This document is an excerpt from the EUR-Lex website
Protecting personal data that is used by police and criminal justice authorities (from 2018)
The directive requires that the data collected by law enforcement authorities are:
Member States must establish time limits for erasing the personal data or for a regular review of the need to store such data.
Individuals concerned (‘data subjects’)
The directive requires that law enforcement authorities make a clear distinction between the data of different categories of persons, including:
Information to data subjects and access to data
Individuals have the right to have certain information made available – and in some cases provided – to them by the competent law enforcement authorities, including:
Individuals have the right to obtain confirmation from competent authorities as to whether their personal data are being processed, and to access such data and information relating to their processing.
Security and logging
National authorities must take technical and organisational measures to ensure a level of security for personal data that is appropriate to the risk. Where data processing is automated, a number of measures must be put in place, including:
National authorities must keep logs with information such as the date and time of access to personal data and the names of those who have consulted the data or to whom the data have been disclosed. The logs shall mainly be used for verifying the lawfulness of the processing, ensuring the security and integrity of the processing and for criminal proceedings.
The directive replaced Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with effect from 6 May 2018.
The European Commission has issued a communication entitled ‘Way forward on aligning the former third pillar acquis with data protection rules’ in June 2020.
The first report on the evaluation and review of the directive is due by 5 May 2022.
It has applied since 5 May 2016. Member States had to transpose the directive (incorporate it into their national law) by 6 May 2018.
For further information, see:
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).
Successive amendments to Regulation (EU) 2016/680 have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37–47).
See consolidated version.
last update 14.01.2022