol’s objectives.
Personal data shall not be transferred if the Executive Director determines that the fundamental rights and freedoms of the data subject concerned override the public interest that requires the transfer referred to in the first subparagraph, points (d) and (e), of this paragraph.
Notwithstanding the jurisdiction of Member States over a specific crime, Member States shall ensure that their competent authorities can process the requests referred to in the first subparagraph in accordance with their national law for the purpose of supplying Europol with the information necessary for it to identify the national units concerned.
Where Member States use Europol’s infrastructure for the exchange of personal data on crimes that fall within Europol’s objectives, they may grant Europol access to such data.
Where Member States use Europol’s infrastructure for the exchange of personal data on crimes that do not fall within Europol’s objectives, Europol shall not have access to those data and shall be considered to be a processor in accordance with Article 87 of Regulation (EU) 2018/1725.
Europol shall assess the security risks posed by allowing the use of its infrastructure by private parties and, where necessary, implement appropriate preventive and mitigating measures.
▼M1 —————
The annual report shall include specific examples demonstrating why Europol’s requests in accordance with paragraph 6b of this Article were necessary to achieve its objectives and carry out its tasks.
The annual report shall take into account the obligations of discretion and confidentiality and the examples shall be anonymised insofar as personal data are concerned.
The annual report shall be sent to the European Parliament, the Council, the Commission and national parliaments.
Article 26a
Exchange of personal data with private parties in online crisis situations
Europol may transfer the results of its analysis and verification of the data referred to in paragraph 1 of this Article to the third country concerned pursuant to Article 25(5) or (6).
Notwithstanding the jurisdiction of Member States with regard to the dissemination of the content in relation to which Europol requests the personal data, Member States shall ensure that their competent authorities can process the requests referred to in the first subparagraph in accordance with their national law for the purpose of supplying Europol with the information necessary for it to achieve its objectives.
Article 26b
Exchange of personal data with private parties to address the online dissemination of online child sexual abuse material
Europol may transfer the results of its analysis and verification of the data referred to in the first subparagraph of this paragraph to the third country concerned pursuant to Article 25(5) or (6).
Notwithstanding the jurisdiction of Member States with regard to the dissemination of the content in relation to which Europol requests the personal data, Member States shall ensure that the competent authorities of the Member States can process the requests referred to in the first subparagraph in accordance with their national law for the purpose of supplying Europol with the information necessary for it to achieve its objectives.
Article 27
Information from private persons
Personal data originating from private persons shall only be processed by Europol provided that they are received via:
a national unit in accordance with national law;
the contact point of a third country or an international organisation pursuant to Article 25(1), point (c); or
an authority of a third country or an international organisation as referred to in Article 25(1), point (a) or (b), or in Article 25(4a).
CHAPTER VI
DATA PROTECTION
Article 27a
Processing of personal data by Europol
Regulation (EU) 2018/1725, with the exception of Chapter IX, shall apply to the processing of administrative personal data by Europol.
▼M1 —————
Article 29
Assessment of reliability of the source and accuracy of information
The reliability of the source of information originating from a Member State shall be assessed as far as possible by the providing Member State using the following source evaluation codes:
The accuracy of information originating from a Member State shall be assessed as far as possible by the providing Member State using the following information evaluation codes:
Article 30
Processing of special categories of personal data and of different categories of data subjects
Notwithstanding the first subparagraph, where it is necessary to grant staff of the competent authorities of the Member States or Union agencies established on the basis of Title V of the TFEU direct access to personal data for the performance of their tasks, in the cases provided for in Article 20(1) and (2a) of this Regulation or for research and innovation projects in accordance with Article 33a(2), point (d), of this Regulation, the Executive Director shall duly authorise a limited number of such staff to have such access.
▼M1 —————
Article 31
Time-limits for the storage and erasure of personal data
Personal data shall not be erased if:
this would damage the interests of a data subject who requires protection. In such cases, the data shall be used only with the express and written consent of the data subject;
their accuracy is contested by the data subject, for a period enabling Member States or Europol, where appropriate, to verify the accuracy of the data;
they have to be maintained for purposes of proof or for the establishment, exercise or defence of legal claims; or
the data subject opposes their erasure and requests the restriction of their use instead.
Article 32
Security of processing
Mechanisms to ensure that security measures are addressed across information system boundaries shall be established by Europol in accordance with Article 91 of Regulation (EU) 2018/1725 and by the Member States in accordance with Article 29 of Directive (EU) 2016/680.
▼M1 —————
Article 33a
Processing of personal data for research and innovation
Europol may process personal data for the purpose of its research and innovation projects, provided that the processing of those personal data:
is strictly required and duly justified to achieve the objectives of the project concerned;
as regards special categories of personal data, is strictly necessary and subject to appropriate safeguards, which may include pseudonymisation.
The processing of personal data by Europol in the context of research and innovation projects shall be guided by the principles of transparency, explainability, fairness, and accountability.
Without prejudice to paragraph 1, for the processing of personal data performed in the context of Europol’s research and innovation projects, the following safeguards shall apply:
any research and innovation project requires the prior authorisation by the Executive Director, in consultation with the Data Protection Officer and the Fundamental Rights Officer, based on:
a description of the objectives of the project and an explanation of how the project assists Europol or competent authorities of the Member States in their tasks;
a description of the envisaged processing activity, setting out the objectives, scope and duration of the processing and the necessity and proportionality to process the personal data, such as for exploring and testing innovative technological solutions and ensuring accuracy of the project results;
a description of the categories of personal data to be processed;
an assessment of the compliance with the data protection principles laid down in Article 71 of Regulation (EU) 2018/1725, of the time limits for the storage and conditions for access to the personal data; and
a data protection impact assessment, including the risks to rights and freedoms of data subjects, the risk of any bias in the personal data to be used for the training of algorithms and in the outcome of the processing, and the measures envisaged to address those risks as well as to avoid violations of fundamental rights;
the EDPS shall be informed prior to the launch of the project;
the Management Board shall be consulted or informed prior to the launch of the project, in accordance with the guidelines referred to in Article 18(7);
any personal data to be processed in the context of the project shall:
be temporarily copied to a separate, isolated and protected data processing environment within Europol for the sole purpose of carrying out that project;
be accessed only by specifically authorised staff of Europol in accordance with Article 30(3) of this Regulation and, subject to technical security measures, by specifically authorised staff of the competent authorities of the Member States and Union agencies established on the basis of Title V of the TFEU;
not be transmitted or transferred;
not lead to measures or decisions affecting the data subjects as a result of their processing;
be erased once the project is concluded or the time limit for the storage of personal data has expired in accordance with Article 31;
the logs of the processing of personal data in the context of the project shall be kept until two years after the conclusion of the project, solely for the purpose of and only as long as necessary for verifying the accuracy of the outcome of the data processing.
Europol shall not process data for research and innovation projects without the consent of the provider of the data. Such consent may be withdrawn at any time.
Article 34
Notification of a personal data breach to the authorities concerned
The notification referred to in paragraph 1 shall, as a minimum:
describe the nature of the personal data breach including, where possible and appropriate, the categories and number of data subjects concerned and the categories and number of data records concerned;
describe the likely consequences of the personal data breach;
describe the measures proposed or taken by Europol to address the personal data breach; and
where appropriate, recommend measures to mitigate the possible adverse effects of the personal data breach.
▼M1 —————
Article 35
Communication of a personal data breach to the data subject
▼M1 —————
▼M1 —————
Article 36
Right of access for the data subject
▼M1 —————
▼M1 —————
Article 37
Right to rectification, erasure and restriction
▼M1 —————
Restricted data shall be processed only for the purpose of protecting the rights of the data subject, where it is necessary to protect the vital interests of the data subject or of another person, or for the purposes laid down in Article 82(3) of Regulation (EU) 2018/1725.
▼M1 —————
Article 38
Responsibility in data protection matters
The responsibility for the accuracy of personal data as referred to in Article 71(1), point (d), of Regulation (EU) 2018/1725 shall lie with:
the Member State or the Union body which provided the personal data to Europol;
Europol in respect of personal data provided by third countries or international organisations or directly provided by private parties; of personal data retrieved by Europol from publicly available sources or resulting from Europol's own analyses; and of personal data stored by Europol in accordance with Article 31(5).
The responsibility for the legality of a data transfer shall lie with:
the Member State which provided the personal data to Europol;
Europol in the case of personal data provided by it to Member States, third countries or international organisations.
Without prejudice to the first subparagraph, where the data are transferred by Europol following a request from the recipient, both Europol and the recipient shall be responsible for the legality of such a transfer.
Article 39
Prior consultation
Written advice of the EDPS pursuant to Article 90(4) of Regulation (EU) 2018/1725 shall be taken into account retrospectively, and the way the processing is carried out shall be adjusted accordingly.
The Data Protection Officer shall be involved in assessing the urgency of such processing operations before the period provided for in Article 90(4) of Regulation (EU) 2018/1725 expires and shall oversee the processing in question.
Article 39a
Records of categories of processing activities
Europol shall maintain a record of all categories of processing activities under its responsibility. That record shall contain the following information:
Europol’s contact details and the name and the contact details of the Data Protection Officer;
the purposes of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
where applicable, transfers of personal data to a third country, an international organisation or private party, including the identification of that recipient;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures referred to in Article 91 of Regulation (EU) 2018/1725;
where applicable, the use of profiling.
Article 40
Logging
Article 41
Designation of the Data Protection Officer
Article 41a
Position of the Data Protection Officer
In order to support the Data Protection Officer in carrying out his or her tasks, a member of staff of Europol may be designated as assistant Data Protection Officer.
The Data Protection Officer shall report directly to the Management Board.
No one shall suffer prejudice on account of a matter brought to the attention of the Data Protection Officer alleging that a breach of this Regulation or Regulation (EU) 2018/1725 has taken place.
Article 41b
Tasks of the Data Protection Officer
The Data Protection Officer shall, in particular, have the following tasks with regard to processing of personal data:
ensuring in an independent manner the compliance of Europol with the data protection provisions of this Regulation and Regulation (EU) 2018/1725 and with the relevant data protection provisions in Europol’s internal rules, including monitoring compliance with this Regulation, with Regulation (EU) 2018/1725, with other Union or national data protection provisions and with the policies of Europol in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits;
informing and advising Europol and staff who process personal data of their obligations pursuant to this Regulation, to Regulation (EU) 2018/1725 and to other Union or national data protection provisions;
providing advice where requested as regards the data protection impact assessment pursuant to Article 89 of Regulation (EU) 2018/1725 and monitoring the performance of the data protection impact assessment;
keeping a register of personal data breaches and providing advice where requested as regards the necessity of a notification or communication of a personal data breach pursuant to Articles 92 and 93 of Regulation (EU) 2018/1725;
ensuring that a record of the transmission, transfer and receipt of personal data is kept in accordance with this Regulation;
ensuring that, at their request, data subjects are informed of their rights under this Regulation and Regulation (EU) 2018/1725;
cooperating with Europol staff responsible for procedures, training and advice on data processing;
responding to requests from the EDPS, within the sphere of his or her competence, cooperating and consulting with the EDPS, at the latter’s request or on his or her own initiative;
cooperating with the competent authorities of the Member States, in particular with the Data Protection Officers of the competent authorities of the Members States and national supervisory authorities regarding data protection matters in the law enforcement area;
acting as the contact point for the EDPS on issues relating to processing, including the prior consultation under Articles 40 and 90 of Regulation (EU) 2018/1725, and consulting, where appropriate, with regard to any other matter within the sphere of his or her competence;
preparing an annual report and communicating that report to the Management Board and to the EDPS;
ensuring that the rights and freedoms of data subjects are not adversely affected by processing operations.
The Data Protection Officer may, on his or her own initiative or at the request of the Management Board or any individual, investigate matters and occurrences directly relating to his or her tasks which come to his or her notice, and report back to the person who requested the investigation or to the Management Board the results of that investigation.
If the Executive Director does not resolve the non-compliance of the processing within the specified period, the Data Protection Officer shall inform the Management Board. The Management Board shall reply within a specified time limit agreed with the Data Protection Officer. If the Management Board does not resolve the non-compliance within the specified period, the Data Protection Officer shall refer the matter to the EDPS.
Article 41c
Fundamental Rights Officer
The Fundamental Rights Officer shall perform the following tasks:
advise Europol where he or she deems it necessary or where requested on any activity of Europol without impeding or delaying those activities;
monitor Europol’s compliance with fundamental rights;
provide non-binding opinions on working arrangements;
inform the Executive Director about possible violations of fundamental rights in the course of Europol’s activities;
promote Europol’s respect of fundamental rights in the performance of its tasks and activities;
any other tasks where provided for by this Regulation.
Article 41d
Fundamental Rights Training
All Europol staff involved in operational tasks involving personal data processing shall receive mandatory training on the protection of fundamental rights and freedoms, including with regard to the processing of personal data. That training shall be developed in cooperation with the European Union Agency for Fundamental Rights (FRA), established by Council Regulation (EC) No 168/2007 ( 14 ), and the European Union Agency for Law Enforcement Training (CEPOL), established by Regulation (EU) 2015/2219 of the European Parliament and of the Council ( 15 ).
Article 42
Supervision by the national supervisory authority
Article 43
Supervision by the EDPS
The EDPS shall have the following duties:
hearing and investigating complaints, and informing the data subject of the outcome within a reasonable period;
conducting inquiries either on his or her own initiative or on the basis of a complaint, and informing the data subject of the outcome within a reasonable period;
monitoring and ensuring the application of this Regulation and any other Union act relating to the protection of natural persons with regard to the processing of personal data by Europol;
advising Europol, either on his or her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular before it draws up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal data;
keeping a register of new types of processing operations notified to him or her by virtue of Article 39(1) and registered in accordance with Article 39(4);
carrying out a prior consultation on processing notified to him or her.
The EDPS may pursuant to this Regulation:
give advice to data subjects on the exercise of their rights;
refer a matter to Europol in the event of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;
order that requests to exercise certain rights in relation to data be complied with where such requests have been refused in breach of Articles 36 and 37;
warn or admonish Europol;
order Europol to carry out the rectification, restriction, erasure or destruction of personal data which have been processed in breach of the provisions governing the processing of personal data and to notify such actions to third parties to whom such data have been disclosed;
impose a temporary or definitive ban on processing operations by Europol which are in breach of the provisions governing the processing of personal data;
refer a matter to Europol and, if necessary, to the European Parliament, the Council and the Commission;
refer a matter to the Court of Justice of the European Union under the conditions provided for in the TFEU;
intervene in actions brought before the Court of Justice of the European Union;
order the controller or processor to bring processing operations into compliance with this Regulation, where appropriate, in a specified manner and within a specified period;
order the suspension of data flows to a recipient in a Member State, a third country or to an international organisation;
impose an administrative fine in the case of non-compliance by Europol with one of the measures referred to in points (c), (e), (f), (j) and (k) of this paragraph, depending on the circumstances of each individual case.
The EDPS shall have the power to:
obtain from Europol access to all personal data and to all information necessary for his or her enquiries;
obtain access to any premises in which Europol carries on its activities when there are reasonable grounds for presuming that an activity covered by this Regulation is being carried out there.
The EDPS shall invite the national supervisory authorities to submit observations on that part of the annual report before the annual report is adopted. The EDPS shall take utmost account of those observations and shall refer to them in the annual report.
The part of the annual report referred to in the second subparagraph shall include statistical information regarding complaints, inquiries, and investigations, as well as regarding transfers of personal data to third countries and international organisations, cases of prior consultation of the EDPS, and the use of the powers laid down in paragraph 3 of this Article.
Article 44
Cooperation between the EDPS and national supervisory authorities
In carrying out joint inspections together with the EDPS, members and staff of national supervisory authorities shall, taking due account of the principles of subsidiarity and proportionality, have powers equivalent to those laid down in Article 43(4) of this Regulation and be bound by an obligation equivalent to that laid down in Article 43(6) of this Regulation.
▼M1 —————
CHAPTER VII
REMEDIES AND LIABILITY
Article 47
Right to lodge a complaint with the EDPS
Article 48
Right to a judicial remedy against the EDPS
Any action against a decision of the EDPS shall be brought before the Court of Justice of the European Union.
Article 49
General provisions on liability and the right to compensation
Article 50
Right to compensation
CHAPTER VIII
JOINT PARLIAMENTARY SCRUTINY
Article 51
Joint Parliamentary scrutiny
For the purposes of the first subparagraph:
the Chairperson of the Management Board, the Executive Director or their Deputies shall appear before the JPSG at its request to discuss matters relating to the activities referred to in the first subparagraph, including the budgetary aspects of such activities, the structural organisation of Europol and the potential establishment of new units and specialised centres, taking into account the obligations of discretion and confidentiality. The JPSG may decide to invite to its meetings other relevant persons, where appropriate;
the EDPS shall appear before the JPSG at its request, and at least once a year, to discuss general matters relating to the protection of fundamental rights and freedoms of natural persons, and in particular the protection of personal data, with regard to Europol's activities, taking into account the obligations of discretion and confidentiality;
the JPSG shall be consulted in relation to the multiannual programming of Europol in accordance with Article 12(1).
Europol shall transmit the following documents, for information purposes, to the JPSG, taking into account the obligations of discretion and confidentiality:
threat assessments, strategic analyses and general situation reports relating to Europol's objective as well as the results of studies and evaluations commissioned by Europol;
the administrative arrangements concluded pursuant to Article 25(1);
the document containing the multiannual programming and the annual work programme of Europol, referred to in Article 12(1);
the consolidated annual activity report on Europol’s activities, referred to in Article 11(1), point (c), including relevant information on Europol’s activities and results obtained in processing large data sets, without disclosing any operational details and without prejudice to any ongoing investigations;
the evaluation report drawn up by the Commission, referred to in Article 68(1);
annual information pursuant to Article 26(11) on the personal data exchanged with private parties pursuant to Articles 26, 26a and 26b, including an assessment of the effectiveness of cooperation, specific examples of cases demonstrating why those requests were necessary and proportionate for the purpose of enabling Europol to achieve its objectives and carry out its tasks, and, as regards personal data exchanges pursuant to Article 26b, the number of children identified as a result of those exchanges to the extent that this information is available to Europol;
annual information about the number of cases where it was necessary for Europol to process personal data that do not relate to the categories of data subjects listed in Annex II in order to support Member States in an ongoing specific criminal investigation in accordance with Article 18a, alongside information on the duration and outcomes of the processing, including examples of such cases demonstrating why that data processing was necessary and proportionate;
annual information about transfers of personal data to third countries and international organisations pursuant to Article 25(1) or Article 25(4a) broken down per legal basis, and on the number of cases in which the Executive Director authorised, pursuant to Article 25(5), the transfer or categories of transfers of personal data related to an ongoing specific criminal investigation to third countries or international organisations, including information on the countries concerned and the duration of the authorisation;
annual information about the number of cases in which Europol proposed the possible entry of information alerts in accordance with Article 4(1), point (t), including specific examples of cases demonstrating why the entry of those alerts was proposed;
annual information about the number of research and innovation projects undertaken, including information on the purposes of those projects, the categories of personal data processed, the additional safeguards used, including data minimisation, the law enforcement needs those projects seek to address and the outcome of those projects;
annual information about the number of cases in which Europol made use of temporary processing in accordance with Article 18(6a) and, where applicable, the number of cases in which the processing period has been extended;
annual information on the number and types of cases where special categories of personal data were processed, pursuant to Article 30(2).
The examples referred to in points (f) and (i) shall be anonymised insofar as personal data are concerned.
The examples referred to in point (g) shall be anonymised insofar as personal data are concerned, without disclosing any operational details and without prejudice to any ongoing investigations.
Article 52
Access by the European Parliament to information processed by or through Europol
Article 52a
Consultative Forum
The JPSG and the Executive Director may consult the consultative forum on any matter related to fundamental rights.
CHAPTER IX
STAFF
Article 53
General provisions
Article 54
Executive Director
The shortlist shall be drawn up by a selection committee set up by the Management Board and composed of members designated by Member States and a Commission representative
For the purpose of concluding a contract with the Executive Director, Europol shall be represented by the Chairperson of the Management Board.
Before appointment, the candidate selected by the Council may be invited to appear before the competent committee of the European Parliament, which shall subsequently give a non-binding opinion.
The term of office of the Executive Director shall be four years. By the end of that period, the Commission, in association with the Management Board, shall undertake an assessment taking into account:
an evaluation of the Executive Director's performance, and
Europol's future tasks and challenges.
Article 55
Deputy Executive Directors
Article 56
Seconded national experts
CHAPTER X
FINANCIAL PROVISIONS
Article 57
Budget
Article 58
Establishment of the budget
Article 59
Implementation of the budget
Article 60
Presentation of accounts and discharge
Article 61
Financial Rules
The financial rules referred to in paragraph 1 may specify the criteria under which financial support may cover the full investment costs referred to in the first subparagraph of this paragraph.
CHAPTER XI
MISCELLANEOUS PROVISIONS
Article 62
Legal status
Article 63
Privileges and immunities
Article 64
Language arrangements
Article 65
Transparency
Article 66
Combating fraud
Article 67
Rules on the protection of sensitive non-classified and classified information
Article 68
Evaluation and review
Article 69
Administrative inquiries
The activities of Europol shall be subject to inquiries by the European Ombudsman in accordance with Article 228 TFEU.
Article 70
Headquarters
The necessary arrangements concerning the accommodation to be provided for Europol in the Kingdom of the Netherlands and the facilities to be made available by the Kingdom of the Netherlands, together with the specific rules applicable there to the Executive Director, members of the Management Board, Europol's staff and members of their families, shall be laid down in a headquarters agreement between Europol and the Kingdom of the Netherlands, in accordance with Protocol No 6.
CHAPTER XII
TRANSITIONAL PROVISIONS
Article 71
Legal succession
Article 72
Transitional arrangements concerning the Management Board
During the period from 13 June 2016 to 1 May 2017, the Management Board as established on the basis of Article 37 of Decision 2009/371/JHA shall:
exercise the functions of the Management Board in accordance with Article 11 of this Regulation;
prepare the adoption of the rules relating to the application of Regulation (EC) No 1049/2001 with regard to Europol documents as referred to in Article 65(2) of this Regulation, and of the rules referred to in Article 67 of this Regulation;
prepare any instrument necessary for the application of this Regulation, in particular any measures relating to Chapter IV; and
review the internal rules and measures which it has adopted on the basis of Decision 2009/371/JHA so as to allow the Management Board as established pursuant to Article 10 of this Regulation to take a decision pursuant to Article 76 of this Regulation.
Article 73
Transitional arrangements concerning the Executive Director, the Deputy Directors and staff
Article 74
Transitional budgetary provisions
The discharge procedure in respect of the budgets approved on the basis of Article 42 of Decision 2009/371/JHA shall be carried out in accordance with the rules established by Article 43 thereof.
Article 74a
Transitional arrangements concerning the processing of personal data in support of an ongoing criminal investigation
Where a Member State, the EPPO or Eurojust provided personal data that do not relate to the categories of data subjects listed in Annex II to Europol before 28 June 2022, Europol may process those personal data in accordance with Article 18a where:
the Member State concerned, the EPPO or Eurojust informs Europol by 29 September 2022, that it is authorised to process those personal data, in accordance with procedural requirements and safeguards applicable under Union or national law, in the ongoing criminal investigation for which it requested Europol’s support when it initially provided the data;
the Member State concerned, the EPPO or Eurojust requests that Europol, by 29 September 2022, support the ongoing criminal investigation referred to in point (a); and
Europol assesses, in accordance with Article 18a(1), point (b), that it is not possible to support the ongoing criminal investigation referred to in point (a) of this paragraph without processing personal data that do not comply with Article 18(5).
The assessment referred to in point (c) of this paragraph is recorded and sent to the EDPS for information when Europol ceases to support the related specific criminal investigation.
Where a third country referred to in Article 18a(6) provided personal data that do not relate to the categories of data subjects listed in Annex II to Europol before 28 June 2022, Europol may process those personal data in accordance with Article 18a(6) where:
the third country provided the personal data in support of a specific criminal investigation in one or more Member States that Europol supports;
the third country obtained the data in the context of a criminal investigation in accordance with procedural requirements and safeguards applicable under its national criminal law;
the third country informs Europol, by 29 September 2022, that it is authorised to process those personal data in the criminal investigation in the context of which it obtained the data;
Europol assesses, in accordance with Article 18a(1), point (b), that it is not possible to support the specific criminal investigation referred to in point (a) of this paragraph without processing personal data that do not comply with Article 18(5) and that assessment is recorded and sent to the EDPS for information when Europol ceases to support the related specific criminal investigation; and
Europol verifies, in accordance with Article 18a(6), that the amount of personal data is not manifestly disproportionate in relation to the specific criminal investigation referred to in point (a) of this paragraph in one or more Member States that Europol supports.
Article 74b
Transitional arrangements concerning the processing of personal data held by Europol
Without prejudice to Article 74a, for personal data that Europol received before 28 June 2022, Europol may verify whether those personal data relate to one of the categories of data subjects set out in Annex II. To that end, Europol may carry out a pre-analysis of those personal data for a period of up to 18 months from the date the data were first received or, in justified cases and with the prior authorisation of the EDPS, for a longer period.
The maximum period of processing the data referred to in the first subparagraph shall be three years from the day of receipt of the data by Europol.
CHAPTER XIII
FINAL PROVISIONS
Article 75
Replacement and repeal
Therefore, Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA are repealed with effect from 1 May 2017.
Article 76
Maintenance in force of the internal rules adopted by the Management Board
Internal rules and measures adopted by the Management Board on the basis of Decision 2009/371/JHA shall remain in force after 1 May 2017, unless otherwise decided by the Management Board in the application of this Regulation.
Article 77
Entry into force and application
However, Articles 71, 72 and 73 shall apply from 13 June 2016.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
ANNEX I
LIST OF FORMS OF CRIME REFERRED TO IN ARTICLE 3(1)
ANNEX II
A. Categories of personal data and categories of data subjects whose data may be collected and processed for the purpose of cross-checking as referred to in point (a) of Article 18(2)
1. Personal data collected and processed for the purpose of cross-checking shall relate to:
persons who, in accordance with the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence;
persons regarding whom there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit criminal offences in respect of which Europol is competent.
2. Data relating to the persons referred to in paragraph 1 may include only the following categories of personal data:
surname, maiden name, given names and any alias or assumed name;
date and place of birth;
nationality;
sex;
place of residence, profession and whereabouts of the person concerned;
social security numbers, driving licences, identification documents and passport data; and
where necessary, other characteristics likely to assist in identification, including any specific objective physical characteristics not subject to change such as dactyloscopic data and DNA profile (established from the non-coding part of DNA).
3. In addition to the data referred to in paragraph 2, the following categories of personal data concerning the persons referred to in paragraph 1 may be collected and processed:
criminal offences, alleged criminal offences and when, where and how they were (allegedly) committed;
means which were or which may have been used to commit those criminal offences, including information concerning legal persons;
departments handling the case and their filing references;
suspected membership of a criminal organisation;
convictions, where they relate to criminal offences in respect of which Europol is competent;
inputting party.
These data may be provided to Europol even when they do not yet contain any references to persons.
4. Additional information held by Europol or national units concerning the persons referred to in paragraph 1 may be communicated to any national unit or to Europol, should either so request. National units shall do so in compliance with their national law.
5. If proceedings against the person concerned are definitively dropped or if that person is definitively acquitted, the data relating to the case in respect of which either decision has been taken shall be deleted.
B. Categories of personal data and categories of data subjects whose data may be collected and processed for the purpose of analyses of a strategic or thematic nature, for the purpose of operational analyses or for the purpose of facilitating the exchange of information as referred to in points (b), (c) and (d) of Article 18(2)
1. Personal data collected and processed for the purpose of analyses of a strategic or thematic nature, for the purpose of operational analyses or for the purpose of facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organisations shall relate to:
persons who, pursuant to the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence;
persons regarding whom there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit criminal offences in respect of which Europol is competent;
persons who might be called on to testify in investigations in connection with the offences under consideration or in subsequent criminal proceedings;
persons who have been the victims of one of the offences under consideration or with regard to whom certain facts give reason to believe that they could be the victims of such an offence;
contacts and associates; and
persons who can provide information on the criminal offences under consideration.
2. The following categories of personal data, including associated administrative data, may be processed on the categories of persons referred to in points (a) and (b) of paragraph 1:
personal details:
present and former surnames;
present and former forenames;
maiden name;
father's name (where necessary for the purpose of identification);
mother's name (where necessary for the purpose of identification):
sex;
date of birth;
place of birth;
nationality;
marital status;
alias;
nickname;
assumed or false name;
present and former residence and/or domicile;
physical description:
physical description;
distinguishing features (marks/scars/tattoos etc.);
means of identification:
identity documents/driving licence;
national identity card/passport numbers;
national identification number/social security number, if applicable;
visual images and other information on appearance;
forensic identification information such as fingerprints, DNA profile (established from the non-coding part of DNA), voice profile, blood group, dental information;
occupation and skills:
present employment and occupation;
former employment and occupation;
education (school/university/professional);
qualifications;
skills and other fields of knowledge (language/other);
economic and financial information:
financial data (bank accounts and codes, credit cards, etc.);
cash assets;
shareholdings/other assets;
property data;
links with companies;
bank and credit contacts;
tax position;
other information revealing a person's management of his or her financial affairs;
behavioural data:
lifestyle (such as living above means) and routine;
movements;
places frequented;
weapons and other dangerous instruments;
danger rating;
specific risks such as escape probability, use of double agents, connections with law enforcement personnel;
criminal-related traits and profiles;
drug abuse;
contacts and associates, including type and nature of the contact or association;
means of communication used, such as telephone (static/mobile), fax, pager, electronic mail, postal addresses, internet connection(s);
means of transport used, such as vehicles, boats, aircraft, including information identifying those means of transport (registration numbers);
information relating to criminal conduct:
previous convictions;
suspected involvement in criminal activities;
modi operandi;
means which were or may be used to prepare and/or commit crimes;
membership of criminal groups/organisations and position in the group/organisation;
role in the criminal organisation;
geographical range of criminal activities;
material gathered in the course of an investigation, such as video and photographic images;
references to other information systems in which information on the person is stored:
Europol;
police/customs agencies;
other enforcement agencies;
international organisations;
public entities;
private entities;
information on legal persons associated with the data referred to in points (e) and (j):
designation of the legal person;
location;
date and place of establishment;
administrative registration number;
legal form;
capital;
area of activity;
national and international subsidiaries;
directors;
links with banks.
3. ‘Contacts and associates’, as referred to in point (e) of paragraph 1, are persons through whom there is sufficient reason to believe that information which relates to the persons referred to in points (a) and (b) of paragraph 1 and which is relevant for the analysis can be gained, provided they are not included in one of the categories of persons referred to in points (a), (b), (c), (d) and (f) of paragraph 1. ‘Contacts’ are those persons who have a sporadic contact with the persons referred to in points (a) and (b) of paragraph 1. ‘Associates’ are those persons who have a regular contact with the persons referred to in points (a) and (b) of paragraph 1.
In relation to contacts and associates, the data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that such data are required for the analysis of the relationship of such persons with persons referred to in points (a) and (b) of paragraph 1. In this context, the following shall be observed:
such relationship shall be clarified as soon as possible;
the data referred to in paragraph 2 shall be deleted without delay if the assumption that such relationship exists turns out to be unfounded;
all data referred to in paragraph 2 may be stored if contacts or associates are suspected of having committed an offence falling within the scope of Europol's objectives, or have been convicted for the commission of such an offence, or if there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit such an offence;
data referred to in paragraph 2 on contacts, and associates, of contacts as well as on contacts, and associates, of associates shall not be stored, with the exception of data on the type and nature of their contact or association with the persons referred to in points (a) and (b) of paragraph 1;
if a clarification pursuant to the previous points is not possible, this shall be taken into account when a decision is taken on the need for, and the extent of, data storage for further analysis.
4. With regard to a person who, as referred to in point (d) of paragraph 1, has been the victim of one of the offences under consideration or who, on the basis of certain facts there is reason to believe could be the victim of such an offence, the data referred to in point (a) to point (c)(iii) of paragraph 2 as well as the following categories of data may be stored:
victim identification data;
reason for victimisation;
damage (physical/financial/psychological/other);
whether anonymity is to be guaranteed;
whether participation in a court hearing is possible;
crime-related information provided by or through persons referred to in point (d) of paragraph 1, including where necessary information on their relationship with other persons, for the purpose of identifying the persons referred to in points (a) and (b) of paragraph 1.
Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of a person's role as victim or potential victim.
Data not required for any further analysis shall be deleted.
5. With regard to persons who, as referred to in point (c) of paragraph 1, might be called on to testify in investigations in connection with the offences under consideration or in subsequent criminal proceedings, data referred to in point (a) to point (c)(iii) of paragraph 2 as well as categories of data complying with the following criteria may be stored:
crime-related information provided by such persons, including information on their relationship with other persons included in the analysis work file;
whether anonymity is to be guaranteed;
whether protection is to be guaranteed and by whom;
new identity;
whether participation in a court hearing is possible.
Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of such persons' role as witness.
Data not required for any further analysis shall be deleted.
6. With regard to persons who, as referred to in point (f) of paragraph 1, can provide information on the criminal offences under consideration, data referred to in point (a) to point (c)(iii) of paragraph 2 as well as categories of data complying with the following criteria may be stored:
coded personal details;
type of information supplied;
whether anonymity is to be guaranteed;
whether protection is to be guaranteed and by whom;
new identity;
whether participation in a court hearing is possible;
negative experiences;
rewards (financial/favours).
Other data referred to in paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of such persons' role as informant.
Data not required for any further analysis shall be deleted.
7. If, at any time during the course of an analysis, it becomes clear on the basis of serious and corroborating indications that a person should be included in a category of persons, as defined in this Annex, other than the category in which that person was initially placed, Europol may process only the data on that person which is permitted under that new category, and all other data shall be deleted.
If, on the basis of such indications, it becomes clear that a person should be included in two or more different categories as defined in this Annex, all data allowed under such categories may be processed by Europol.
( 1 ) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1).
( 2 ) Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
( 3 ) Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).
( 4 ) Council Decision 2008/617/JHA of 23 June 2008 on the improvement of cooperation between the special intervention units of the Member States of the European Union in crisis situations (OJ L 210, 6.8.2008, p. 73).
( 5 ) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
( 6 ) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).
( 7 ) Directive (EU) 2019/1153 of the European Parliament and of the Council of 20 June 2019 laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, and repealing Council Decision 2000/642/JHA (OJ L 186, 11.7.2019, p. 122).
( 8 ) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).
( 9 ) Council Decision 2005/511/JHA of 12 July 2005 on protecting the euro against counterfeiting, by designating Europol as the Central Office for combating euro counterfeiting (OJ L 185, 16.7.2005, p. 35).
( 10 ) Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79 I, 21.3.2019, p. 1).
( 11 ) Commission Delegated Regulation (EU) 2019/715 of 18 December 2018 on the framework financial regulation for the bodies set up under the TFEU and Euratom Treaty and referred to in Article 70 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (OJ L 122, 10.5.2019, p. 1).
( 12 ) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
( 13 ) Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1).
( 14 ) Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights (OJ L 53, 22.2.2007, p. 1).
( 15 ) Regulation (EU) 2015/2219 of the European Parliament and of the Council of 25 November 2015 on the European Union Agency for Law Enforcement Training (CEPOL) and replacing and repealing Council Decision 2005/681/JHA (OJ L 319, 4.12.2015, p. 1.)
( 16 ) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
( 17 ) OJ C 95, 1.4.2014, p. 1.
( 18 ) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
( 19 ) Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).
( 20 ) OJ L 136, 31.5.1999, p. 15.
( 21 ) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities' financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2).