EU cooperation in criminal matters — personal data protection (until 2018)
Framework Decision 2008/977/JHA — protection of personal data processed in the context of police and judicial cooperation in criminal matters
WHAT IS THE AIM OF THIS FRAMEWORK DECISION?
It aims to protect people’s fundamental rights and freedoms when their personal data are processed for the purposes of preventing, investigating, detecting or prosecuting a criminal offence or of executing a criminal penalty.
This framework decision concerns both personal data that are processed in part or entirely by automatic means (using information technology) and personal data that are part of a filing system and processed by non-automatic means (i.e. humans).
The competent authorities of European Union (EU) countries may collect personal data only for specified, explicit and legitimate purposes. The processing of these data is permitted only for the purposes for which they were collected. Processing for other purposes is allowed only under certain circumstances or when certain appropriate safeguards are in place (e.g. such as making the data anonymous).
In principle, personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerns his/her health or sex life may not be processed. Their processing may be allowed only if it is absolutely necessary and if appropriate safeguards have been established.
Inaccurate personal data must be rectified and updated or completed if possible. Once the data are no longer needed for the purposes they were collected, they must be erased, made anonymous or, in certain cases, blocked. The need to store personal data must be reviewed regularly, with time limits set for their erasure.
EU countries’ competent authorities must verify that the personal data to be transmitted or made available are accurate, up to date and complete. In order to be able to verify that the processing of data is lawful and to ensure the integrity and security of the data, their transmissions must be logged or documented.
Personal data received from another EU country are to be processed only for the purposes for which they were transmitted. In certain cases, however, they may be processed for other purposes, for example for the prevention, investigation, detection or prosecution of other criminal offences, the execution of other criminal penalties or the prevention of threats to public security. The receiving EU country must respect any specific restrictions to the exchanges of data provided for in the law of the transmitting country.
Under certain circumstances, the receiving EU country may transfer personal data to non-EU countries or to international bodies. To this end, the EU country that first made the data available must provide its consent. Only in urgent cases may data be transferred without prior consent. Personal data may also be transferred to private parties in EU countries for exclusive purposes, provided that the competent authority of the country from where the data was received has given its consent.
Rights of data subjects
The data subject is to be kept informed of any collection or processing of personal data relating to him/her. However, when data have been transmitted from one EU country to another, the first may demand that the second does not divulge any information to the subject.
The data subject may request to receive a confirmation on
whether their data have been transmitted,
who the recipients are, what data are being processed, as well as a
confirmation that the necessary verifications of that data have been made.
In certain cases, EU countries may restrict the subject’s access to information. Any decision restricting access must be given in writing to the data subject, together with the factual and legal reasons thereof. The data subject must also be given advice on their right to appeal such a decision.
The data subject may demand that personal data relating to him/her be rectified, erased or blocked. Any refusal to that end must be given in writing, along with information on the right to lodge a complaint or seek a judicial remedy.
Any person may demand compensation for the damages they have suffered due to an unlawful processing of personal data or any other act that is not compatible with this framework decision. Where a data subject’s rights are breached, they have the right to a judicial remedy.
Safeguarding data processing
The competent authorities must take the necessary security measures to protect personal data against any unlawful form of processing. This includes accidental loss, alteration and unauthorised disclosure of, as well as access to, personal data. In particular, specific measures need to be taken with regard to the automated processing of data.
National supervisory authorities in EU countries monitor and advise on the application of this framework decision. To that end, they are granted investigative powers, effective powers of intervention, as well as the power to pursue legal proceedings. For any infringements of the provisions of this framework decision, EU countries must establish effective, proportionate and dissuasive penalties.
Framework Decision 2008/977/JHA is repealed by Directive (EU) 2016/680 with effect from 6 May 2018.
FROM WHEN DOES THE FRAMEWORK DECISION APPLY?
It has applied since 19 January 2009.
For more information, see:
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, pp. 60-71)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)
last update 26.10.2016