This document is an excerpt from the EUR-Lex website
Document 52025PC0248
Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism
Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism
Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism
COM/2025/248 final
EUROPEAN COMMISSION
Brussels, 22.5.2025
COM(2025) 248 final
2025/0119(NLE)
Proposal for a
COUNCIL DECISION
on the signing, on behalf of the European Union, of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism
EXPLANATORY MEMORANDUM
The present proposal concerns the signing, on behalf of the European Union, of the Agreement with the Republic of Ecuador (‘Ecuador’) on cooperation between the European Union Agency for Law Enforcement Cooperation (‘Europol’) and the Ecuadorian authorities competent for combatting serious crime and terrorism (‘the Agreement’).
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Europol’s mission is to support Member States in preventing and combating all forms of serious international and organised crime, cybercrime and terrorism. In a globalised world where serious crime and terrorism are increasingly transnational and polyvalent, law enforcement authorities should be fully equipped to cooperate with external partners to ensure the security of their citizens. Europol should therefore be able to cooperate closely, including through the exchange of personal data, with law enforcement authorities of third countries to the extent necessary for the accomplishment of its tasks within the framework of the requirements set out in Regulation (EU) 2016/794 1 . At the same time, it is important to ensure that adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals are in place for the protection of personal data.
Europol can exchange personal data with third countries or international organisations on one of the following bases, as set out in Article 25(1), points (a) to (c), of Regulation (EU) 2016/794:
·A decision of the Commission adopted in accordance with Article 36 of Directive (EU) 2016/680, finding that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection (‘adequacy decision’);
·an international agreement concluded between the Union and the third country or international organisation pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals;
·a cooperation agreement allowing for the exchange of personal data concluded, before 1 May 2017, between Europol and the third country or international organisation in accordance with Article 23 of Decision 2009/371/JHA.
Since the entry into application of Regulation (EU) 2016/794 on 1 May 2017, the Commission is responsible, on behalf of the Union, for negotiating international agreements with third countries for the exchange of personal data with Europol. In so far as necessary for the performance of its tasks, Europol may also establish and maintain cooperative relations with external partners through working and administrative arrangements that cannot be by themselves a legal basis for the exchange of personal data. Unlike an international agreement, those arrangements are concluded by Europol and they do not bind the European Union or its Member States 2 .
Latin American’s organised crime groups pose a serious threat to the European Union internal security as their actions are increasingly linked to a series of crimes within the Union, particularly in the realm of drug trafficking. The 2021 European Union Serious and Organised Crime Threat Assessment (SOCTA) highlights that unprecedented quantities of illicit drugs are trafficked to the European Union from Latin America, generating multi-billion-euro profits, which are used to finance a diverse range of criminal organisations (international and European Union-based) and to weaken the rule of law in the European Union 3 . According to the 2025 SOCTA, Latin America is the main cocaine cultivation and production region, and its ports starting points for onward transport to the EU. It is also a source of people trafficked for sexual and, to a lesser extent, labour exploitation, and of irregular migrants smuggled by air to the EU 4 .
Recent reports confirm that cocaine availability in Europe is at an all-time high and the drug is more affordable and accessible for consumers than in the past 5 . Most of the product seized in the European Union is transported by sea, primarily in maritime shipping containers 6 , and shipped to the European Union directly from the countries of production as well as from neighbouring countries of departure in Latin America, including Ecuador 7 . Based on quantities of cocaine seized in European ports and in ports elsewhere destined for Europe, Ecuador (with a cocaine seizure of about 67.5 tonnes) was one of the main departure points in 2020, as it has been for some years 8 . An example of the evolution of Ecuador in drug trafficking is the increase in the quantities shipped from Guayaquil, the largest container port in Ecuador, towards Antwerp, Belgium, using the rip-on/rip-off method, from 6 tonnes in 2018 to almost 56 tonnes in 2021 9 . Organised crime organisations based in Latin America are well established and also active in other crime areas that fall within Europol’s mandate, such as cybercrimes, money laundering, and environmental crimes.
In its Programming Document 2024-2026, Europol has flagged that, among others, the growing demand for drugs and enhanced drug trafficking routes into the European Union justify the need for enhanced cooperation with Latin American countries 10 .
Against this background, in October 2023, a working arrangement was signed between Europol and Ecuador 11 , and cooperation between the two sides is already evolving, including with the deployment of an Ecuadorian liaison officer to Europol.
Ecuador is participating in the Community of Latin American and Caribbean States (CELAC) Coordination and Cooperation Mechanism on Drugs. Moreover, Ecuador is a member of the Police Community of the Americas (Ameripol) and of the Latin American Interior Security Committee (CLASI) 12 , which has been established in 2022 and driven by the Europe Latin America Programme of Assistance against Transnational Organised Crime (El PAcCTO) 13 . The country is also a member of CLASI’s dedicated task force on drugs and thus has been committed to contributing to the dismantling of organised crime groups involved in drug production and trafficking. In fact, Ecuador has been identified as a key international partner to reduce the global supply of cocaine by the European Monitoring Centre for Drugs and Drug Addiction (EMCDDA) 14 .
However, the Working Agreement between Europol and Ecuador does not provide a legal basis for the exchange of personal data. Nevertheless, this type of increased operational cooperation and the sharing of relevant information between Europol and Ecuador would be important in countering serious offences in many crime areas of common interest, such as drug trafficking and environmental crime, as well as for crimes against persons.
In light of this, on 22 February 2023, the Commission presented a Recommendation, proposing that the Council authorises the opening of negotiations for an agreement between the European Union and Ecuador on the exchange of personal data between Europol and the Ecuadorian authorities competent for fighting serious crime and terrorism 15 . On 15 May 2023, the Council provided its authorisation and adopted negotiation directives 16 .
The negotiations with Ecuador for this Agreement began in June 2023. In the interest of having one, coherent and legally binding instrument regulating cooperation between Europol and Ecuador, provisions on strategic cooperation and the exchange of non-personal data were also included in the Agreement.
After three rounds of negotiations and a technical meeting, the lead negotiators reached a preliminary agreement on the text and initialled the draft text of the Agreement on 3 March 2025.
The co-legislators have been regularly informed and consulted at all stages of the negotiations, notably by reporting to the Council’s responsible working group and European Parliament’s LIBE Committee.
•Consistency with existing Union policies
The Agreement was negotiated in line with the comprehensive negotiating directives adopted by the Council on 15 May 2023. The present Agreement is also consistent with existing Union policy in the domain of law enforcement cooperation.
In recent years, progress was made to improve the exchange of information cooperation between Member States and to close down the space in which terrorists and serious criminals operate. Existing Commission strategic documents underpin the necessity of improving the efficiency and effectiveness of law enforcement cooperation in the European Union, as well as of expanding the cooperation with third countries. These include, among others, the Security Union Strategy 17 and the European Union Strategy to tackle organised crime 18 .
In line with these strategic documents, international cooperation has already been enhanced in the area of law enforcement. Based on an authorisation by the Council, the Commission has negotiated an Agreement with New Zealand on the exchange of personal data with the European Union Agency for Law Enforcement Cooperation (Europol) 19 . It should also be recalled that the Council has previously authorised the opening of negotiations with Algeria, Egypt, Jordan, Israel, Lebanon, Morocco, Tunisia and Turkey for international agreements on the exchange of personal data with Europol 20 .
Furthermore, the Agreement is in line with the European Union Drugs Strategy 2021-2025 21 and the European Union Drugs Action Plan 2021-2025 22 , which underline the importance of international cooperation to address the multi-faceted aspects of the drugs phenomenon.
In this sense, the Agreement with Ecuador should also be seen as part of a broader effort to enhance law enforcement cooperation between the European Union and Latin American countries of interest. In that regard, on the Commission’s recommendation, the Council authorised the opening of negotiations for similar international agreements with Bolivia, Brazil, Mexico and Peru, in parallel with Ecuador, with the ultimate aim to enhance the fight against terrorism and serious crime, including drug trafficking 23 . Notably, on 24 February 2025, the Council authorised the signature of the relevant Agreement with Brazil 24 , which took place on 5 March 2025.
At the same time, it is crucial that law enforcement cooperation with third states is fully in line with the fundamental rights enshrined in the European Union Treaties and in the Charter of Fundamental Rights of the European Union.
One particularly important set of safeguards, notably those reflected in Chapters II and IV of the Agreement, concerns the protection of personal data, which is a fundamental right enshrined in the European Union Treaties and in the Charter of Fundamental Rights of the European Union. In accordance with Article 25(1), point (b), of the Europol Regulation, Europol may transfer personal data to an authority of a third country or to an international organisation on the basis of an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Chapters II and IV of the Agreement provide for such safeguards, including in particular provisions ensuring a number of data protection principles and obligations that must be respected by the Parties (Articles 3, 4, 5, 7, 10, 11, 12, 13, 18 and 19), as well as provisions ensuring enforceable individual rights (Articles 6, 8 and 9), independent supervision (Article 14) and effective administrative and judicial redress for violations of the rights and safeguards recognised in the Agreement resulting from the processing of personal data (Article 15).
The draft Agreement adduces adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, as well as a legal ground for the exchange of personal data for combating serious crime and terrorism.
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
Article 218(5) of the Treaty on the Functioning of the European Union (TFEU) provides for decisions ‘authorising the signing of the agreement and, if necessary, its provisional application before entry into force.’ Since the proposal’s aim is to receive an authorisation to sign the Agreement, the procedural legal basis is Article 218(5) TFEU.
The proposal has two main aims and components, namely the law enforcement cooperation between Europol and Ecuador, as well as the establishing of adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for this cooperation. Thus, the substantive legal basis needs to be Article 16(2) and Article 88 TFEU.
Therefore, this proposal is based on Article 16(2) and Article 88 TFEU in conjunction with Article 218(5) TFEU.
•Subsidiarity (for non-exclusive competence)
The Regulation (EU) 2016/794 lays down specific rules regarding transfers of personal data by Europol outside of the European Union. Article 25(1) thereof lists situations where Europol can lawfully transfer personal data to law enforcement authorities of third countries. It follows from the provision that for transfers of personal data by Europol to Ecuador, the conclusion of a binding international agreement between the European Union and Ecuador, adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals is required. In accordance with Article 3(2) TFEU, the Agreement thus falls within the exclusive external competence of the Union. Therefore, this proposal is not subject to subsidiarity check.
•Proportionality
The Union’s objectives with regard to this proposal as set out above can only be achieved by entering into a binding international agreement providing for the necessary cooperation measures, while ensuring appropriate protection of fundamental rights. The provisions of the agreement are limited to what is necessary to achieve its main objectives. Unilateral action of the Member States towards Ecuador does not represent an alternative, as Europol has a unique role. Unilateral action would also not provide a sufficient basis for the police cooperation with non-European Union countries and would not ensure the necessary protection of fundamental rights.
•Choice of the instrument
In accordance with Article 25 of the Regulation (EU) 2016/794, in the absence of an adequacy decision, Europol may engage in the transfer of personal data to a third country only based on an international agreement pursuant to Article 218 TFEU that provides for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals (Article 25(1)(b) of the Europol Regulation). In accordance with Article 218(5) TFEU, the signing of such an agreement is authorised by a decision of the Council.
•Fundamental rights
The exchange of personal data and its processing by the authorities of a third country constitutes an interference with the fundamental rights to privacy and data protection. However, the Agreement ensures the necessity and proportionality of any such interference by guaranteeing the application of adequate data protection safeguards to the personal data transferred, in line with European Union law.
Chapters II and IV provide for the protection of personal data. On that basis, Articles 3 to 15, as well as Articles 18 and 19, set out fundamental data protection principles, including purpose limitation, data quality and rules applicable to the processing of special categories of data, obligations applicable to controllers, including on retention, keeping of records, security and as regards onward transfers, enforceable individual rights, including on access, rectification and automated decision-making, independent and effective supervision as well as administrative and judicial redress.
The safeguards cover all forms of processing of personal data in the context of the cooperation between Europol and Ecuador. The exercise of certain individual rights can be delayed, limited or refused where necessary, reasonable and proportionate, taking into account the fundamental rights and interests of the data subject, in particular to prevent risk to an ongoing criminal investigation or prosecution, which is also in line with Union law.
Also, both the European Union and Ecuador will ensure that an independent public authority responsible for data protection (supervisory authority) oversees matters affecting the privacy of individuals in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data.
Article 32 strengthens the effectiveness of the safeguards in the Agreement by providing for joint reviews of its implementation at regular intervals. The evaluations teams shall include relevant experts on data protection and law enforcement.
As a further safeguard, pursuant to Article 21, paragraph 1, in the event of non-fulfilment of the obligations stemming from the provisions of the Agreement, the Agreement can be suspended. Any personal data transferred prior to suspension shall continue to be treated in accordance with the Agreement. In addition, in case of termination of the Agreement, personal data transferred prior to its termination shall continue to be processed in accordance with the provisions of the Agreement.
Furthermore, the Agreement guarantees that the exchange of personal data between Europol and Ecuador is consistent with both the principle of non-discrimination and Article 52(1) of the Charter, which ensure that interferences with fundamental rights guaranteed under the Charter are limited to what is strictly necessary to genuinely meet the objectives of general interest pursued, subject to the principle of proportionality.
3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
Not applicable.
4.BUDGETARY IMPLICATIONS
There are no budgetary implications for the Union budget.
5.OTHER ELEMENTS
•Implementation plans and monitoring, evaluation and reporting arrangements
There is no need for an implementation plan, as the Agreement will enter into force on the date of the receipt of the last written notification by which the European Union and Ecuador have notified each other through diplomatic channels that their own procedures have been completed.
With regard to monitoring, the European Union and Ecuador shall jointly review the implementation of the Agreement one year after its entry into application, and at regular intervals thereafter, and additionally if requested by either party and jointly decided.
•Detailed explanation of the specific provisions of the proposal
Article 1 includes the objective and scope of the Agreement.
Article 2 includes the definitions of the Agreement.
Article 3 includes the purposes of processing personal data.
Article 4 provides the general data protection principles that the European Union and Ecudaor must respect.
Article 5 provides for special categories of personal data and different categories of data subjects, such as personal data in respect of victims of a criminal offence, witnesses or other persons who can provide information concerning criminal offences, or in respect of persons under the age of 18.
Article 6 provides for the automated processing of personal data.
Article 7 provides a basis for onward transfer of the personal data received.
Article 8 provides for the right of access, ensuring that the data subject has the right, at reasonable intervals, to obtain information on whether personal data relating to him or her are processed under the Agreement.
Article 9 provides for the right to rectification, erasure, and restriction, which ensures the data subject has the right to request the competent authorities to rectify inaccurate personal data concerning the data subject transferred under the Agreement.
Article 10 provides for the notification of a personal data breach affecting personal data transferred under the Agreement, ensuring that the respective competent authorities notify each other as well as their respective supervisory authority of that breach without delay, and to take measures to mitigate its possible adverse effects.
Article 11 provides for the communication of a personal data breach to the data subject, ensuring that the competent authorities of both Parties of the Agreement communicate the data subject without undue delay in the event of a personal data breach likely to have serious adverse effect upon his or her rights and freedoms.
Article 12 provides for storage, review, correction and deletion of personal data.
Article 13 provides for the keeping of logs of the collection, alteration, access, disclosure including onward transfers, combination and erasure of personal data.
Article 14 provides for the supervisory authority, ensuring that there is an independent public authority responsible for data protection (supervisory authority) to oversee matters affecting the privacy of individuals, including the domestic rules relevant under the Agreement to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data.
Article 15 provides for administrative and judicial redress, ensuring that data subjects have the right to effective administrative and judicial redress for violations of the rights and safeguards recognized in the Agreement resulting from the processing of their personal data.
Article 16 provides for data protection principles applicable to the exchange of non-personal data.
Article 17 provides for the onward transfer of the non-personal data received.
Article 18 provides for the assessment of reliability of the source and accuracy of the data in relation to both personal and non-personal data exchanged under the Agreement.
Article 19 provides for data security, ensuring the implementation of technical and organizational measures to protect personal and non-personal data exchanged under this Agreement.
Article 20 provides for the settlement of disputes, ensuring that all disputes that may emerge in connection with the interpretation, application, or implementation of the Agreement and any matters related thereto will give rise to consultations and negotiations between representatives of the European Union and Ecuador with a view to reaching a mutually agreeable solution.
Article 21 provides for a suspension clause.
Article 22 provides for the termination of the Agreement.
Article 23 provides for the relation with other international instruments, ensuring that the Agreement will not prejudice or affect the legal provisions with regard to the exchange of information foreseen in any treaty, agreement, or arrangement between Ecuador and any Member State of the European Union.
Article 24 provides for the exchange of classified information, if necessary under the Agreement.
Article 25 provides for the handling of requests for public access to data transferred under the Agreement.
Article 26 provides for the national contact points and liaison officers.
Article 27 provides for a secure communication line.
Article 28 provides for the expenses under the Agreement.
Article 29 provides for the notification of implementation of the Agreement.
Article 30 provides for entry into force and application of the Agreement.
Article 31 provides for amendments and supplements of the Agreement.
Article 32 provides for the review and evaluation of the Agreement.
Article 33 provides for the languages of the Agreement.
2025/0119 (NLE)
Proposal for a
COUNCIL DECISION
on the signing, on behalf of the European Union, of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 88, in conjunction with Article 218(5) thereof,
Having regard to the proposal from the European Commission,
Whereas:
(1)Regulation (EU) 2016/794 of the European Parliament and of the Council 25 provides that it is possible for the European Union Agency for Law Enforcement Cooperation (Europol) to transfer personal data to an authority of a third country, inter alia, on the basis of an international agreement concluded between the Union and that third country pursuant to Article 218 of the Treaty on the Functioning of the European Union (TFEU), adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.
(2)On 15 May 2023, the Council authorised the Commission to open negotiations with the Republic of Ecuador for an agreement on the exchange of personal data between Europol and the Ecuadorian authorities competent for fighting serious crime and terrorism.
(3)The negotiations for the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism (the ‘Agreement’) were successfully finalised, and the text of the Agreement was initialled on 3 March 2025.
(4)The Agreement establishes cooperative relations between Europol and the competent authorities of Ecuador, and allows for the transfer of personal and non-personal data between them, with a view to combating serious crime and terrorism, and protecting the security of the Union and its citizens.
(5)The Agreement ensures full respect for the Charter of Fundamental Rights of the Union, including the right to respect for private and family life, recognised in Article 7 of the Charter, the right to the protection of personal data, recognised in Article 8 of the Charter and the right to an effective remedy and to a fair trial, recognised in Article 47 of the Charter. The Agreement includes adequate safeguards for the protection of personal data transferred by Europol under the Agreement.
(6)The Agreement does not affect, and is without prejudice to, the transfer of personal data or other forms of cooperation between the authorities responsible for safeguarding national security.
(7)Ireland is bound by Regulation (EU) 2016/794 and is therefore taking part in the adoption of this Decision.
(8)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the TFEU, Denmark is not taking part in the adoption of this Decision and is not bound by it or subject to its application.
(9)The European Data Protection Supervisor delivered its Opinion [xxx] on [xx.xx.xxxx].
(10)Therefore, the Agreement should be signed,
HAS ADOPTED THIS DECISION:
Article 1
The signing of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism, is hereby authorised on behalf of the Union, subject to the conclusion of the said Agreement. 26
Article 2
This Decision shall enter into force on the date of its adoption.
Done at Brussels,
For the Council
The President
EUROPEAN COMMISSION
Brussels, 22.5.2025
COM(2025) 248 final
ANNEX
to the
Proposal for a Council Decision
on the signing, on behalf of the European Union, of the Agreement between the European Union, of the one part, and the Republic of Ecuador, of the other part, on cooperation between the European Union Agency for Law Enforcement Cooperation (Europol) and the Ecuadorian authorities competent for combatting serious crime and terrorism
ANNEX
AGREEMENT BETWEEN THE EUROPEAN UNION, OF THE ONE PART, AND THE REPUBLIC OF ECUADOR, OF THE OTHER PART, ON COOPERATION BETWEEN THE EUROPEAN UNION AGENCY FOR LAW ENFORCEMENT COOPERATION (EUROPOL) AND THE ECUADORIAN AUTHORITIES COMPETENT FOR COMBATING SERIOUS CRIME AND TERRORISM
THE EUROPEAN UNION, hereinafter also referred to as the "Union" or “EU",
and
THE REPUBLIC OF ECUADOR, hereinafter also referred to as “Ecuador”,
hereinafter jointly referred to as "the Contracting Parties",
CONSIDERING that by allowing the exchange of personal and non-personal data between the European Union Agency for Law Enforcement Cooperation (Europol) and the competent authorities of Ecuador, this Agreement will create the framework for an enhanced operational cooperation between the Union and Ecuador in the field of law enforcement, while safeguarding the human rights and fundamental freedoms of all individuals concerned, including the right to privacy and data protection,
CONSIDERING that this Agreement is without prejudice to mutual legal assistance arrangements between Ecuador and the Member States of the Union allowing for the exchange of personal data,
CONSIDERING that this Agreement does not impose any requirement on the competent authorities to transfer personal or non-personal data and that the sharing of any personal or non-personal data requested under this Agreement remains voluntary,
HAVE AGREED AS FOLLOWS:
CHAPTER I
GENERAL PROVISIONS
ARTICLE 1
Objective and scope
(1)The objective of this Agreement is to establish cooperative relations between the European Union Agency for Law Enforcement Cooperation (Europol) and the competent authorities of Ecuador and to allow the transfer of personal and non-personal data between them, in order to support and strengthen the action by the authorities of the Member States of the Union and those of Ecuador, as well as their mutual cooperation in preventing and combating criminal offences, including serious crime and terrorism, while ensuring appropriate safeguards with respect to the human rights and fundamental freedoms of individuals, including the right to privacy and data protection.
(2)The scope of this Agreement covers the cooperation between Europol and the competent authorities of Ecuador in the fields of activities and within the competence and tasks of Europol, as set out in the Europol Regulation, as applied in accordance with the Treaty on European Union and the Treaty on the Functioning of the European Union, and in this Agreement.
ARTICLE 2
Definitions
For the purposes of this Agreement, the following definitions apply:
(1)'Contracting Parties' means the European Union and the Republic of Ecuador;
(2)'Europol' is the European Union Agency for Law Enforcement Cooperation, set up under the Europol Regulation;
(3)‘Europol Regulation’ or ‘Regulation (EU) 2016/794’ is the Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ EU L 135, 24.5.2016, p. 53), or any amendment thereto or successor thereof;
(4)'competent authorities' means, for Ecuador, the domestic law enforcement authorities that under Ecuador’s national law are responsible for preventing and combating criminal offences as listed in Annex II ("competent authorities of Ecuador"), and, for the Union, Europol;
(5)'Union bodies' means institutions, bodies, missions, offices and agencies set up by, or on the basis of the Treaty on European Union ("TEU") and the Treaty on the Functioning of the European Union ("TFEU"), listed in Annex III;
(6)'criminal offences' are the types of crime listed in Annex I and related criminal offences; criminal offences are considered to be related to the types of crime listed in Annex I if they are committed in order to procure the means of perpetrating, to facilitate or perpetrate, or to ensure the impunity of those committing such types of crime;
(7)'personal data' means any information relating to a data subject;
(8)‘non-personal data’ means information other than personal data;
(9)'data subject' means an identified or identifiable natural person; an identifiable person being a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
(10)'genetic data' means all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;
(11)'biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(12)'processing' means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(13)'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(14)'supervisory authority' means one or more domestic independent authorities that is/are, alone or cumulatively, responsible for data protection in accordance with Article 14, and that have been notified according to that Article; this may include authorities whose responsibility also covers other human rights;
(15)'international organisation' means an organisation and its subordinate bodies governed by public international law, or any other body, which is set up by, or on the basis of, an agreement between two or more countries.
CHAPTER II
EXCHANGE OF PERSONAL DATA AND DATA PROTECTION
ARTICLE 3
Purposes of processing personal data
(1)Personal data requested and received under this Agreement shall be processed only for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties within the limits of Article 4(5) and the respective mandates of the competent authorities.
(2)The competent authorities shall clearly indicate, at the latest at the moment of transferring personal data, the specific purpose or purposes for which the data are being transferred. For transfers to Europol, the purpose or purposes for such transfer shall be specified in line with the specific purpose or purposes of processing set out in the Europol Regulation. The competent authorities may decide by common accord that the personal data transferred may be processed for a supplementary, compatible and specific purpose, which shall be specified at the moment of such common accord and shall fall within the scope of paragraph 1 of this Article.
ARTICLE 4
General data protection principles
(1)Each Contracting Party shall provide for personal data exchanged under this Agreement to be:
(a)processed fairly, lawfully, in line with the transparency requirements in Article 29(1), and only for the purpose or purposes for which they have been transferred in accordance with Article 3;
(b)adequate, relevant and limited to what is necessary in relation to the purpose or purposes for which they are processed;
(c)accurate and kept up to date; each Contracting Party shall provide that its competent authorities take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are rectified or erased without undue delay;
(d)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
(e)processed in a manner that ensures appropriate security of the personal data.
(2)The transferring competent authority, at the moment of transferring personal data, may indicate any restriction on access thereto or the use to be made thereof, in general or specific terms, including as regards its onward transfer, erasure or destruction after a certain period of time, or the further processing of it. Where the need for such restrictions becomes apparent after the information has been provided, the transferring competent authority shall inform the receiving authority accordingly.
(3)Each Contracting Party shall ensure that the receiving competent authority complies with any restriction on access or further use of the personal data indicated by the transferring competent authority as described in paragraph 2.
(4)Each Contracting Party shall provide that its competent authorities implement appropriate technical and organisational measures in such a way as to be able to demonstrate that the processing will comply with this Agreement and the rights of the data subjects concerned are protected.
(5)Each Contracting Party shall ensure that its competent authorities do not transfer personal data which have been obtained in a manifest violation of human rights recognised by the norms of international law binding on the Contracting Parties. Each Contracting Party shall ensure that the personal data received are not used to request, hand down or execute the death penalty or any form of torture and other cruel, inhuman or degrading treatment or punishment.
(6)Each Contracting Party shall ensure that a record is kept of all transfers of personal data under this Agreement and of the purpose or purposes for those transfers.
ARTICLE 5
Special categories of personal data and different categories of data subjects
(1)The transfer and further processing of personal data in respect of victims of a criminal offence, witnesses or other persons who can provide information concerning criminal offences, or in respect of persons under the age of 18, shall be prohibited unless such transfer is strictly necessary and proportionate in individual cases for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties.
(2)The transfer and further processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health, or data concerning a natural person’s sex life or sexual orientation shall be allowed only where strictly necessary and proportionate in individual cases for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, and if those data, except biometric data, supplement other personal data.
(3)The Contracting Parties shall ensure that the processing of personal data under paragraphs 1 and 2 of this Article is subject to appropriate safeguards guarding against the specific risks involved, including restrictions on access, measures for data security within the meaning of Article 19 and limitations on onward transfers under Article 7.
ARTICLE 6
Automated processing of personal data
Decisions based solely on automated processing of the personal data exchanged, including profiling, which may produce an adverse legal effect on the data subject or significantly affect him or her, shall be prohibited, unless authorised at law for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties and with appropriate safeguards for the rights and freedoms of the data subject, including at least the right to obtain human intervention.
ARTICLE 7
Onward transfer of the personal data received
(1)Ecuador shall ensure that its competent authorities only transfer personal data received under this Agreement to other authorities of Ecuador if:
(a)Europol has given its prior explicit authorisation;
(b)the purpose or purposes of the onward transfer is the same as the original purpose or purposes of the transfer by Europol; and
(c)the onward transfer is subject to the same conditions and safeguards as those applying to the original transfer.
Without prejudice to Article 4(2), the requirement set out in point (a) of this paragraph does not need to be fulfilled when the receiving authority is itself a competent authority of Ecuador listed in Annex II.
(2)The Union shall ensure that Europol only transfers personal data received under this Agreement to authorities in the Union other than those listed in Annex III if:
(a)Ecuador has given its prior explicit authorisation;
(b)the purpose or purposes of the onward transfer is the same as the original purpose or purposes of the transfer by Ecuador; and
(c)the onward transfer is subject to the same conditions and safeguards as those applying to the original transfer.
Without prejudice to Article 4(2), the requirement set out in point (a) of this paragraph does not need to be fulfilled when the receiving authority is one of the bodies or authorities listed in Annex III.
(3)Ecuador shall ensure that onward transfers of personal data received by its competent authorities under this Agreement to the authorities of a third country or to an international organisation are prohibited, unless the following conditions are fulfilled:
(a)Europol has given its prior explicit authorisation;
(b)the purpose or purposes of the onward transfer is the same as the original purpose or purposes of the transfer by Europol; and
(c)the onward transfer is subject to the same conditions and safeguards as those applying to the original transfer.
(4)Europol may only grant its authorisation under paragraph 3, point a, of this Article for an onward transfer to the authority of a third country or to an international organisation if and insofar as an adequacy decision, an international agreement providing appropriate safeguards with respect to the protection of the right to privacy and fundamental rights and freedoms of individuals, a cooperation agreement or any other legal ground for transfers of personal data within the meaning of the Europol Regulation covering the onward transfer is in place.
(5)The Union shall ensure that onward transfers of personal data received by Europol under this Agreement to authorities of third countries or an international organisation are prohibited, unless the following conditions are fulfilled:
(a)Ecuador has given its prior explicit authorisation;
(b)the purpose or purposes of the onward transfer is the same as the original purpose of the transfer by Ecuador; and
(c)the onward transfer is subject to the same conditions and safeguards as those applying to the original transfer.
(6)In the application of this Article, onward transfers of special categories of personal data referred to in Article 5 shall be allowed only if such onward transfers are strictly necessary and proportionate in individual cases concerning criminal offences.
RIGHTS OF DATA SUBJECTS
ARTICLE 8
Right of access
(1)The Contracting Parties shall ensure that the data subject has the right, at reasonable intervals, to obtain information on whether personal data relating to him or her are processed under this Agreement, and when that is the case, access to at least the following information:
(a)confirmation as to whether or not data related to him or her are being processed;
(b)information on at least the purpose or purposes of processing, the categories of data concerned, and where applicable the recipients or categories of recipients to whom the data are disclosed;
(c)the existence of the right to request from the competent authority rectification, erasure of personal data or restriction of processing of personal data concerning the data subject;
(d)an indication of the legal basis for the processing;
(e)the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
(f)communication in an intelligible form of the personal data undergoing processing and of any available information as to its sources.
(2)In cases where the right of access pursuant to paragraph 1 is exercised, the transferring Contracting Party will be consulted in writing, on a non-binding basis before a final decision on the request for access is taken.
(3)The Contracting Parties may provide for the provision of information in response to any request under paragraph 1 to be delayed, refused or restricted if and as long as such delay, refusal or restriction constitutes a measure that is necessary and proportionate taking into account the fundamental rights and interests of the data subject, in order to:
(a)ensure that any criminal investigation and prosecution will not be jeopardised;
(b)protect the rights and freedoms of third parties; or
(c)protect national security and public order or prevent crime.
(4)The Contracting Parties shall ensure that the competent authority having received the request informs the data subject in writing of any delay, refusal or restriction of access and of the reasons for such delay, refusal or restriction of access. Those reasons may be omitted if and as long as this would undermine the purpose of the delay, refusal or restriction under paragraph 3. The competent authority shall inform the data subject of the possibility of lodging a complaint with the respective supervisory authorities and of other available means of administrative and judicial redress provided for in their respective legal frameworks.
ARTICLE 9
Right to rectification, erasure and restriction
(1)The Contracting Parties shall ensure that the data subject has the right to have inaccurate personal data transferred under this Agreement rectified by the competent authorities. Taking into account the purpose or purposes of the processing, this includes the right to have incomplete personal data transferred under this Agreement completed.
(2)Rectification shall include erasure of personal data that are no longer necessary for the purpose or purposes for which they are processed.
(3)The Contracting Parties may provide for the restriction of processing rather than the erasure of personal data if there are reasonable grounds to believe that such erasure could affect the legitimate interests of the data subject.
(4)The competent authorities shall inform each other of measures taken pursuant to paragraphs 1, 2 and 3. The receiving competent authority shall rectify, erase or restrict the processing in accordance with the action taken by the transferring competent authority.
(5)The Contracting Parties shall provide for the competent authority which has received the request to inform the data subject in writing without undue delay, and in any case within three months of receipt of a request in accordance with paragraph 1 or 2, that data concerning the data subject have been rectified, erased or the processing has been restricted.
(6)The Contracting Parties shall provide for the competent authority which has received the request to inform the data subject in writing, without undue delay and in any case within three months of receipt of a request of any refusal of rectification, erasure or restriction of processing, of the reasons for such a refusal and of the possibility of lodging a complaint with the respective supervisory authorities and other available means of administrative and judicial redress provided for in their respective legal frameworks.
ARTICLE 10
Notification of a personal data breach to the authorities concerned
(1)The Contracting Parties shall ensure, in the event of a personal data breach affecting personal data transferred under this Agreement, that the respective competent authorities notify each other as well as their respective supervisory authority of that personal data breach without delay, and to take measures to mitigate its possible adverse effects.
(2)The notification shall at least:
(a)describe the nature of the personal data breach including, where possible, the categories and number of data subjects concerned and the categories and number of personal data records concerned;
(b)describe the likely consequences of the personal data breach;
(c)describe the measures taken or proposed to be taken by the competent authority to address the personal data breach, including the measures taken to mitigate its possible adverse effects.
(3)To the extent that it is not possible to provide all the required information at the same time, it may be provided in phases. Outstanding information shall be provided without undue further delay.
(4)The Contracting Parties shall ensure that their respective competent authorities document any personal data breaches affecting personal data transferred under this Agreement, including the facts relating to the personal data breach, its effects and the remedial action taken, thereby enabling their respective supervisory authority to verify compliance with applicable legal requirements.
ARTICLE 11
Communication of a personal data breach to the data subject
(1)The Contracting Parties shall, where a personal data breach as referred to in Article 10 is likely to severely and adversely affect the rights and freedoms of the data subject, provide for their respective competent authorities to communicate the personal data breach to the data subject without undue delay.
(2)The communication to the data subject pursuant to paragraph 1 shall describe, where possible, the nature of the personal data breach, recommend measures to mitigate the possible adverse effects of the personal data breach, and provide the name and contact details of the contact point where more information can be obtained.
(3)The communication to the data subject pursuant to paragraph 1 shall not be required if:
(a)the personal data concerned by the breach were subject to appropriate technological protection measures that render the data unintelligible to any person who is not authorised to have access to that data;
(b)subsequent measures have been taken which ensure that the rights and freedoms of the data subject are no longer likely to be severely affected; or
(c)communication to the data subject pursuant to paragraph 1 would involve disproportionate effort, in particular owing to the number of cases involved; in such a case, there shall instead be a public communication or similar measure whereby the data subject is informed in an equally effective manner.
(4)The communication to the data subject pursuant to paragraph 1 may be delayed, restricted or omitted where such communication would be likely to:
(a)obstruct official or legal inquiries, investigations or procedures;
(b)prejudice the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal penalties, public order or national security;
(c)affect the rights and freedoms of third parties;
where this constitutes a necessary and proportionate measure with due regard for the legitimate interests of the data subject concerned.
ARTICLE 12
Storage, review, correction and deletion of personal data
(1)The Contracting Parties shall provide for appropriate time limits to be established for the storage of personal data received under this Agreement or for a periodic review of the need for the storage of personal data, so that personal data are stored only as long as is necessary for the purpose or purposes for which they are transferred.
(2)In any case, the need for continued storage of personal data shall be reviewed no later than three years after the personal data has been transferred, and if no justified and documented decision is taken on the continued storage of personal data, personal data shall be erased automatically after three years.
(3)Where a competent authority has reason to believe that personal data previously transferred by it are incorrect, inaccurate, no longer up to date or should not have been transferred, it shall inform the receiving competent authority, which shall correct or delete that data, and provide notification thereof to the transferring competent authority.
(4)Where a competent authority has reason to believe that personal data previously received are incorrect, inaccurate, no longer up to date or should not have been transferred, it shall inform the transferring competent authority, which shall provide its position on the matter. Where the transferring competent authority concludes that the personal data are incorrect, inaccurate, no longer up to date or should not have been transferred, it shall inform the receiving competent authority, which shall correct or delete that data, and provide notification thereof to the transferring competent authority.
ARTICLE 13
Logging and documentation
(1)The Contracting Parties shall provide for the keeping of logs or documentation of the collection, alteration, access, disclosure including onward transfers, combination and erasure of personal data.
(2)Logs or documentation referred to in paragraph 1 shall be made available to the respective supervisory authority upon request for the purpose of verification of the lawfulness of processing, self-monitoring and ensuring proper data integrity and security.
ARTICLE 14
Supervisory authority
(1)Each Contracting Party shall ensure that there is an independent public authority responsible for data protection (supervisory authority) to oversee matters affecting the right to privacy of individuals, including the domestic rules relevant under this Agreement, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data. The Contracting Parties shall notify each other of the authority that each of them designates as the supervisory authority.
(2)The Contracting Parties shall ensure that each supervisory authority:
(a)acts with complete independence in performing its tasks and exercising its powers; it shall act free from external influence and neither seek nor accept instructions; its members shall have a secure term of office, including safeguards against arbitrary removal;
(b)has the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers;
(c)has effective powers of investigation and intervention to exercise oversight over the bodies it supervises and to engage in legal proceedings;
(d)has powers to hear complaints from individuals about the use of their personal data by the competent authorities under its supervision.
ARTICLE 15
Administrative and judicial redress
(1)Data subjects shall have the right to effective administrative and judicial redress for violations of the rights and safeguards recognised in this Agreement resulting from the processing of their personal data. The Contracting Parties shall notify each other of the domestic legislation that each of them considers as providing for the rights guaranteed under this Article.
(2)This shall include the right to compensation for any damage caused to the data subject.
CHAPTER III
EXCHANGE OF NON-PERSONAL DATA
ARTICLE 16
Data protection principles for non-personal data
(1)Each Contracting Party shall provide for the non-personal data exchanged under this Agreement to be processed fairly and lawfully, and in a manner that ensures appropriate security of the non-personal data.
(2)The transferring competent authority, at the moment of transferring non-personal data, may indicate any restriction on access thereto or the use to be made thereof, in general or specific terms, including as regards its onward transfer, erasure or destruction after a certain period of time, or the further processing of it. Where the need for such restrictions becomes apparent after the data has been provided, the transferring competent authority shall inform the receiving authority accordingly.
(3)Each Contracting Party shall ensure that the receiving competent authority complies with any restriction on access or further use of the non- personal data indicated by the transferring competent authority as described in paragraph 2.
(4)Each Contracting Party shall ensure that its competent authorities do not transfer non-personal data which have been obtained in a manifest violation of human rights recognised by the norms of international law binding on the Contracting Parties. Each Contracting Party shall ensure that the non-personal data received are not used to request, hand down or execute the death penalty or any form of torture and other cruel, inhuman or degrading treatment or punishment.
ARTICLE 17
Onward transfer of the non-personal data received
(1)Ecuador shall ensure that its competent authorities only transfer non-personal data received under this Agreement to other authorities of Ecuador or to the authorities of a third country or to an international organization, if:
(a)Europol has given its prior explicit authorisation;
(b)the onward transfer is subject to the same conditions and safeguards as those applying to the original transfer.
Without prejudice to Article 16(2), the requirement set out in point (a) of this paragraph does not need to be fulfilled when the receiving authority is itself a competent authority of Ecuador listed in Annex II.
(2)The Union shall ensure that Europol only transfers non-personal data received under this Agreement to other Union bodies or authorities of third countries or an international organisation, if:
(a)Ecuador has given its prior explicit authorisation;
(b)the onward transfer is subject to the same conditions and safeguards as those applying to the original transfer.
Without prejudice to Article 16(2), the requirement set out in point (a) of this paragraph does not need to be fulfilled when the receiving authority is one of the bodies or authorities listed in Annex III.
CHAPTER IV
COMMON PROVISIONS FOR THE EXCHANGE OF PERSONAL AND NON-PERSONAL DATA
ARTICLE 18
Assessment of reliability of the source of and accuracy of data
(1)The competent authorities shall indicate as far as possible, at the latest at the moment of transferring data, the reliability of the source of the data exchanged under this Agreement on the basis of one or more of the following criteria:
(a)“(A)” where there is no doubt about the authenticity, trustworthiness and competence of the source, or if the data is supplied by a source who, in the past, has proved to be reliable in all instances;
(b)“(B)” where the data is provided by a source from whom information received has in most instances proved to be reliable;
(c)“(C)” where the data is provided by a source from whom information received has in most instances proved to be unreliable;
(d)“(X)” where the reliability of the source cannot be assessed.
(2)The competent authorities shall indicate as far as possible, at the latest at the moment of transferring data, the accuracy of the data on the basis of one or more of the following criteria:
(a)“(1)” for data the accuracy of which is not in doubt at the time of transfer;
(b)“(2)” for data known personally to the source but not known personally to the official passing it on;
(c)“(3)” for data not known personally to the source but corroborated by other information already recorded;
(d)“(4)” for data which is not known personally to the source and cannot be corroborated.
(3)Where the receiving competent authority, on the basis of information already in its possession, comes to the conclusion that the assessment of data supplied by the transferring competent authority or of its source carried out in accordance with paragraphs 1 and 2 needs correction, it shall inform that competent authority and shall attempt to agree on an amendment to the assessment. The receiving competent authority shall not change the assessment of data received or of its source without such an agreement.
(4)If a competent authority receives data without an assessment, it shall attempt as far as possible and where possible in agreement with the transferring competent authority to assess the reliability of the source or the accuracy of the data on the basis of information already in its possession.
(5)If no reliable assessment can be made, the data shall be evaluated in accordance with paragraph 1, point d, and paragraph 2, point (d), as applicable.
ARTICLE 19
Data security
(1)The Contracting Parties shall ensure that data transferred under this Agreement are processed in a manner that ensures appropriate data security.
(2)The Contracting Parties shall ensure the implementation of technical and organisational measures to protect data exchanged under this Agreement. The modalities for the implementation of such measures shall be laid down between Europol and the competent authorities of Ecuador.
(3)In respect of automated data processing, the Contracting Parties shall ensure the implementation of measures designed to:
(a)deny unauthorised persons access to processing equipment used for processing data (equipment access control);
(b)prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(c)prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored data (storage control);
(d)prevent the use of automated processing systems by unauthorised persons using data communication equipment (user control);
(e)ensure that persons authorised to use an automated processing system have access only to the data covered by their access authorisation (data access control);
(f)ensure that it is possible to verify and establish to which bodies data may be or have been transmitted using data communication equipment (communication control);
(g)ensure that it is possible to verify and establish which data have been input into automated processing systems and when and by whom the data were input (input control);
(h)ensure that it is possible to verify and establish what data have been accessed by which member of personnel and at what time (access log);
(i)prevent the unauthorised reading, copying, modification or deletion of data during transfers of data or during transportation of data media (transport control);
(j)ensure that installed systems may, in the event of interruption, be restored immediately (recovery);
(k)ensure that the functions of the system perform without fault, that the appearance of faults in the functions is immediately reported (reliability) and that stored data cannot be corrupted by system malfunctions (integrity).
CHAPTER V
DISPUTES
ARTICLE 20
Settlement of disputes
All disputes which may emerge in connection with the interpretation, application or implementation of this Agreement and any matters related thereto shall give rise to consultations and negotiations between representatives of the Contracting Parties with a view to reaching a mutually agreeable solution.
ARTICLE 21
Suspension clause
(1)In the event of non-fulfilment of obligations stemming from this Agreement, either Contracting Party may suspend this Agreement temporarily in part or in whole by written notification to the other Contracting Party through diplomatic channels. Such written notification shall not be made until after the Contracting Parties have engaged in a reasonable period of consultation without reaching a resolution and suspension shall take effect twenty days from the date of receipt of such notification. Such suspension may be lifted by the suspending Contracting Party upon written notification to the other Contracting Party. The suspension shall be lifted immediately upon receipt of such notification.
(2)Notwithstanding any suspension of this Agreement, personal and non-personal data falling within the scope of this Agreement and transferred prior to the suspension of this Agreement shall continue to be processed in accordance with this Agreement.
ARTICLE 22
Termination
(1)This Agreement may be terminated at any time by either of the Contracting Parties by written notification through diplomatic channels. The termination shall take effect three months after the date of receipt of the notification.
(2)If either Contracting Party gives notice of termination under this Article, the Contracting Parties shall decide what measures are needed to ensure that any cooperation initiated under this Agreement is concluded in an appropriate manner. In any event, with regard to all personal and all non-personal data obtained through cooperation under this Agreement before it ceases to be in force, the Contracting Parties shall ensure that the level of protection under which the personal and the non-personal data were transferred is maintained after the termination takes effect.
CHAPTER VI
FINAL PROVISIONS
ARTICLE 23
Relation to other international instruments
This Agreement shall not prejudice or otherwise affect or impact the legal provisions with regard to the exchange of information provided for by any mutual legal assistance treaty, any other cooperation agreement or arrangement, or working law enforcement relationship for the exchange of information between Ecuador and any Member State of the Union.
ARTICLE 24
Exchange of classified information
Where necessary under this Agreement, the modalities for the exchange of classified information shall be laid down between Europol and the competent authorities of Ecuador.
ARTICLE 25
Requests for Public Access
Requests for public access to documents containing personal or non-personal data transferred pursuant to this Agreement shall be submitted to the transferring Contracting Party for consultation as soon as possible.
ARTICLE 26
National contact point and liaison officers
(1)Ecuador shall designate a national contact point to act as the central point of contact between Europol and competent authorities of Ecuador. Ecuador shall ensure the continuous availability of the national contact point twenty-four hours a day, seven days a week. The designation of a contact point shall not preclude the possibility of direct exchanges between Europol and the competent authorities of Ecuador. The designated national contact point for Ecuador is indicated in Annex IV.
(2)Europol and Ecuador shall enhance their cooperation as laid down in this Agreement through the deployment of one or more liaison officer(s) by Ecuador. Europol may deploy one or more liaison officer(s) to Ecuador. The liaison officers’ tasks, their number, and the costs involved, shall be laid down between Europol and the competent authorities of Ecuador.
ARTICLE 27
Secure communication line
A secure communication line shall be established for the purpose of exchange of personal and non-personal data between Europol and the competent authorities of Ecuador. The modalities for the establishment, implementation, costs and operation of the secure communication line shall be laid down between Europol and the competent authorities of Ecuador.
ARTICLE 28
Expenses
The Contracting Parties shall ensure that the competent authorities bear their own expenses which arise in the course of the implementation of this Agreement, unless otherwise laid down between Europol and the competent authorities of Ecuador.
ARTICLE 29
Notification of implementation
(1)Each Contracting Party shall provide for its competent authorities to make publicly available a document setting out in an intelligible form the provisions regarding the processing of personal data transferred under this Agreement, including the means available for the exercise of the rights of data subjects. Each Contracting Party shall notify a copy of that document to the other Contracting Party.
(2)Where not already in place, each Contracting Party shall ensure that the competent authorities shall adopt rules specifying how compliance with the provisions regarding the processing of personal data transferred under this Agreement will be enforced in practice. Each Contracting Party shall notify a copy of those rules to the other Contracting Party and the respective supervisory authorities.
(3)Notifications by a Contracting Party made pursuant to Articles 14(1), 15, 29(1) and 29(2) of this Agreement shall be made through diplomatic channels, in a single note verbale.
ARTICLE 30
Entry into force and application
(1)This Agreement shall be approved by the Contracting Parties in accordance with their own procedures.
(2)This Agreement shall enter into force on the date of the receipt of the last written notification by which the Contracting Parties have notified each other through diplomatic channels that the procedures referred to in paragraph 1 have been completed.
(3)For this Agreement to enter into application, it is required that the notifications by a Contracting Party referred to in Article 29(3) are accepted by the other Contracting Party through diplomatic channels. This Agreement shall enter into application on the first day after the date of receiving the last acceptance of the notifications referred to in Article 29(3).
(4)From the time it enters into application, the Contracting Parties shall ensure that any other legal instruments governing cooperation between Europol and the competent authorities of Ecuador are promptly repealed.
ARTICLE 31
Amendments and supplements
(1)This Agreement may be amended in writing, at any time by mutual consent between the Contracting Parties by written notification exchanged through diplomatic channels. The amendments to this Agreement shall enter into force in accordance with the legal procedure provided for in Article 30(1) and (2).
(2)The Annexes to this Agreement may be updated, as necessary, by exchange of diplomatic notes. Such updates shall enter into force in accordance with the legal procedure provided for in Article 30(1) and (2).
(3)The Contracting Parties shall enter into consultations with respect to the amendment to this Agreement or its Annexes at the request of either Contracting Party.
ARTICLE 32
Review and evaluation
(1)The Contracting Parties shall jointly review the implementation of this Agreement one year after its entry into application, and at regular intervals thereafter, and additionally if requested by either Contracting Party and jointly decided.
(2)The Contracting Parties shall jointly evaluate this Agreement four years after the date of its application.
(3)The Contracting Parties shall decide in advance on the modalities of the review of the implementation of this Agreement and shall communicate to each other the composition of their respective teams. The teams shall include relevant experts on data protection and law enforcement. Subject to applicable laws, any participants in a review shall be required to respect the confidentiality of the discussions and have appropriate security clearances. For the purposes of any review, the Union and Ecuador shall ensure access to relevant documentation, systems and personnel.
ARTICLE 33
This Agreement shall be drawn up in duplicate in the Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish, each text being equally authentic. In the event of any divergence between the texts of this Agreement, the English text shall prevail.
ANNEX I
AREAS OF CRIME
Criminal offences are:
–terrorism,
–organised crime,
–drug trafficking,
–money-laundering activities,
–crime connected with nuclear and radioactive substances,
–immigrant smuggling,
–trafficking in human beings,
–motor vehicle crime,
–murder, grievous bodily injury,
–illicit trade in human organs and tissue,
–kidnapping, illegal restraint and hostage taking,
–racism and xenophobia,
–robbery and aggravated theft,
–illicit trafficking in cultural goods, including antiquities and works of art,
–swindling and fraud,
–crime against the financial interests of the Union,
–insider dealing and financial market manipulation,
–racketeering and extortion,
–counterfeiting and product piracy,
–forgery of administrative documents and trafficking therein,
–forgery of money and means of payment,
–computer crime,
–corruption,
–illicit trafficking in arms, ammunition and explosives,
–illicit trafficking in endangered animal species,
–illicit trafficking in endangered plant species and varieties,
–environmental crime, including ship-source pollution,
–illicit trafficking in hormonal substances and other growth promoters,
–sexual abuse and sexual exploitation, including child abuse material and solicitation of children for sexual purposes,
–genocide, crimes against humanity and war crimes.
The forms of crime referred to in this Annex shall be assessed by the competent authorities of Ecuador in accordance with the law of Ecuador and by Europol in accordance with the applicable laws of the European Union and its Member States.
ANNEX II
COMPETENT AUTHORITIES OF ECUADOR
The competent authorities of Ecuador are:
The National Police of Ecuador, and
The Attorney General’s Office (Fiscalía General del Estado - FGE)
ANNEX III
UNION BODIES AND EU MEMBER STATE AUTHORITIES
(a)Union Bodies
Common Security and Defence Policy Missions/Operations, limited to law enforcement activities
European Anti-Fraud Office (OLAF)
European Border and Coast Guard Agency (Frontex)
European Central Bank (ECB)
European Public Prosecutor's Office (EPPO)
European Union Agency for Criminal Justice Cooperation (Eurojust)
European Union Intellectual Property Office (EUIPO)
European Union Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA)
(b)the authorities responsible in the EU Member States for preventing and fighting criminal offences, in accordance with Article 2(a) and Article 7 of the Europol Regulation.
ANNEX IV
NATIONAL CONTACT POINT
The national contact point for Ecuador to act as the central point of contact between Europol and the competent authorities of Ecuador is the Ecuadorian Police Europol National Coordination Office.
Ecuador has the duty to inform Europol in case the national contact point for Ecuador changes.