European Union Agency for Law Enforcement Cooperation and Training (Europol) ***I

European Parliament legislative resolution of 25 February 2014 on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA (COM(2013)0173 — C7-0094/2013 — 2013/0091(COD))

P7_TC1-COD(2013)0091

Position of the European Parliament adopted at first reading on 25 February 2014 with a view to the adoption of Regulation (EU) No …/2014 of the European Parliament and of the Council on the establishment of the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions Council Decision 2009/371/JHA and 2005/681/JHA [Am. 1]

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 88 and Article 87(2)(b) thereof, [Am. 2]

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

After having consulted the European Data Protection Supervisor,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1)

Europol was set up by Council Decision 2009/371/JHA (2) as an entity of the Union funded from the general budget of the Union to support and strengthen action by competent authorities of the Member States and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime affecting two or more Member States. Decision 2009/371/JHA replaced the Convention based on Article K.3 of the Treaty on European Union (TEU), on the establishment of a European Police Office (Europol Convention) (3).

(2)

Article 88 of the Treaty on the Functioning of the European Union (TFEU) provides for Europol to be governed by a regulation to be adopted in accordance with the ordinary legislative procedure. It also requires the establishment of procedures for the scrutiny of Europol’s activities by the European Parliament, together with national parliaments, in accordance with Article 12(c) TEU and Article 9 of Protocol No 1 on the role of national parliaments in the European Union, in order to enhance the democratic legitimacy and accountability of Europol to the European citizens . Therefore, it is necessary to replace the Decision 2009/371/JHA by a regulation laying down rules on parliamentary scrutiny. [Am. 3]

(3)	The European Police College (‘CEPOL’) was established by Decision 2005/681/JHA (4) to facilitate cooperation between national police forces by organising and coordinating training activities with a European policing dimension. [Am. 4]

(4)

The ‘Stockholm Programme — An open and secure Europe serving and protecting citizens’ (5) calls for Europol to evolve and become a ‘hub for information exchange between the law enforcement authorities of the Member States, a service provider and a platform for law enforcement services.’ On the basis of an assessment of Europol’s functioning, further enhancement of its operational effectiveness is needed to meet this objective. The Stockholm Programme also sets the aim of creating a genuine European law enforcement culture by setting up European training schemes and exchange programmes for all relevant law enforcement professionals at national and Union level. [Am. 5]

(5)

Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to the safety and livelihood of its citizens. Available threat assessments show that criminal groups are becoming increasingly poly-criminal and cross-border in their activities. National law enforcement authorities therefore need to cooperate more closely with their counterparts in other Member States. In this context, it is necessary to equip Europol to support Member States more in Union-wide crime prevention, analyses and investigations. This has also been confirmed in the evaluations evaluation of Decisions Decision 2009/371/JHA and 2005/681/JHA. [Am. 6]

(6)	Given the links between the tasks of Europol and CEPOL, integrating and rationalising the functions of the two agencies would enhance the effectiveness of operational activity, the relevance of training and the efficiency of Union police cooperation. [Am. 7]

(7)

Decisions Decision 2009/371/JHA and 2005/681/JHA should therefore be repealed and replaced by this regulation, which draws on the lessons learnt from the implementation of both Decisions that Decision . The Europol agency as established by this regulation should replace and assume the functions of Europol and CEPOL as established by the two repealed Decisions Decision . [Am. 8]

(8)

As crime often occurs across internal borders, Europol should support and strengthen Member State actions and their cooperation in preventing and combating serious crime affecting two or more Member States. As terrorism is one of the most important threats presents a threat for the security of the Union, Europol should assist Member States in facing common challenges in this regard. As the EU law enforcement agency, Europol should also support and strengthen actions and cooperation on tackling forms of crime that affect the interests of the EU. It should also offer support in preventing and combating related criminal offences which are committed in order to procure the means, to facilitate, to carry out or to ensure the impunity of acts in respect of which Europol is competent. [Am. 9]

(9)	Europol should ensure better quality, coherent and consistent training for law enforcement officers of all ranks within a clear framework in accordance with identified training needs. [Am. 10]

(10)	Europol should be able to request Member States to initiate, conduct or coordinate criminal investigations in specific cases where cross-border cooperation would add value. Europol should inform Eurojust of such requests. Europol should justify the request. [Am. 11]

(10a)

Europol should keep a record of collaboration in the operations of joint investigation teams targeting criminal activities falling within its remit. [Am. 12]

(10b)

Whenever a cooperation between Europol and Member States has been established regarding a specific investigation, clear provisions should be drawn up between Europol and those Member States involved, outlining the specific tasks to be carried out, the degree of participation with the investigative or judicial proceedings of the Member states, and the division of responsibilities and the applicable law for the purposes of judicial oversight. [Am. 13]

(11)

To increase the effectiveness of Europol as a hub for information exchange in the Union, clear obligations for Member States to provide Europol with the data necessary for it to fulfil its objectives should be laid down. While implementing such obligations, Member States should must pay particular attention to providing only data relevant for the fight against crimes considered to be strategic and operational priorities within relevant policy instruments of the Union. Member States should also provide Europol with a copy of bilateral and multilateral exchanges of information with other Member States on crime falling under Europol’s objectives and also indicate the source of this information . At the same time, Europol should increase the level of its support to Member States, so as to enhance mutual cooperation and sharing of information. Europol should must submit an annual report to all Union institutions and to national parliaments on the extent to which individual Member States provide it with information. [Am. 14]

(12)

To ensure effective cooperation between Europol and Member States, a national unit should be set up in each Member State. It should be the principal liaison between national law enforcement authorities and training institutes and Europol. The role of the national Europol units as guarantors and defenders of national interests in the Agency should be maintained under the Regulation. National units should also continue to be the contact point between Europol and the competent authorities, thereby giving them a centralised and coordinating role in respect of all Member State cooperation with and through Europol, and thus ensuring that each Member State responds in a uniform way to Europol requests. To ensure continuous, effective exchange of information between Europol and national units and to facilitate their cooperation, each national unit should second at least one liaison officer to Europol. [Am. 15]

(13)

Taking into account the decentralised structure of some Member States and the need to ensure in certain cases rapid exchanges of information, Europol should be allowed to cooperate directly with law enforcement authorities in Member States in individual investigations, while keeping Europol national units informed.

(14)

To ensure that Union-level law enforcement training is of high quality, coherent and consistent, Europol should act in line with Union law enforcement training policy. Union-level training should be available to law enforcement officers of all ranks. Europol should ensure that training is evaluated and that conclusions from training needs assessments are part of planning to reduce duplication. Europol should promote the recognition in Member States of training provided at Union level. [Am. 16]

(15)	It is also necessary to improve the governance of Europol, by seeking efficiency gains and streamlining procedures.

(16)

The Commission and the Member States should be represented on the Management Board of Europol to effectively supervise its work. To reflect the dual mandate of the new agency, operational support and training for law enforcement, the full The members of the Management Board should be appointed on the basis of their knowledge of law enforcement cooperation, whereas alternate members should be appointed on the basis of their knowledge of training for law enforcement officers. Alternate members should act as full members in the absence of the full member and in any case when training is discussed or decided. The Management Board should be advised by a scientific committee on technical training issues. [Am. 17]

(17)

The Management Board should be given the necessary powers, in particular to set the budget, verify its execution, adopt the appropriate financial rules and planning documents, adopt measures to protect the financial interests of the Union and to fight against fraud, as well as adopt rules for the prevention and management of conflicts of interests, establish transparent working procedures for decision-making by the Executive Director of Europol, and adopt the annual activity report. It should exercise the powers of appointing authority towards staff of the agency including the Executive Director. To streamline the decision making process, and to reinforce supervision of administrative and budgetary management, the Management Board should be also entitled to establish an Executive Board. [Am. 18]

(18)

To ensure the efficient day-to-day functioning of Europol, the Executive Director should be its legal representative and manager, acting in complete independence in the performance of all tasks and ensuring that Europol carries out the tasks provided for by this Regulation. In particular, the Executive Director should be responsible for preparing budgetary and planning documents submitted for the decision of the Management Board, implementing the annual and multiannual work programmes of Europol and other planning documents.

(19)

For the purposes of preventing and combating crime falling under its objectives, it is necessary for Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to process data provided to it by Member States, third countries, international organisations and Union bodies as well as coming from publicly available sources , as long as Europol can be considered to be lawful recipient of that data, to develop an understanding of criminal phenomena and trends, to gather information about criminal networks, and to detect links between different offences. [Am. 19]

(20)

To improve Europol’s effectiveness in providing accurate crime analyses to the Member States’ law enforcement authorities, it should use new technologies to process data. Europol should be able to swiftly detect links between investigations and common modi operandi across different criminal groups, to check cross-matches of data and to have a clear overview of trends, while maintaining guaranteeing high level of protection of personal data for individuals. Therefore, Europol databases should not be pre-defined, allowing Europol to choose the most efficient IT structure. To ensure a high level of data protection, the purpose of processing operations and access rights as well as specific additional safeguards should be laid down. The principles of relevance and proportionality must be observed with regard to personal data processing. [Am. 20]

(21)

To respect ownership of data and protection of information, Member States and authorities in third countries and international organisations should be able to determine the purpose for which Europol may process the data they provide and to restrict access rights. Purpose limitation contributes to transparency, legal certainty and predictability and is especially of high importance in the area of police cooperation, where data subjects are usually unaware when their personal data are being collected and processed and where the use of personal data may have a very significant impact on the lives and freedoms of individuals. [Am. 21]

(22)

To ensure that data are accessed only by those for whom access is necessary to perform their tasks, this Regulation should lay down detailed rules on different degrees of right of access to data processed by Europol. Such rules should be without prejudice to restrictions on access imposed by data providers, as the principle of ownership of data should be respected. In order to increase efficiency of preventing and combating crime falling under Europol’s objectives, Europol should notify Member States of information which concerns them.

(23)

To enhance operational cooperation between the agencies, and particularly to establish links between data already in possession of the different agencies, Europol should enable Eurojust and the European Anti-Fraud Office (OLAF) to have access to and be able to search against data available at Europol , on the basis of specific safeguards . [Am. 22]

(24)	Europol should maintain cooperative relations with other Union bodies, and law enforcement authorities and law enforcement training institutes of third countries, international organisations, and private parties to the extent required for the accomplishment of its tasks. [Am. 23]

(25)

To ensure operational effectiveness, Europol should be able to exchange all information, with the exception of personal data, with other Union bodies, law enforcement authorities and law enforcement training institutes of third countries, and international organisations to the extent necessary for the performance of its tasks. Since companies, firms, business associations, non-governmental organisations and other private parties hold expertise and data of direct relevance to the prevention and combating of serious crime and terrorism, Europol should also be able to exchange such data with private parties. To prevent and combat cybercrime, as related to network and information security incidents, Europol should, pursuant to Directive [name of adopted Directive] of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (*1), cooperate and exchange information, with the exception of personal data, with national authorities competent for the security of network and information systems. [Am. 24]

(26)

Europol should be able to exchange personal data with other Union bodies to the extent necessary for the accomplishment of its tasks. The European Data Protection Supervisor should ensure that this exchange of information concerns only persons who have committed or who are thought likely to commit offences in respect of which Europol has competence. [Am. 25]

(27)

Serious crime and terrorism often have links beyond the territory of the EU. Europol should therefore be able to exchange personal data with law enforcement authorities of third countries and with international organisations such as Interpol to the extent necessary for the accomplishment of its tasks. In exchanging personal data with third countries and international organisations, it is necessary to strike an appropriate balance between the need for effective enforcement and personal data protection. [Am. 26]

(28)

Europol should be able to transfer personal data to an authority of a third country or an international organisation on the basis of a Commission decision finding that the country or international organisation in question ensures an adequate level of data protection, or, in the absence of an adequacy decision, an international agreement concluded by the Union pursuant to Article 218 TFEU, or a cooperation agreement concluded between Europol and this third country prior to the entry into force of this Regulation. In view of Article 9 of Protocol 36 on transitional provisions attached to the Treaty, legal effects of such agreements should be preserved until those agreements are repealed, annulled or amended in the implementation of the Treaty.

(29)

Where a transfer of personal data cannot be based on an adequacy decision taken by the Commission, or, an international agreement concluded by the Union, or an existing cooperation agreement, the Management Board and the European Data Protection Supervisor should be allowed to authorise a transfer or a set of transfers, provided adequate safeguards are ensured. Where none of the above applies, the Executive Director should be allowed to authorise the transfer of data in exceptional cases on a case-by-case basis, if it is necessary to safeguard the essential interests of a Member State, to prevent an imminent danger associated with crime or terrorism, if the transfer is otherwise necessary or legally required on important public grounds, if the data subject has consented, or if vital interests of the data subject are at stake.

(30)

Europol should be able to process personal data originating from private parties and private persons only if transferred to Europol by a Europol national unit of a Member State in accordance with its national law or, by a contact point in a third country with which there is established cooperation through a cooperation agreement concluded in accordance with Article 23 of Decision 2009/371/JHA prior to the entry into force of this Regulation or an authority of a third country or an international organisation with which the Union has concluded and international agreement pursuant to Article 218 TFEU.

(31)	Any information which has clearly been obtained by a third country or international organisation in violation of human rights shall not be processed. [Am. 27]

(32)

Data protection rules at Europol should be strengthened and aligned with other relevant data protection instruments applicable to processing of personal data in the area of police cooperation in the Union to ensure a high level of protection of individuals with regard to processing of personal data. While Decision 2009/371/JHA provides for a robust data protection regime for Europol, it should be further elaborated to align Europol with the requirements of the Lisbon Treaty, reflect the growing role of Europol, improve the rights of data subjects and further enhance the trust between Member States and Europol which is necessary for a successful exchange of information. Data protection rules at Europol should be strengthened and draw on the principles underpinning Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) or the instrument replacing Regulation (EC) No 45/2001 to ensure a high level of protection of individuals with regard to processing of personal data , as well as on other data protection principles, including accountability principle, data protection impact assessment, privacy by design and by default and notification of personal data breaches. As soon as the new data protection framework of the EU institutions and bodies will be adopted, it should be applicable to Europol .

As Declaration 21 attached to the Treaty recognizes acknowledges, the specific nature of the specificity of personal data processing of personal data in the law enforcement context, the data proves necessary that specific rules on the protection rules of of personal data and the free movement of such data are established for Europol should be autonomous based on Article 16 TFEU and aligned with other relevant data protection instruments applicable in the area of police cooperation in the Union, in particular Convention No. 108 (7) and its Additional Protocol of 8 November 2001 and Recommendation No R(87) of the Council of Europe (8) and the robust data protection regime laid down in Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (9) [to be replaced by the relevant Directive in force at the moment of adoption]. Transparency is a crucial part of data protection since it enables other data protection principles and rights to be exercised. To enhance transparency, Europol should have transparent data protection policies that it should make easily publicly available setting out in an intelligible form and using clear and plain language the provisions regarding the processing of personal data and the means available for the exercise of the rights of data subjects, as well as publish a list of the international and cooperation agreements it has with third countries, Union bodies and international organisations. [Am. 28]

(33)

As far as possible, personal Personal data should be distinguished according to the degree of their accuracy and reliability. Facts should must be distinguished from personal assessments, in order to ensure both the protection of individuals and the quality and reliability of the information processed by Europol. [Am. 29]

(33a)

Bearing in mind the particular character of the Agency, it should have its own particular regime that should also guarantee data protection, which should on no account be at a lower level than the general regime applicable to the Union and its Agencies. Reforms relating to the general rules on data protection should thus apply to Europol as soon as possible and no later than two years after the entry into force of the new general rules; the legislative alignment between the particular data protection regimes of Europol and the EU should be completed before the end of two years following the adoption of any corresponding rules. [Am. 30]

(34)

Personal data relating to different categories of data subjects are processed in the area of police co-operation. Europol should make distinctions between personal data of different categories of data subjects as clear as possible. Personal data of persons such as victims, witnesses, persons possessing relevant information as well as personal data of minors should in particular be protected. Therefore, Europol should not process them unless it is strictly necessary for preventing and combating crime within its objectives, and if those data supplement other personal data already processed by Europol.

(35)	In the light of fundamental rights to protection of personal data, Europol should not store personal data longer than necessary for the performance of its tasks. At the latest three years after the data has been recorded, the need for the continued storage thereof should be considered. [Am. 32]

(36)	To guarantee the security of personal data, Europol should must implement appropriate technical and organisational the necessary measures. [Am. 33]

(37)

Any person should have a right of access to personal data concerning them, to have inaccurate data concerning them rectified and to erase or block data concerning them, if the data is no longer required. The rights of the data subject and the exercise thereof should not affect the obligations placed on Europol and should be subject to the restrictions laid down in this Regulation. [Am. 34]

(38)

The protection of the rights and freedoms of data subjects requires a clear attribution of the responsibilities under this Regulation. In particular, Member States should be responsible for accuracy and keeping up to date the data they have transferred to Europol and for the legality of such transfer. Europol should be responsible for accuracy and for keeping the data provided by other data suppliers up to date. Europol should must also ensure that data are processed fairly and lawfully, are collected and processed for a specific purpose, that they are adequate, relevant, not excessive in relation to the purposes for which they are processed, and stored no longer than is necessary for that purpose. [Am. 35]

(39)

Europol should keep records of collection, alteration, access, disclosure, combination or erasure of personal data for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security. Europol should be is obliged to co-operate with the European Data Protection Supervisor and make the logs or documentation available upon request, so that they can be used for monitoring processing operations. [Am. 36]

(40)

Europol should designate a data protection officer to assist it in monitoring compliance with the provisions of this Regulation. The data protection officer should be in a position to perform his/her duties and tasks independently and effectively. The data protection officer should be given the resources necessary to fulfil his tasks. [Am. 37]

(41)

An independent, sufficiently empowered, transparent, accountable and effective structure for supervision is essential for the protection of individuals with regard to the processing of personal data as required by Article 8 of the Charter of Fundamental Rights and Article 16 TFEU. National competent authorities for the supervision of the processing of personal data should monitor the lawfulness of the processing of personal data by Member States. The European Data Protection Supervisor should monitor the lawfulness of data processing by Europol exercising its functions with complete independence. [Am. 38]

(42)	The European Data Protection Supervisor and national supervisory authorities should co-operate with each other on specific issues requiring national involvement and to ensure coherent application of this Regulation throughout the Union.

(43)	As Europol is processing also non-operational personal data, not related to any criminal investigations, such as personal data of staff of Europol, services providers or visitors, processing of such data should be subject to Regulation (EC) No 45/2001. [Am. 40]

(44)

The European Data Protection Supervisor should hear and investigate complaints lodged by data subjects. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate necessary for full elucidation in the specific case. The supervisory authority should immediately inform the data subject of progress and the outcome of the complaint within a reasonable period. [Am. 41]

(45)	Any individual should have the right to a judicial remedy against decisions of the European Data Protection Supervisor concerning him/her.

(46)	Europol should be subject to general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, with the exception of liability for unlawful data processing.

(47)

It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable.

(48)

To ensure To respect the role of the parliaments in the monitoring of the European area of freedom, security and justice and the political responsibilities of the national parliaments and of the European Parliament in respecting and exercising their respective powers in the legislation process, it is necessary that Europol is be a fully accountable and transparent internal organisation, it is necessary, . To that end , in the light of Article 88 TFEU, to lay down procedures for scrutiny of Europol activities by the European Parliament together with national parliaments should be established in accordance with the provisions on interparliamentary cooperation laid down in Title II of Protocol No 1 on the role of national parliaments in the European Union , taking into due account the need to safeguard confidentiality of operational information. [Am. 42]

(49)

The Staff Regulations of Officials of the European Communities and the Conditions of Employment of Other Servants of the European Communities laid down in Regulation (EEC, Euratom, ECSC) No 259/68 of the Council (10) should apply to Europol staff. Europol should be able to employ staff engaged from the competent authorities of the Member States as temporary agents whose period of service should be limited in order to maintain the principle of rotation, as the subsequent reintegration of staff members into the service of their competent authority facilitates close cooperation between Europol and the competent authorities of the Member States. Member States should take any measure necessary to ensure that staff engaged at Europol as temporary agents may, at the end of this service at Europol, return to the national civil service to which they belong.

(50)

Given the nature of the duties of Europol and the role of the Executive Director, the Executive Director may should be invited to make a statement to and to answer questions from the competent committee of the European Parliament Joint Parliamentary Scrutiny Group before his appointment, as well as before any extension of his term of office. The Executive Director should also present the annual report to the European Parliament Joint Parliamentary Scrutiny Group and to the Council. Furthermore, the European Parliament should be able to invite the Executive Director to report on the performance of his duties. [Am. 43]

(51)

To guarantee the full autonomy and independence of Europol, it should be granted an autonomous budget, with revenue coming essentially from a contribution from the budget of the Union. The Union budgetary procedure should be applicable as far as the Union contribution and any other subsidies chargeable to the general budget of the Union are concerned. The auditing of accounts should be undertaken by the Court of Auditors.

(52)	Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (11) should apply to Europol.

(53)	Regulation (EC) No 1073/1999 of the European Parliament and of the Council (12) should apply to Europol.

(54)

Europol processes data that require particular protection as they include EU classified information and sensitive non-classified information. Europol should therefore draw up rules on confidentiality and processing of such information, taking into account the basic principles and minimum standards laid down in Council Decision 2011/292/EU (13).

(55)	It is appropriate to evaluate the application of this Regulation regularly.

(56)

The necessary provisions regarding accommodation for Europol in the Member State in which it has its headquarters, in the Netherlands, and the specific rules applicable to all Europol’s staff and members of their families should be laid down in a headquarters agreement. Furthermore, the host Member State should provide the best possible conditions to ensure the proper functioning of Europol, including schools for children and transport, so as to attract high-quality human resources from as wide a geographical area as possible. [Am. 44]

(57)

Europol, as established by this Regulation, shall replace and succeed Europol as established by Decision 2009/371/JHA, and CEPOL as established by Decision 2005/681/JHA. It should therefore be a legal successor of all their contracts, including employment contracts, liabilities and properties acquired. International agreements concluded by Europol as established on the basis of Decision 2009/371/JHA and CEPOL as established on the basis of Decision 2005/681/JHA should remain in force, with the exception of the headquarters agreement concluded by CEPOL. [Am. 45]

(58)

To enable Europol to continue to fulfil the tasks of Europol as established on the basis of Decision 2009/371/JHA and CEPOL as established by Decision 2005/681/JHA to the best of its abilities, transitional measures should be laid down, in particular with regard to the Management Board, and the Executive Director and ring-fencing part of Europol’s budget for training for three years following the entry into force of this Regulation. [Am. 46]

(59)

Since the objective of this Regulation, namely the establishment of an entity responsible for law-enforcement cooperation and training at Union level, cannot be sufficiently achieved by the Member States and can, therefore but , by reason of the scale and effects of the action, can rather be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity, as set out in Article 5 TEU. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve that objective. [Am. 47]

(60)

[In accordance with Article 3 of the Protocol (No 21) on the position of United Kingdom and Ireland in respect of the Area of Freedom, Security and Justice, annexed to the TEU and the TFEU, those Member States have notified their wish to participate in the adoption and application of this Regulation] OR [Without prejudice to Article 4 of the Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the Area of Freedom, Security and Justice, annexed to the TEU and the TFEU, those Member States will not participate in the adoption of this Regulation and will not be bound by or be subject to its application].

(61)	In accordance with Articles 1 and 2 of the Protocol (No 22) on the position of Denmark annexed to the TEU and the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(62)

This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data and the right to privacy as protected by Articles 8 and 7 of the Charter, as well as by Article 16 TFEU.

HAVE ADOPTED THIS REGULATION:

Chapter I

GENERAL PROVISIONS AND OBJECTIVES OF EUROPOL

Article 1

Establishment of the European Union Agency for Law Enforcement Cooperation and Training [Am. 48]

1. A European Union Agency for Law Enforcement Cooperation and Training (Europol) is hereby established to improve mutual cooperation among law enforcement authorities in the European Union and to strengthen and support their actions as well as to deliver a coherent European training policy. [Am. 49]

2. Europol, as established by this Regulation, shall replace and succeed Europol as established by Decision 2009/371/JHA, and CEPOL as established by Decision 2005/681/JHA. [Am. 50]

2a. Europol shall liaise with a single national unit in each Member State, to be established or designated in accordance with Article 7. [Am. 51]

Article 2

Definitions

For the purposes of this Regulation:

(a)

‘the competent authorities of the Member States’ means all police public authorities and other law enforcement services existing in the Member States which are responsible under , in accordance with the applicable national law, for preventing and combating criminal offences in respect of which Europol is competent ; [Am. 52]

(b)	‘analysis’ means the assembly, processing or use of data careful examination of information to discover its specific meaning and particular features with the aim of assisting criminal investigations and carrying out any of the other tasks listed in Article 4 ; [Am. 53]

(c)	‘Union bodies’ means institutions, entities, missions, offices and agencies set up by, or on the basis of the TEU and the TFEU;

(d)

‘law enforcement officers’ means officers of police, customs and of other relevant services, including Union bodies, responsible for preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime that affect a common interest covered by a Union policy and for civilian crisis management and international policing of major events;

(e)	‘third countries’ means countries that are not Member States of the European Union;

(f)	‘international organisations’ means international organisations and their subordinate bodies governed by public law or other bodies which are set up by, or on the basis of, an agreement between two or more countries;

(g)	‘private parties’ means entities and bodies established under the law of a Member State or a third country, in particular companies and firms, business associations, non-profit organizations and other legal persons that do not fall under point (f);

(h)	‘private persons’ means all natural persons;

(i)

‘personal data’ means any information relating to an identified or identifiable natural person hereinafter referred to as (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number , location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person ; [Am. 54]

(j)

‘processing of personal data’ hereinafter referred to as ‘processing’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(k)	‘recipient’ means a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients; [Am. 55]

(l)	‘transfer of personal data’ means the communication of personal data, actively made available, between a limited number of identified parties, with the knowledge or intention of the sender to give the recipient access to the personal data;

(m)	‘personal data filing system’ hereinafter referred to as ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(n)	‘the data subject’s consent’ means any freely given specific , explicit and informed indication of his/her wishes by which the data subject clearly and unambiguously signifies his/her agreement to personal data relating to him/her being processed; [Am. 56]

(o)	‘administrative personal data’ means all personal data processed by Europol apart from those that are processed to meet the objectives laid down in Article 3(1) and (2).

Article 3

Objectives

1. Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime , as specified in Annex 1 and affecting two or more Member States, terrorism and forms of crime which affect in such a way to require a common interest covered by a Union policy, as specified in Annex 1 approach by the Member States taking in account the scale, significance and consequences of the offences . [Am. 57]

2. Europol shall also support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating criminal offences related to the offences referred to under point (a). The following offences shall be regarded as related criminal offences:

(a)	criminal offences committed in order to procure the means of perpetrating acts in respect of which Europol is competent;

(b)	criminal offences committed in order to facilitate or carry out acts in respect of which Europol is competent;

(c)	criminal offences committed in order to ensure the impunity of acts in respect of which Europol is competent.

3. Europol shall support, develop, deliver and coordinate training activities for law enforcement officers. [Am. 58]

Chapter II

TASKS RELATED TO LAW ENFORCEMENT COOPERATION

Article 4

Tasks

1. Europol is the European Union agency that shall perform the following tasks in accordance with this Regulation:

(a)	to collect, store, process, analyse and exchange information;

(b)	to notify the Member States without delay , through the Europol national units, as referred to in Article 7, of information concerning them and of any connections between criminal offences; [Am. 59]

(c)

to coordinate, organise and implement investigative and operational action

(i)	carried out jointly with the Member States' competent authorities , either in investigations already started by Member States or as a result of a request from Europol to a Member State to initiate a criminal investigation ; or [Am. 60]

(ii)	in the context of joint investigative teams, in accordance with Article 5, where appropriate in liaison with Eurojust;

(d)	to participate in joint investigative teams as well as to propose that they are set up in accordance with Article 5;

(e)	to provide information and analytical support to Member States in connection with major international events;

(f)	to prepare threat assessments, strategic and operational analyses and general situation reports;

(g)	to develop, share and promote specialist knowledge of crime prevention methods, investigative procedures and technical and forensic methods, and to provide advice to Member States;

(h)	to provide technical and financial support to Member States' cross-border operations and investigations, including through joint investigative teams in accordance with Article 5 ; [Am. 61]

(i)	to support, develop, deliver, coordinate and implement training for law enforcement officers in cooperation with the network of training institutes in Member States as set out in Chapter III; [Am. 62]

(j)	to provide the Union bodies established on the basis of Title V of the Treaty and the European Anti-Fraud Office (OLAF) with criminal intelligence and analytical support in the areas that fall under their competence; [Am. 63]

(k)	to provide information and support to EU crisis management structures, and to EU crisis management missions established on the basis of the TEU;

(l)	to develop Union centres of specialised expertise for combating certain types of crime falling under Europol’s objectives, in particular the European Cybercrime Centre;

(la)	to aid investigations in the Member States, in particular by forwarding all relevant information to the national units. [Am. 64]

2. Europol shall provide strategic analyses and threats assessments to assist the Council and the Commission in laying down strategic and operational priorities of the Union for fighting crime. Europol shall also assist in operational implementation of those priorities.

3. Europol shall provide strategic intelligence to assist the efficient and effective use of the resources available at national and Union level for operational activities and the support of those activities.

4. Europol shall act as the Central Office for combating euro counterfeiting in accordance with Council Decision 2005/511/JHA (14). Europol shall also encourage the coordination of measures carried out to fight euro counterfeiting by the competent authorities of the Member States or in the context of joint investigation teams, where appropriate in liaison with Union bodies and the authorities of third countries.

4a. Europol shall not apply coercive measures. [Am. 65]

Article 5

Participation in joint investigation teams

1. Europol may participate in the activities of joint investigation teams dealing with crime that falls under Europol’s objectives.

2. Europol may, within the limits provided by the law of the Member States in which joint investigative team is operating, assist in all activities and exchange of information with all members of the joint investigative team. Europol officers shall not take part in the application of coercive measures. [Am. 66]

3. Where Europol has reasons to believe that setting up a joint investigation team would add value to an investigation, it may propose this to the Member States concerned and take measures to assist them in setting up the joint investigation team.

3a. Europol participation in a joint investigative team shall be agreed by the competent authorities of the Member States involved in that team and shall be recorded in a document signed in advance by the Director of Europol, which shall be annexed to the corresponding agreement on the setting-up of a joint investigative team. [Am. 67]

3b. The annex referred to in paragraph 3a shall lay down the conditions under which Europol officers are to take part in the joint investigative team, including rules governing the privileges and immunities of those officers and the liabilities arising from possible irregular activities on the part of those officers. [Am. 68]

3c. Europol officers taking part in a joint investigative team shall be subject, as regards any infringements against them or committed by them, to the national law of the Member State in which the joint investigative team is operating, applicable to members of the joint investigative team performing similar functions in that Member State. [Am. 69]

3d. Europol officers taking part in a joint investigative team may exchange information obtained from Europol's data storage systems with the members of the team. Given that this involves direct contact as regulated in Article 7, Europol shall simultaneously inform the Europol National Units in the Member States represented in the joint investigative team and the Europol National Units in the Member States which provided the information. [Am. 70]

3e. Information obtained by a Europol officer while taking part in a joint investigative team may be incorporated into any of Europol's data storage systems, through the Europol National Units, with the consent and under the responsibility of the competent authority which provided that information. [Am. 71]

4. Europol shall not apply coercive measures.

Article 6

Requests by Europol for the initiation of criminal investigations

1. In specific cases where Europol considers that a criminal investigation should be initiated into a crime that falls under its objectives, it shall inform Eurojust. [Am. 72]

2. At the same time, Europol shall may request the National Units of the Member States concerned established on the basis of Article 7(2) to initiate, conduct or coordinate a criminal investigation. [Am. 73]

2a. In the case of a suspicion of a malicious attack on the network and information system of two or more Member States or Union bodies, carried out by a state or non-state actor located in a third country, Europol shall initiate an investigation on its own initiative. [Am. 74]

3. The National Units Member States shall give such requests due consideration and shall, through their National Units, inform Europol without delay of the initiation of the whether an investigation will be initiated . [Am. 75]

4. If the competent authorities of the Member States concerned decide not to comply with the request made by Europol, they shall provide Europol with the reasons for the decision, within one month of the request. The reasons may be withheld if giving them would:

(a)	harm essential national security interests; or

(b)	jeopardise the success of investigations under way or the safety of individuals.

5. Europol shall inform Eurojust of the decision of a competent authority of a Member State to initiate or refuse to initiate an investigation.

Article 7

Member States’ cooperation with Europol

1. Member States and Europol shall cooperate with Europol in the fulfilment of its Europol's tasks. [Am. 76]

2. Each Member State shall establish or designate a National Unit which shall be the liaison body between Europol and the designated competent authorities in Member States as well as with training institutes for law enforcement officers. Each Member State shall appoint an official as the designate a head of the National Unit. [Am. 77]

3. Member States shall ensure that their National Units are able to fulfil their tasks as set out in this Regulation, in particular that they have access to national law enforcement databases.

4. The national unit shall be the only liaison body between Europol and the competent authorities of the Member States. However Europol may directly cooperate with competent authorities of the Member States in respect the framework of individual investigations. In that case, being carried out by those authorities provided that this direct contact represents added value with a view to the successful conclusion of the investigation and in accordance with national legislation. Europol shall inform the National Unit without delay and of the need for such contact in advance. Europol shall provide , as soon as possible, a copy of any the information exchanged in the course of through these direct contacts between Europol and the respective competent authorities. [Am. 78]

5. Member States shall, via their National Unit or a competent authority of a Member State, in particular: [Am. 79]

(a)

supply Europol , on their own initiative, with the information and intelligence necessary for it to fulfil its objectives. This includes providing Europol without delay with information relating to crime areas that are considered a priority by the Union. It also includes providing a copy of bilateral or multilateral exchanges with another Member State or Member States in so far as the exchange refers to crime that falls under Europol’s objectives perform its functions, and respond to Europol's requests for information, the supply of intelligence and advice .

Without prejudice to the Member States’ discharging the responsibilities incumbent upon them with regard to the maintenance of law and order and the safeguarding of internal security, a national unit shall not in any particular case be obliged to supply information or intelligence if that would entail:

(i)	harming essential national security interests;

(ii)	jeopardising the success of a current investigation or the safety of individuals; or

(iii)

disclosing information relating to organisations or specific intelligence activities in the field of State security; [Am. 80]

(b)	ensure effective communication and cooperation of all relevant competent authorities of the Member States and training institutes for law enforcement officers within the Member States, with Europol; [Am. 81]

(c)	raise awareness of Europol’s activities. [Am. 82]

(ca)	ask Europol to provide relevant information that might facilitate investigations being carried out by the designated competent authorities; [Am. 83]

(cb)	ensure effective communication and cooperation with the competent authorities; [Am. 84]

(cc)	ensure compliance with the law in every exchange of information between themselves and Europol. [Am. 85]

6. The heads of National Units shall meet on a regular basis, particularly to discuss and solve problems that occur in the context of their operational cooperation with Europol.

7. Each Member State shall define the organisation and the staff of the National Unit according to its national legislation.

8. The costs incurred by National Units and of the competent authorities in Member States in communications with Europol shall be borne by the Member States and, apart from the costs of connection, shall not be charged to Europol.

9. Member States shall ensure a minimum the highest possible level of security of all systems used to connect to Europol. [Am. 86]

10. Each year Europol shall draw up a report on the quantity and quality of regarding information provided sharing by each Member State pursuant to paragraph 5(a) and on the performance of its National Unit. The report shall be analysed by the Management Board with the objective of continuously improving the mutual cooperation between Europol and the Member States. The annual report shall be sent to the European Parliament, the Council, the Commission and national parliaments. [Am. 229]

Article 8

Liaison officers

1. Each National Unit shall designate at least one liaison officer to Europol. Except as otherwise laid down in this Regulation, liaison officers shall be subject to the national law of the designating Member State.

2. Liaison officers shall constitute the national liaison bureaux at Europol and shall be instructed by their National Units within Europol in accordance with the national law of the designating Member State and the provisions applicable to the administration of Europol.

3. Liaison officers shall assist in the exchange of transmit information between from their national units to Europol, and their Member States from Europol to the national units . [Am. 87]

4. Liaison officers shall assist in the exchange of information between their Member States and the liaison officers of other Member States in accordance with national law. Europol’s infrastructure may be used, in line with national law, for such bilateral exchanges also to cover crimes outside the objectives of Europol. The Management Board shall determine the rights and obligations of liaison officers in relation to Europol. All such exchanges of information shall be in accordance with Union and national law, in particular Decision 2008/977/JHA or Directive 95/46/EC of the European Parliament and of the Council (15) , as applicable. Europol shall process data received under this provision only when it can be considered a lawful recipient under national or Union law. [Am. 88]

5. Liaison officers shall enjoy the privileges and immunities necessary for the performance of their tasks in accordance with Article 65.

6. Europol shall ensure that liaison officers are fully informed of and associated with all of its activities, insofar as this is necessary for the performance of their tasks.

7. Europol shall cover the costs of providing Member States with the necessary premises in the Europol building and adequate support for liaison officers to carry out their duties. All other costs that arise in connection with the designation of liaison officers shall be borne by the designating Member State, including the costs of equipment for liaison officers, unless the budgetary authority decides otherwise on the recommendation of the Management Board.

Chapter III

TASKS RELATED TO TRAINING FOR LAW ENFORCEMENT OFFICERS

Article 9

Europol Academy

1. A department within Europol, called the Europol Academy, as set up by this Regulation, shall support, develop, deliver and coordinate training for law enforcement officers in particular in the areas of the fight against serious crime affecting two or more Member States and terrorism, management of high-risk public order and sports events, strategic planning and command of non-military Union missions, as well as law enforcement leadership and language skills and in particular to:

(a)

raise awareness and knowledge of:

(i)	international and Union instruments on law enforcement cooperation;

(ii)	Union bodies, in particular Europol, Eurojust and Frontex, their functioning and role;

(iii)

judicial aspects of law enforcement cooperation and practical knowledge about access to information channels;

(b)	encourage the development of regional and bilateral cooperation among Member States and between Member States and third countries;

(c)	address specific criminal or policing thematic areas where training at Union level can add value;

(d)	devise specific common curricula for law enforcement officers to train them for participation in Union civilian missions;

(e)	support Member States in bilateral law enforcement capacity-building activities in third countries;

(f)	train trainers and assist in improving and exchanging good learning practices.

2. The Europol Academy shall develop and regularly update learning tools and methodologies and apply these in a lifelong learning perspective to strengthen the skills of law enforcement officers. The Europol Academy shall evaluate the results of these actions with a view to enhancing the quality, coherence and efficacy of future actions.

Article 10

Tasks of the Europol Academy

1. The Europol Academy shall prepare multi-annual strategic training needs analyses and multi-annual learning programmes.

2. The Europol Academy shall develop and implement training activities and learning products, which may include:

(a)	courses, seminars, conferences, web-based and e-learning activities;

(b)	common curricula to raise awareness, address gaps and/or facilitate a common approach in relation to cross-border criminal phenomena;

(c)	training modules graduated according to progressive stages or levels of complexity of skills needed by the relevant target group, and focused either on a defined geographical region, a specific thematic area of criminal activity or on a specific set of professional skills;

(d)	exchange and secondment programmes of law enforcement officers in the context of an operational based training approach.

3. To ensure a coherent European training policy to support civilian missions and capacity-building in third countries the Europol Academy shall:

(a)	assess the impact of existing Union-related law enforcement training policies and initiatives;

(b)	develop and provide training to prepare Member States’ law enforcement officers for participation in civilian missions, including to enable them to acquire relevant language skills;

(c)	develop and provide training for law enforcement officers from third countries, in particular from the countries that are candidates for accession to the Union;

(d)	manage dedicated Union External Assistance funds to assist third countries in building their capacity in relevant policy areas, in line with the established priorities of the Union.

4. The Europol Academy shall promote the mutual recognition of law enforcement training in Member States and related existing European quality standards.

Article 11

Research relevant for training

1. The Europol Academy shall contribute to development of research relevant for training activities covered by this Chapter.

2. The Europol Academy shall promote and establish a partnership with Union bodies as well as with public and private academic institutions and shall encourage the creation of stronger partnerships between universities and law enforcement training institutes in Member States. [Am. 89]

Chapter IV

ORGANISATION OF EUROPOL

Article 12

Administrative and management structure of Europol

The administrative and management structure of Europol shall comprise:

(a)	a Management Board, which shall exercise the functions set out in Article 14;

(b)	an Executive Director, who shall exercise the responsibilities set out in Article 19;

(c)	a Scientific Committee for Training in accordance with Article 20; [Am. 90]

(d)	if appropriate, any other advisory body established by the Management Board in accordance with Article 14(1)(p);

(e)	if appropriate, an Executive Board in accordance with Articles 21 and 22. [Am. 91]

SECTION 1

MANAGEMENT BOARD

Article 13

Composition of the Management Board

1. The Management Board shall be composed of one representative from each Member State and two representatives one representative of the Commission, all with voting rights. [Am. 92]

1a. A representative of the Joint Parliamentary Scrutiny Group shall be authorised to attend meetings of the Management Board with observer status. This representative shall not be entitled to vote. [Am. 93]

2. The members of the Management Board shall be appointed on the basis of their experience in the management of public or private sector organisations and knowledge of law enforcement cooperation.

3. Each member of the Management Board shall be represented by an alternate member who shall be appointed on the basis of his/her experience in the management of public and private sector organisations and knowledge of national policy on training for law enforcement officers. The alternate member shall act as a member on any issues related to training of law enforcement officers by the full member on the basis of the criteria set out in Article 13(2). The alternate member shall represent the member in his/her absence. The member shall represent the alternate on any issues related to training of law enforcement officers in his/her absence. [Am. 94]

4. All parties represented in the Management Board shall make efforts to limit the turnover of their representatives, to ensure continuity of the Management Board’s work. All parties shall aim to achieve a balanced representation between men and women on the Management Board. [Am. 95]

5. The term of office for members and alternate members shall be four years. That term shall be extendable. Upon expiry of their term of office or in the event of their resignation, members shall remain in office until their appointments are renewed or until they are replaced determined by the period assigned to them by the designating Member State . [Am. 96]

5a. The Chairperson shall be supported by the Secretariat of the Management Board. The Secretariat shall in particular:

(a)	be closely and continuously involved in organising, coordinating and ensuring the coherence of the Management Board’s work. Acting under the responsibility of and in accordance with guidelines given by the Chairperson;

(b)	provide the Management Board with the administrative support necessary for it to carry out its duties. [Am. 97]

5b. Each member of the Management Board shall submit a declaration of his or her interests at the beginning of his or her term of office. [Am. 98]

Article 14

Functions of the Management Board

1. The Management Board shall:

(a)	adopt each year Europol’s work programme for the following year by a majority of two-thirds of members and in accordance with Article 15;

(b)	adopt a multi-annual work programme, by a majority of two-thirds of members in accordance with Article 15;

(c)	adopt, by a majority of two thirds of its members, the annual budget of Europol and exercise other functions in respect of Europol’s budget pursuant to Chapter XI;

(d)

adopt a consolidated annual activity report on Europol’s activities and, send and present it to the Joint Parliamentary Scrutiny Group , and forward it, by 1 July of the following year, to the European Parliament, the Council, the Commission, the Court of Auditors and, the national parliaments and the European Data Supervisor by 1 July of the following year. The consolidated annual activity report shall be made public; [Am. 99]

(e)	adopt the financial rules applicable to Europol in accordance with Article 63;

(f)	by 31 January adopt, after taking into account the opinion of the Commission, the multiannual staff policy plan;

(g)	adopt an anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the measures to be implemented; [Am. 100]

(h)	adopt rules for the prevention and management of conflicts of interest in respect of its members, as well as members of the Scientific Committee for Training; [Am. 101]

(i)

in accordance with paragraph 2, exercise, with respect to the staff of Europol, the powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude a Contract of Employment (‘the appointing authority powers’); [Am. 102]

(j)	on a proposal from the Director, adopt appropriate implementing rules for giving effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110 of the Staff Regulations; [Am. 103]

(k)	appoint the Executive Director and Deputy Executive Directors and where relevant extend their term of office or remove them from the office in accordance with Articles 56 and 57;

(l)	establish performance indicators and oversee the Executive Director’s performance including the implementation of Management Board decisions;

(m)	appoint an Accounting Officer, subject to the Staff Regulations and the Conditions of Employment of Other Servants, who shall be functionally independent in the performance of his/her duties;

(n)	appoint the members of the Scientific Committee for Training; [Am. 104]

(o)	ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports and evaluations, as well as from investigations of the European Anti-fraud Office (OLAF) and from the European Data Protection Supervisor ; [Am. 105]

(p)	take all decisions on the establishment of Europol’s internal structures and, where necessary, their modification; [Am. 106]

(q)	adopt its rules of procedure;

(qa)

appoint a Data Protection Officer, who shall be independent in its functions from the Management Board and shall be responsible for the setting up and managing of the data processing systems. [Am. 107]

The Management Board may, on a recommendation from the European Data Protection Supervisor under Article 46(3)(f) and with the support a two-thirds majority of its members, impose a temporary or definitive ban on processing. [Am. 108]

2. The Management Board shall adopt, in accordance with Article 110 of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants delegating the relevant appointing authority powers to the Executive Director and defining the conditions under which this delegations of powers can be suspended. The Executive Director shall be authorised to sub-delegate those powers.

Where exceptional circumstances so require, the Management Board may, by way of a decision, temporarily suspend the delegation of the appointing authority powers to the Executive Director and those sub-delegated by the latter and exercise them itself or delegate those powers to one of its members or to a staff member other than the Executive Director. [Am. 109]

Article 15

Annual work programme and multi-annual work programme

1. The Management Board shall adopt the annual work programme at the latest by 30 November each year, based on a draft put forward by the Executive Director and presented to the Joint Parliamentary Scrutiny Group , taking into account the opinion of the Commission. It shall forward it to the European Parliament Joint Parliamentary Scrutiny Group , the Council, the Commission and, national parliaments and the European Data Protection Supervisor. [Am. 110]

2. The annual work programme shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with subject to the multi-annual work programme referred to in paragraph 4. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year. [Am. 111]

3. The Management Board shall amend the adopted annual work programme if a new task is given to Europol.

Any substantial amendment Amendments to the annual work programme shall be adopted by the same procedure as the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director. [Am. 112]

4. The Management Board shall also adopt the multi-annual work programme and update it by 30 November each year, taking into account the opinion of the Commission and after consulting the European Parliament and national parliaments , as well as the European Data Protection Supervisor . [Am. 114]

The adopted multi-annual work programme shall be forwarded and presented to the Joint Parliamentary Scrutiny Group, and shall be forwarded to the European Parliament, the Council, the Commission, national parliaments and the European Data Protection Supervisor . [Am. 113]

The multi-annual work programme shall set out strategic objectives and expected results including performance indicators. It shall also contain an indication of the amount and staff allocated to each objective, in line with the multiannual financial framework and the multi-annual staff policy plan. It shall include the strategy for relations with third countries or international organisations referred to in Article 29.

The multi-annual programme shall be implemented through annual work programmes and shall, where appropriate, be updated following the outcome of external and internal evaluations. The conclusion of these evaluations shall also be reflected, where appropriate, in the annual work programme for the following year.

Article 16

Chairperson of the Management Board

1. The Management Board shall elect a Chairperson and a Deputy Chairperson from among members. The Chairperson and the Deputy Chairperson shall be elected by a majority of two-thirds of the members of the Management Boards.

The Deputy Chairperson shall automatically replace the Chairperson if he/she is prevented from attending to his/her duties.

2. The terms of office of the Chairperson and of the Deputy Chairperson shall be four five years. Their term of office may be renewed once. If, however, their membership of the Management Board ends at any time during their term of office as Chairperson or Deputy Chairperson, their term of office shall automatically expire on that date. [Am. 115]

Article 17

Meetings of the Management Board

1. The Chairperson shall convene the meetings of the Management Board.

2. The Executive Director of Europol shall take part in the deliberations.

3. The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative of its Chairperson, at the request of the Commission or at the request of at least one-third of its members.

4. The Management Board may invite any person whose opinion may be relevant for the discussion to attend its meeting as a non-voting observer.

4a. A representative of the Joint Parliamentary Scrutiny Group shall be authorised to attend meetings of the Management Board with observer status. [Am. 116]

5. Advisers or experts may assist the members of the Management Board, subject to the provisions of its Rules of Procedure.

6. Europol shall provide the secretariat for the Management Board.

Article 18

Voting rules

1. Without prejudice to Articles Article 14(1), first subparagraph, (a), (b) and (c), and Article 14(1), subparagraph 1a, Article 16(1) and Article 56(8), the Management Board shall take decisions by a majority of members. [Am. 117]

2. Each member shall have one vote. In the absence of a voting member, his/her alternate shall be entitled to exercise his/her right to vote.

3. The Chairperson shall take part in voting.

4. The Executive Director shall not take part in voting.

4a. The representative of the Joint Parliamentary Scrutiny Group shall not vote. [Am. 118]

5. The Management Board’s rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member, and any quorum requirements, where necessary.

SECTION 2

EXECUTIVE DIRECTOR

Article 19

Responsibilities of the Executive Director

1. The Executive Director shall manage Europol. He/she shall be accountable to the Management Board.

2. Without prejudice to the powers of the Commission, the Management Board or the Executive Board, the Executive Director shall be independent in the performance of his/her duties and shall neither seek nor take instructions from any government, nor from any other body.

3. The Executive Director shall appear and report regularly to the European Parliament Joint Parliamentary Scrutiny Group on the performance of his/her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his/her duties. [Am. 119]

4. The Executive Director shall be the legal representative of Europol.

5. The Executive Director shall be responsible for the implementation of the tasks assigned to Europol by this Regulation. In particular, the Executive Director shall be responsible for:

(a)	the day-to-day administration of Europol;

(b)	implementing decisions adopted by the Management Board;

(c)	preparing the annual work programme and the multi-annual work programme and submitting them to the Management Board after consulting , taking into account the opinion of the Commission; [Am. 120]

(d)	implementing the annual work programme and the multi-annual work programme and reporting to the Management Board on their implementation;

(e)	preparing the consolidated annual report on Europol’s activities and presenting it to the Management Board for approval;

(f)	preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as investigation reports and recommendations from investigations by the (OLAF) and reporting on progress twice a year to the Commission and regularly to the Management Board;

(g)

protecting the financial interests of the Union by applying preventive measures against fraud, corruption and any other illegal activities and, without prejudice to the investigative competence of OLAF, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;

(h)	preparing an anti-fraud strategy strategic analysis and a strategy to prevent and manage conflicts of interests for Europol and presenting it to the Management Board for approval; [Am. 121]

(i)	preparing draft financial rules applicable to Europol;

(j)	preparing Europol’s draft statement of estimates of revenue and expenditure and implementing its budget;

(k)	preparing a draft multi-annual staff policy plan and submitting it to the Management Board after consultation taking into account the opinion of the Commission; [Am. 122]

(ka)

exercising with respect to Europol staff those powers conferred by the Staff Regulations of Officials of the European Communities on the Appointing Authority and by the Conditions of Employment of Other Servants of the Communities on the Authority empowered to Conclude contracts of Employment (‘powers of the Appointing Authority’), without prejudice to Article 14(1)(j); [Am. 123]

(kb)	taking all decisions on the establishment of Europol’s internal structures and, where necessary, their modification; [Am. 124]

(l)	supporting the Chair of the Management Board in preparing Management Board meetings;

(m)	informing the Management Board on a regular basis regarding the implementation of Union strategic and operational priorities for fighting crime.

SECTION 3

SCIENTIFIC COMMITTEE FOR TRAINING

Article 20

The Scientific Committee for Training

1. The Scientific Committee for Training shall be an independent advisory body guaranteeing and guiding the scientific quality of Europol’s work on training. For that purpose, the Executive Director shall involve the Scientific Committee for Training early on in the preparation of all documents referred to in Article 14 as far as they concern training.

2. The Scientific Committee for Training shall be composed of 11 persons of the highest academic or professional standing in the subjects covered by Chapter III of this Regulation. The Management Board shall appoint the members following a transparent call for applications and selection procedure to be published in the Official Journal of the European Union. The members of the Management Board shall not be members of the Scientific Committee for Training. The members of the Scientific Committee for Training shall be independent. They shall neither seek nor take instructions from any government, nor from any other body.

3. The list of members of the Scientific Committee for Training shall be made public and shall be updated by Europol on its website.

4. The term of office of the members of the Scientific Committee for Training shall be five years. It shall not be renewable and its members can be removed from office if they do not meet the criteria of independence.

5. The Scientific Committee for Training shall elect its Chairperson and Deputy Chairperson for a term of office of five years. It shall adopt positions by simple majority. It shall be convened by its Chairperson up to four times per year. If necessary, the Chairperson shall convene extraordinary meetings on his/her own initiative or at the request of at least four members of the Committee.

6. The Executive Director, Deputy Executive Director for Training or their respective representative shall be invited to the meetings as a non-voting observer.

7. The Scientific Committee for Training shall be assisted by a secretary who shall be a Europol staff member designated by the Committee and appointed by the Executive Director.

8. The Scientific Committee for Training shall, in particular:

(a)	advise the Executive Director and the Deputy Executive Director for Training in drafting the annual work programme and other strategic documents, to ensure their scientific quality and their coherence with relevant Union sector policies and priorities;

(b)	provide independent opinion and advice to the Management Board on matters pertaining to its remit;

(c)	provide independent opinion and advice on the quality of curricula, applied learning methods, learning options and scientific developments;

(d)	perform any other advisory task pertaining to the scientific aspects of Europol’s work relating to training at the request of the Management Board or by the Executive Director or the Deputy Executive Director for Training.

9. The annual budget of the Scientific Committee for Training shall be allocated to an individual budget line of Europol. [Am. 125]

SECTION 4

EXECUTIVE BOARD

Article 21

Establishment

The Management Board may establish an Executive Board.

Article 22

Functions and organisation

1. The Executive Board shall assist the Management Board.

2. The Executive Board shall have the following functions:

(a)	preparing decisions to be adopted by the Management Board;

(b)	ensuring, together with the Management Board, adequate follow-up to the findings and recommendations stemming from the internal or external audit reports and evaluations, as well as on the investigation reports and recommendations from investigations of the European Anti-Fraud Office (OLAF);

(c)	without prejudice to the functions of the Executive Director, as set out in Article 19, assisting and advising the Executive Director in the implementation of the decisions of the Management Board, with a view to reinforcing supervision of administrative management.

3. When necessary, because of urgency, the Executive Board may take certain provisional decisions on behalf of the Management Board, in particular on administrative management matters, including the suspension of the delegation of the appointing authority powers.

4. The Executive Board shall be composed of the Chairperson of the Management Board, one representative of the Commission to the Management Board and three other members appointed by the Management Board from among its members. The Chairperson of the Management Board shall also be the Chairperson of the Executive Board. The Executive Director shall take part in the meetings of the Executive Board, but shall not have the right to vote.

5. The term of office of members of the Executive Board shall be four years. The term of office of members of the Executive Board shall end when their membership of the Management Board ends.

6. The Executive Board shall hold at least one ordinary meeting every three months. In addition, it shall meet on the initiative of its Chairperson or at the request of its members.

7. The Executive Board shall comply with the rules of procedure laid down by the Management Board. [Am. 126]

Chapter V

PROCESSING OF INFORMATION

Article 23

Sources of information

1. Europol shall only process information that has been provided to it:

(a)	by Member States in accordance with their national law;

(b)	by Union bodies, third countries and international organisations in accordance with Chapter VI;

(c)	by private parties in accordance with Article 29(2).

2. Europol may directly retrieve and process information, including personal data, from publicly available sources, such as the media, including the internet and public data.

3. Europol may retrieve and process information, including personal data, from information systems, of a national, Union or international nature, including by means of computerised access, in so far as authorised by Union, international or national legal instruments and where the necessity and proportionality of such access for the performance of a task falling under Europol's mandate can be demonstrated . The applicable provisions of such Union, international or national legal instruments shall govern the access to and use of that information by Europol insofar as they provide for stricter rules on access and use than those of this Regulation.

They shall lay down the objectives, the categories of personal data and the purposes, means and the procedure to be followed for the retrieval and processing of the information, respecting the applicable data protection legislation and principles. The access to such information systems shall be granted only to duly authorised staff of Europol as far as this is strictly necessary and proportionate for the performance of their tasks. [Am. 127]

Article 24

Purposes of information processing activities

1. In so far as necessary for the achievement of its objectives as laid down in Article 3(1) and (2), Europol shall may process information, including personal data.

Personal data may be processed only for the purposes of:

(a)

cross-checking aimed at identifying connections or other relevant links between information limited to :

(i)	persons who are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent, or who have been convicted for such an offence,

(ii)	persons regarding whom there are factual indications or reasonable grounds that they will commit criminal offences;

(b)	analyses of a strategic or thematic nature;

(c)	operational analyses in specific cases.

The execution of these tasks shall be performed under the following criteria:

—

the checks under point (a) shall be carried out in accordance with the necessary data protection guarantees, and shall, especially, provide sufficient justification for the data request and its purpose. The necessary measures shall also be taken to ensure that only those authorities that are initially responsible for collecting the data may subsequently change them;

—

for each operational analysis case referred to in point (c) the following specific safeguards shall apply:

(i)	a specified purpose shall be defined; personal data may only be processed where they are relevant for this specific purpose;

(ii)	all cross-matching operations by Europol staff shall be specifically motivated; the retrieval of data following a consultation shall be limited to the strict minimum required and specifically motivated;

(iii)

only authorized staff in charge of the purpose for which the data were initially collected may modify that data.

Europol shall duly document these operations. The documentation shall be made available, at request, to the Data Protection Officer and to the European Data Protection Supervisor for the purpose of verifying the lawfulness of the processing operation.

2. Categories of personal data and categories of data subjects whose data may be collected for each specific purpose referred to under paragraph1 are listed in Annex 2.

2a. Europol may temporarily, in exceptional cases, process data for the purpose of determining whether such data are relevant to its tasks and for which of the purposes referred to under paragraph 1. The Management Board, acting on a proposal from the Director and after consulting the European Data Protection Supervisor, shall determine the conditions relating to the processing of such data, in particular with respect to access to and the use of the data, as well as time limits for the storage and deletion of the data that may not exceed six months, having due regard to the principles referred to in Article 34.

2b. The European Data Protection Supervisor will draft guidelines specifying the purposes listed in points (a), (b) and (c) of paragraph 1. [Am. 128]

Article 25

Determination of the purpose of information processing activities

1. A Member State, a Union body, a third country or an international organisation providing information to Europol determines the specific and well defined purpose for which it shall be processed as referred to in Article 24. If it has not done so, Europol shall determine relevance of such information as well as the purpose for which it shall be processed. Europol may process information for a different specific and explicit purpose than the one for which information has been provided only if explicitly authorised by the data provider , in accordance with the applicable law . [Am. 129]

2. Member States, Union bodies, third countries and international organisations may indicate, at the moment of transferring information, any restriction on access or use, in general or specific terms, including as regards erasure or destruction. Where the need for such restrictions becomes apparent after the transfer, they shall inform Europol accordingly. Europol shall comply with such restrictions.

3. Europol may assign any restriction to access or use by Member States, Union bodies, third countries and international organisations of information retrieved from publicly-available sources.

Article 25a

Data Protection impact assessment

1. Prior to any set of processing of personal data, Europol shall carry out an assessment of the impact of the envisaged processing systems and procedures on the protection of personal data and notify it to the European Data Protection Supervisor.

2. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate the compliance with the provisions in this Regulation, taking into account the rights and legitimate interests of the data subjects and other persons concerned. [Am. 130]

Article 26

Access by Member States’ and Europol’s staff to information stored by Europol

1. Member States, where they can justify the need for the legitimate performance of their tasks, shall have access to and be able to search all information which has been provided for the purposes of Article 24(1)(a) and (b), without prejudice to the right for Member States, Union bodies and third countries and international organisations to indicate restrictions on access and use of such data. Member States shall designate these competent authorities allowed to perform such a search.

2. Member States shall have indirect access on the basis of a hit/no hit system to information provided for the purposes of a specific purpose under Article 24(1)(c), without prejudice to any restrictions indicated by the Member States, Union bodies and third countries or international organisations providing the information, in accordance with Article 25(2). In the case of a hit, Europol shall inform the provider of the information and initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the Member State that provided the information to Europol provider of the information to Europol and to the extent necessary for the legitimate performance of the task of the Member State concerned .

3. Europol staff duly empowered by the Executive Director shall have access to information processed by Europol to the extent required for the performance of their duties.

3a. Europol shall keep detailed records of all hits and information accessed in accordance with Article 43. [Am. 131]

Article 27

Access to Europol information for Eurojust and OLAF

1. Europol shall take all appropriate measures to enable Eurojust and the European Anti-Fraud Office (OLAF) within their respective mandates, its mandate to have access to and be able to search all information that has been provided for the purposes of Article 24(1)(a) and (b), without prejudice to the right for Member States, Union bodies and third countries and international organisations to indicate restrictions to the access and use of such data. Europol shall be informed where a search by Eurojust or OLAF reveals the existence of a match with information processed by Europol.

2. Europol shall take all appropriate measures to enable Eurojust and OLAF, within their respective mandates its mandate , to have indirect access on the basis of a hit/no hit system to information provided for the purposes a specific purpose under Article 24(1)(c), without prejudice to any restrictions indicated by the providing Member States, Union bodies and third countries or international organisations, in accordance with Article 25(2). In case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the Member State, Union body, third country or international organisation that provided the information to Europol. In case of a hit, Eurojust shall specify which data it needs and Europol may share the data only to the extent that the data generating the hit are necessary for the legitimate performance of its tasks. Europol shall log which information has been accessed.

3. Searches of information in accordance with paragraphs 1 and 2 shall be made only for the purpose of identifying whether information available at Eurojust or OLAF, respectively, matches with information processed at Europol.

4. Europol shall allow searches in accordance with paragraphs 1 and 2 only after obtaining from Eurojust information about which National Members, Deputies, Assistants, as well as Eurojust staff members , and from OLAF information about which staff members, have been designated as authorised to perform such searches.

5. If during Europol’s information processing activities in respect of an individual investigation, Europol or a Member State identifies the necessity for coordination, cooperation or support in accordance with the mandate of Eurojust or OLAF, Europol shall notify them thereof and shall initiate the procedure for sharing the information, in accordance with the decision of the Member State providing the information. In such a case Eurojust or OLAF shall consult with Europol.

6. Eurojust, including the College, the National Members, Deputies, Assistants, as well as Eurojust staff members, and OLAF, shall respect any restriction to access or use, in general or specific terms, indicated by Member States, Union bodies, third countries and international organisations in accordance with Article 25(2).

6a. Europol and Eurojust shall inform each other if, after consultation of each other's data, there are indications that data may be incorrect or conflicting with other data. [Am. 132]

Article 28

Duty to notify Member States

1. If Europol, in accordance with its task pursuant to Article 4(1)(b), needs to inform a Member State about information concerning it, and that information is subject to access restrictions pursuant to Article 25(2), that would prohibit sharing it, Europol shall consult with the data provider stipulating the access restriction and seek ask for authorisation for sharing.

Without such an explicit authorisation, the information shall not be shared.

In cases where the information is not subject to access restrictions pursuant to Article 25, Europol shall nevertheless inform the Member State which provided the information that it has been passed on. [Am. 133]

2. Irrespective of any access restrictions, Europol shall inform a Member State about information concerning it if:

(a)	this is absolutely necessary in the interest of preventing imminent danger associated with serious crime or terrorist offences; or

(b)	this is essential for the prevention of an immediate and serious threat to public security of that Member State.

In such a case, Europol shall inform the data provider of sharing this information as soon as possible and justify its analysis of the situation.

Chapter VI

RELATION WITH PARTNERS

SECTION 1

COMMON PROVISIONS

Article 29

Common provisions

1. In so far as necessary for the performance of its tasks, Europol may establish and maintain cooperative relations with the Union bodies in accordance with the objectives of those bodies, the law enforcement authorities of third countries, law enforcement training institutes of third countries, international organisations and private parties.

2. In so far as relevant to the performance of its tasks and subject to any restriction stipulated pursuant to Article 25(2), Europol may directly exchange all information, with the exception of personal data, with entities referred to in paragraph 1.

3. Europol may receive and process personal data from held by entities referred to in paragraph 1 except from private parties, in so far as it is strictly necessary and proportionate for the legitimate performance of its tasks and subject to the provisions of this Chapter.

4. Without prejudice to Article 36(4) (5) , personal data shall only be transferred by Europol to Union bodies, third countries and international organisations, if this is necessary for preventing and combating crime that falls under Europol’s objectives tasks and in accordance with this Chapter and if the recipient gives an explicit undertaking that the data will be used solely for the purpose for which they were transmitted . If the data to be transferred have been provided by a Member State, Europol shall seek that Member State’s prior and explicit consent, unless:

(a)	the authorisation can be assumed as the Member State has not expressly limited the possibility of onward transfers; or

(b)	the Member State has granted its prior authorisation to such onward transfer, either in general terms or subject to specific conditions. Such consent may be withdrawn any moment.

5. Onward transfers of personal data by Member States, Union bodies, third countries and international organizations shall be prohibited unless Europol has given its prior explicit consent and if the recipient gives an explicit undertaking that the data shall be used solely for the purpose for which they were transmitted .

5a. Europol shall ensure that detailed records of all transfers of personal data and their grounds are recorded in accordance with this Regulation.

5b. Any information which has been obtained by a third country, international organization or private party in violation of fundamental rights, as enshrined in the EU Charter of Fundamental Rights, shall not be processed. [Am. 134]

SECTION 2

EXCHANGES/TRANFERS OF PERSONAL DATA

Article 30

Transfer of personal data to Union bodies

Subject to any possible restrictions stipulated pursuant to Article 25(2) or (3) , and without prejudice to Article 27, Europol may directly transfer personal data to Union bodies in so far as it is necessary for the performance of its tasks or those of the recipient Union body. Europol shall make public the list of EU institutions and bodies with whom it shares information, by posting such a list on its website. [Am. 135]

Article 31

Transfer of personal data to third countries and international organisations

1. Europol may transfer personal data to an authority of a third country or to an international organisation, in so far as this is necessary for it to perform its tasks, on the basis of:

(a)	a decision of the Commission adopted in accordance with [Articles 25 and 31 of Directive 95/46/EC] that that country or international organisation, or a processing sector within that third country or an international organisation ensures an adequate level of protection (adequacy decision); or

(b)	an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals; or

(c)	a cooperation agreement concluded between Europol and that third country or international organisation in accordance with Article 23 of Decision 2009/371/JHA prior to the date of application of this Regulation.

These cooperation agreements shall be amended within five years after the entry into force of this Regulation and replaced by a subsequent agreement in accordance with point (b). [Am. 136]

Such transfers do not require any further authorisation. The European Data Protection Supervisor shall be consulted in a timely manner before and during the negotiation of an international agreement referred to in point (b) and in particular before adoption of the negotiating mandate as well as before the finalisation of the agreement.

Europol shall make publicly available a regular updated list of international and cooperation agreements it has with third countries and international organisations, by posting this list on its website. [Am. 137]

Europol may conclude working arrangements to implement such agreements or adequacy decisions.

2. By way of derogation from paragraph 1, the Executive Director may , whilst observing his/her obligations regarding discretion, confidentiality and proportionality, authorise the transfer of personal data to third countries or international organisations on a case-by-case basis if:

(a)	the transfer of the data is absolutely necessary to safeguard the essential interests of one or more Member States within the scope of Europol’s objectives in order to protect the vital interests of the data subject or another person ; or

(b)	the transfer of the data is absolutely necessary in the to safeguard legitimate interests of preventing imminent danger associated with crime or terrorist offences the data subject where the law of the Member State or third country transferring the personal data so provides ; or

(c)	the transfer of the data is otherwise necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims essential for the prevention of an immediate and serious threat to public security of a Member State or a third country ; or

(d)	the transfer is necessary to protect the vital interests of the data subject or another person in individual cases for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; or

(da)	the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal penalty.

The Executive Director shall in all circumstances consider the data protection level applicable in the third country or international organisation in question, taking into account the nature of the data, the purpose for which the data is intended, the duration of the intended processing, the general or specific data protection provisions applying in that country, and whether or not specific conditions required by Europol concerning the data have been accepted.

Derogations may not be applicable to systematic, massive or structural transfers.

Moreover the Management Board European Data Protection Supervisor may authorise a transfer or a set of transfers in conformity with points (a) to (d) above, taking into account of the existence adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, for a period not exceeding one year, renewable. [Am. 138]

3. The Executive Director shall inform without delay the Management Board and the European Data Protection Supervisor of cases where he/she applied paragraph 2. [Am. 139]

3a. Europol shall keep detailed records of all transfers under this Article. [Am. 140]

Article 32

Personal data from private parties

1. In so far as necessary for Europol to perform its tasks, Europol may process personal data originating from private parties on condition that are they are not received directly from the private parties but only via: [Am. 141]

(a)	a national unit of a Member State in accordance with national law;

(b)	the contact point of a third country with which Europol has concluded a cooperation agreement in accordance with Article 23 of the Decision 2009/371/JHA prior to date of application of this Regulation; or

(c)	an authority of a third country or an international organisation with which the Union has concluded an international agreement pursuant to Article 218 TFEU.

2. If the data received affect the interests of a Member State, Europol shall immediately inform the National Unit of the Member State concerned.

3. Europol shall not contact private parties directly to retrieve personal data. [Am. 142]

4. The Commission shall evaluate the necessity and possible impact of direct exchanges of personal data with private parties within three years after this Regulation is applicable. Such an evaluation shall specify among others the reasons whether the exchanges of personal data with private parties is necessary for Europol.

Article 33

Information from private persons

1. Information, including personal data, originating from private persons may be processed by Europol on condition that that it is received via:

(a)	a National Unit of a Member State in accordance with national law;

(b)	the contact point of a third country with which Europol has concluded a cooperation agreement in accordance with Article 23 of the Decision 2009/371/JHA prior to the date of application of this Regulation; or

(c)	an authority of a third country or an international organisation with which the European Union has concluded an international agreement pursuant to Article 218 TFEU.

2. If Europol receives information, including personal data, from a private person residing in a third country with which there is no international agreement, either concluded on the basis of Article 23 of Decision 2009/371/JHA or on the basis of Article 218 TFEU, Europol may only forward that information to a Member State or a third country concerned with which such international agreements have been concluded.

3. Europol shall not contact private persons directly to retrieve information. [Am. 143]

Chapter VII

DATA PROTECTION SAFEGUARDS

Article 34

General data protection principles

1. Personal data shall be:

(a)	processed fairly and lawfully , fairly and in a transparent and verifiable manner in relation to the data subject ;

(b)

collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing of personal data for historical, statistical or scientific purposes shall not be considered incompatible provided that Europol provides appropriate safeguards, in particular to ensure that data are not processed for any other purposes;

(c)	adequate, relevant, and not excessive limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(d)	accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e)	kept in a form which permits identification of data subjects and for no longer than it is necessary for the purposes for which the personal data are processed;

(ea)	processed in a way that effectively allows the data subject to exercise his or her rights;

(eb)	processed in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;

(ec)	processed by only those duly authorised staff who need them for the performance of their tasks.

1a. Europol shall make publicly available a document setting out in an intelligible form the provisions regarding the processing of personal data and the means available for the exercise of the rights of data subjects. [Am. 144]

Article 35

Different degrees of accuracy and reliability of personal data

1. The source of information originating from a Member State shall be assessed as far as possible by the providing Member State using the following source evaluation codes: [Am. 145]

(A):	where there is no doubt as to the authenticity, trustworthiness and competence of the source, or if the information is provided by a source which has proved to be reliable in all instances;
(B):	where the information is provided by a source which has in most instances proved to be reliable;
(C):	where the information is provided by a source which has in most instances proved to be unreliable;
(X):	where the reliability of the source cannot be assessed.

2. Information originating from a Member State shall be assessed as far as possible by the Member State providing information on the basis of its reliability using the following information evaluation codes: [Am. 146]

(1):	information the accuracy of which is not in doubt;
(2):	information known personally to the source but not known personally to the official passing it on;
(3):	information not known personally to the source but corroborated by other information already recorded;
(4):	information not known personally to the source and cannot be corroborated.

3. Where Europol, on the basis of information already in its possession, comes to the conclusion that the assessment needs to be corrected, it shall inform the Member State concerned and seek to agree on an amendment to the assessment. Europol shall not change the assessment without such agreement.

4. Where Europol receives information from a Member State without an assessment, Europol shall attempt as far as possible to assess the reliability of the source or the information on the basis of information already in its possession. The assessment of specific data and information shall take place in agreement with the supplying Member State. A Member State may also agree with Europol in general terms on the assessment of specified types of data and specified sources. If no agreement is reached in a specific case, or no agreement in general terms exists, Europol shall evaluate the information or data and shall attribute to such information or data the evaluation codes (X) and (4), referred to in paragraphs 1 and 2. [Am. 147]

5. Where Europol receives data or information from a third country or international organisation, or Union body, this Article shall apply accordingly.

6. Information from publicly-available sources shall be assessed by Europol using the evaluation codes set out in paragraphs 1 (X) and 2 (4) . [Am. 148]

Article 36

Processing of special categories of personal data and of different categories of data subjects

1. Processing of personal data on victims of a criminal offence, witnesses or other persons who can provide information on criminal offences, or on persons under the age of 18 shall be prohibited unless it is strictly necessary and duly justified for preventing or combating crime that falls under Europol's objectives. [Am. 149]

2. Processing of personal data, by automated or other means, revealing racial or, ethnic or social origin, political opinions, religion or beliefs, trade-union membership and of data concerning health or sex life shall be prohibited, unless it is strictly necessary and duly justified for preventing or combating crime that falls under Europol's objectives and if those data supplement other personal data already processed by Europol. [Am. 150]

3. Only Europol shall have access to personal data referred to in paragraphs 1 and 2. The Executive Director shall duly authorise a limited number of officials who would have such access, if this is necessary for the performance of their tasks.

4. No decision which produces legal effects concerning a data subject shall be based solely on automated processing of data referred to in paragraph 2, unless the decision is expressly authorised pursuant to national or Union legislation or, if necessary, by the European Data Protection Supervisor. [Am. 151]

5. Personal data referred to in paragraphs 1 and 2 shall not be transmitted to Member States, Union bodies, third countries or international organisations unless strictly necessary and duly justified in individual cases concerning crime that falls under Europol's objectives. Such transmission shall be in accordance with the provisions laid down in Chapter VI of this Regulation. [Am. 152]

6. Every six months Europol shall provide an overview of all personal data referred to in paragraph 2 processed by it to the European Data Protection Supervisor.

Article 37

Time-limits for the storage and erasure of personal data

1. Personal data processed by Europol shall be stored by Europol only as long as strictly necessary for the achievement of its objectives purposes for which the data are processed . [Am. 153]

2. Europol shall in any case review the need for continued storage no later than three years after the start of initial processing of personal data. Europol may decide on the continued storage of personal data until the following review, which shall take place after another period of three years, if continued storage is still necessary for the performance of Europol’s tasks. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the continued storage of personal data, that data shall be erased automatically after three years.

3. If data concerning persons referred to in Article 36(1) and (2) are stored for a period exceeding five years, the European Data Protection Supervisor shall be informed accordingly.

4. Where a Member State, an Union body, a third country or an international organisation has indicated any restriction as regards the earlier erasure or destruction of the personal data at the moment of transfer in accordance with Article 25(2), Europol shall erase the personal data in accordance with those restrictions. If continued storage of the data is deemed necessary for Europol to perform its tasks, based on information that is more extensive than that possessed by the data provider, Europol shall request the authorisation of the data provider to continue storing the data and present a justification for such a request.

5. Where a Member State, a Union body, a third country or an international organisation erases from its national data files data provided to Europol, it shall inform Europol accordingly. Europol shall erase the data unless the continued storage of the data is deemed necessary for Europol to achieve its objectives, based on information that is more extensive than that possessed by the data provider. Europol shall inform the data provider of the continued storage of such data and present a justification of such continued storage.

6. Personal data shall not be erased if:

(a)	this would damage the interests of a data subject who requires protection. In such cases, the data shall be used only with the express and written consent of the data subject; [Am. 154]

(b)	their accuracy is contested by the data subject, for a period enabling Member States or Europol, where appropriate, to verify the accuracy of the data;

(c)	the personal data have to be maintained for purposes of proof or for the establishment, exercise or defence of legal claims ; [Am. 155]

(d)	the data subject opposes their erasure and requests the restriction of their use instead.

Article 38

Security of processing

1. Europol shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other unauthorised form of processing.

2. In respect of automated data processing, Europol shall implement measures designed to:

(a)	deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access control);

(b)	prevent the unauthorised reading, copying, modification or removal of data media (data media control);

(c)	prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);

(d)	prevent the use of automated data-processing systems by unauthorised persons using data-communication equipment (user control);

(e)	ensure that persons authorised to use an automated data-processing system have access only to data covered by their access authorisation (data access control);

(f)	ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted using data communication equipment (communication control);

(g)	ensure that it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control);

(ga)	ensure that it is possible to verify and establish what data have been accessed by which member of personnel and at what time (access log); [Am. 156]

(h)	prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during the transportation of data media (transport control);

(i)	ensure that installed systems may, in the event of interruption, be restored immediately (recovery);

(j)	ensure that the functions of the system perform without fault, that the occurrence of faults in the functions is immediately reported (reliability) and that stored data cannot be corrupted by system malfunctions (integrity).

3. Europol and Member States shall define mechanisms to ensure that security needs are taken on board across information system boundaries.

Article 38a

Data protection by design and by default

1. Europol shall implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of provisions adopted pursuant to this Regulation and ensure the protection of the rights of the data subject.

2. Europol shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed. [Am. 157]

Article 38b

Notification of a personal data breach to the European Data Protection Supervisor

1. In the case of a personal data breach, Europol shall notify, without undue delay and, where feasible, not later than 24 hours after having become aware of it, the personal data breach to the European Data Protection Supervisor. Europol shall provide, on request, a reasoned justification in cases where the notification is not made within 24 hours.

2. The notification referred to in paragraph 1 shall at least:

(a)	describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;

(b)	recommend measures to mitigate the possible adverse effects of the personal data breach;

(c)	describe the possible consequences of the personal data breach;

(d)	describe the measures proposed or taken by the controller to address the personal data breach.

3. Europol shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken, enabling the European Data Protection Supervisor to verify compliance with this Article. [Am. 158]

Article 38c

Communication of a personal data breach to the data subject

1. Where a personal data breach referred to in Article 38b is likely to adversely affect the protection of the personal data or privacy of the data subject, Europol shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain the identity and contact details of the data protection officer referred to in Article 44.

3. The communication of a personal data breach to the data subject shall not be required if Europol demonstrates to the satisfaction of the European Data Protection Supervisor that it has implemented appropriate technological protection measures, and that those measures were applied to the personal data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

4. The communication to the data subject may be delayed, restricted or omitted where it is necessary and proportionate measure with due regard for the legitimate interests of the person concerned:

(a)	to avoid obstructing official or legal inquiries, investigations or procedures;

(b)	to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;

(c)	to protect public and national security;

(d)	protect the rights and freedoms of third parties. [Am. 159]

Article 39

Right of access for the data subject

1. Any data subject shall have the right, at reasonable intervals, to obtain information on whether personal data relating to him/her are processed by Europol. Where such personal data are being processed, Europol shall provide at least the following information to the data subject: [Am. 160]

(a)	confirmation as to whether or not data related to him/her are being processed;

(b)	information at least as to the purposes of the processing operation, the categories of data concerned, the period for which the data will be stored, and the recipients to whom the data are disclosed; [Am. 161]

(c)	communication in an intelligible form of the data undergoing processing and of any available information as to their sources;

(ca)	an indication of the legal basis for processing the data; [Am. 162]

(cb)	the existence of the right to request from Europol rectification, erasure or restriction of processing of personal data concerning the data subject; [Am. 163]

(cc)	a copy of the data undergoing processing. [Am. 164]

2. Any data subject wishing to exercise the right of access to personal data may make a request to that effect without excessive costs free of charge to the authority appointed for this purpose in the Member State of his/her choice. That authority shall refer the request to Europol without delay and in any case within one month of receipt. Europol shall confirm receipt of the request. [Ams 165 and 234]

3. Europol shall answer the request without undue delay and in any case within three months of its the receipt of the request from the national authority .[Am. 166]

4. Europol shall consult the competent authorities of the Member States concerned on a decision to be taken. A decision on access to data shall be conditional on close cooperation between Europol and the Member States directly concerned by the access of the data subject to such data. If a Member State objects to Europol’s proposed response, it shall notify Europol of the reasons for its objection.

5. Access to personal data The provision of information in response to a request under paragraph 1 shall be refused or restricted, if it constitutes to the extent that such partial or complete refusal is a necessary measure to: [Am. 167]

(a)	enable Europol to fulfil its tasks properly;

(b)	protect security and public order in the Member States or to prevent crime;

(c)	guarantee that any national investigation will not be jeopardised;

(d)	protect the rights and freedoms of third parties.

Any decision on the restriction or refusal of the information requested shall take into account the fundamental rights and interests of the data subject. [Am. 168]

6. Europol shall inform the data subject in writing on any refusal or restriction of access, on the reasons for such a decision and of his right to lodge a complaint to the European Data Protection Supervisor. Information on the factual and legal reasons on which the decision is based may be omitted where the provision of such information would deprive the restriction imposed by paragraph 5 of its effect.

Article 40

Right to rectification, erasure and blocking

1. Any data subject shall have the right to ask Europol to rectify personal data relating to him/her if they are incorrect and, where this is possible and necessary, to complete or update them. [Am. 169]

2. Any data subject shall have the right to ask Europol to erase personal data relating to him/her, if they are no longer required for the purposes for which they are lawfully collected or are lawfully further processed.

3. Personal data shall be blocked rather than erased if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose that prevented their erasure.

4. If data as described in paragraphs 1, 2 and 3 held by Europol have been provided to it by third countries, international organisations, or are the results of Europol's own analyses, Europol shall rectify, erase or block such data and inform, where relevant, the originators of the data . [Am. 170]

5. If data as described in paragraphs 1 and 2 held by Europol have been provided directly to Europol by Member States, the Member States concerned shall rectify, erase or block such data in collaboration with Europol.

6. If incorrect data were transferred by another appropriate means or if the errors in the data provided by Member States are due to faulty transfer or were transferred in breach of this Regulation or if they result from their being input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or erase the data in collaboration with the Member States concerned.

7. In the cases referred to in paragraphs 4, 5 and 6 all addressees of such data shall be notified forthwith. In accordance with rules applicable to them, the addressees, shall then rectify, erase or block these data in their systems.

8. Europol shall inform the data subject in writing without undue delay and in any case within three months that data concerning him/her have been rectified, erased or blocked.

9. Europol shall inform the data subject in writing on any refusal of rectification, of erasure or blocking, and of the possibility of lodging a complaint with the European Data Protection Supervisor and seeking a judicial remedy.

Article 41

Responsibility in data protection matters

1. Europol shall store personal data in a way that ensures its source according to Article 23 can be established.

1a. Europol shall store personal data in such a way that they can be rectified and erased. [Am. 171]

2. The responsibility for the quality of personal data as referred to in Article 34(d) shall lie with the Member State which provided the personal data to Europol and with Europol for personal data provided by Union bodies, third countries or international organisations, as well for personal data retrieved by Europol from publicly-available sources. Union bodies shall be responsible for the quality of the data until and including the moment of the transfer. [Am. 172]

3. The responsibility for compliance with the principles as specified in Article 34(a), (b), (c) and (e) shall lie with Europol.

4. The responsibility for the legality of transfer applicable data protection principles shall lie: [Am. 173]

(a)	with the Member State which provided the data in the case of personal data provided by the Member States to Europol; and

(b)	with Europol in the cases of personal data provided by Europol to Member States, and third countries or international organisations.

5. In case of a transfer between Europol and a Union body, the responsibility for the legality of the transfer shall lie with Europol. Without prejudice to the preceding sentence, where the data are transferred by Europol following a request from the recipient, both Europol and recipient shall bear the responsibility for the legality of this transfer. In addition, Europol shall be responsible for all data processing operations carried out by it.

Europol shall verify the competence of the recipient and evaluate the necessity for the transfer of the data. If doubts arise as to this necessity, Europol shall seek further information from the recipient. The recipient shall ensure that the need for the transfer of the data can be verified. The recipient shall process the personal data only for the purposes for which they were transmitted. [Am. 174]

Article 42

Prior checking

1. The processing of personal data which will form part of a new filing system to be created in any set of processing operations that serve a single or several related purposes in relation to its core activities shall be subject to prior checking where: [Am. 175]

(a)	special categories of data referred to in Article 36(2) are to be processed;

(b)	the type of processing, in particular using new technologies, mechanisms or procedures, holds otherwise specific risks for the fundamental rights and freedoms, and in particular the protection of personal data, of data subjects.

2. The prior checks shall be carried out by the European Data Protection Supervisor following receipt of a notification from the Data Protection Officer who, in case of doubt as to the need for prior checking, shall consult the European Data Protection Supervisor.

3. The European Data Protection Supervisor shall deliver his/her opinion within two months following receipt of the notification. This period may be suspended at any time until the European Data Protection Supervisor has obtained any further information that he/she may have requested. When the complexity of the matter so requires, this period may also be extended for a further two months, by decision of the European Data Protection Supervisor. No more than two extensions shall be possible. This decision shall be notified to Europol prior to expiry of the initial two-month period. [Am. 176]

If the opinion has not been delivered by the end of the two-month period, or any extension thereof, it shall be deemed to be favourable.

If the opinion of the European Data Protection Supervisor is that the notified processing may involve a breach of any provision of this Regulation, he/she shall where appropriate make proposals to avoid such breach. Where Europol does not modify the processing operation accordingly, the European Data Protection Supervisor may exercise the powers granted to him/her under Article 46(3).

4. The European Data Protection Supervisor shall keep a register of all processing operations have been notified to him/her pursuant to paragraph 1. Such a register shall be integrated into the register referred to in Article 27(5) of Regulation (EC) No 45/2001.

Article 43

Logging and documentation

1. For the purposes of verifying the lawfulness of data processing, self-monitoring and ensuring proper data integrity and security Europol shall keep records of collection, alteration, access, retrieval, disclosure, combination or erasure of personal data. Such logs or documentation shall be deleted after three years, unless the data are further required for on-going control. There shall be no possibility to modify the logs. [Am. 177]

2. Logs or documentation prepared under paragraph 1 shall be communicated on request to the European Data Protection Supervisor for the control of data protection. The European Data Protection Supervisor shall use that information only for the control of data protection and ensuring proper data processing as well as data integrity and security.

Article 44

Data Protection Officer

1. The Management Board shall appoint a Data Protection Officer who shall be a member of the staff. In the performance of his/her duties, he/she shall act independently.

2. The Data Protection Officer shall be selected on the basis of his/her personal and professional qualities and, in particular, the expert knowledge of data protection.

3. The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between his/her duty as Data Protection Officer and any other official duties, in particular in relation to the application of the provisions of this Regulation.

4. The Data Protection Officer shall be appointed for a term of between two and five years. He/she shall be eligible for reappointment up to a maximum total term of ten years. He/she may be dismissed from the post of Data Protection Officer by the Community institution or body which appointed him/her only with the consent of the European Data Protection Supervisor, if he/she no longer fulfills the conditions required for the performance of his/her duties.

5. After his/her appointment the Data Protection Officer shall be registered with the European Data Protection Supervisor by the institution or body which appointed him/her.

6. With respect to the performance of his/her duties, the Data Protection Officer may not receive any instructions.

7. The Data Protection Officer shall in particular have the following tasks with regard to personal data, with the exception of personal data of Europol staff members as well as administrative personal data:

(a)	ensuring, in an independent manner, lawfulness and compliance with the internal application of the provisions of this Regulation concerning the processing of personal data; [Am. 178]

(b)	ensuring that a record of the transfer and receipt of personal data is kept in accordance with this Regulation;

(c)	ensuring that data subjects are informed of their rights under this Regulation at their request;

(d)	cooperating with Europol staff responsible for procedures, training and advice on data processing;

(e)	cooperating with the European Data Protection Supervisor , especially with regards to the processing operations referred to in Article 42 ; [Am. 179]

(f)	preparing an annual report and communicating that report to the Management Board and to the European Data Protection Supervisor;

(fa)	acting as a contact point for access requests pursuant to Article 39; [Am. 180]

(fb)	keeping a register of all processing operations carried out by Europol, including, where relevant, information regarding the purpose, data categories, recipients, time limits for blocking and erasure, transfers to third countries or international organisations and security measures; [Am. 181]

(fc)	keeping a register of incidents and security breaches affecting operational or administrative personal data. [Am. 182]

8. Moreover, the Data Protection Officer shall carry out the functions foreseen by Regulation (EC) No 45/2001 with regard to personal data of Europol staff members as well as administrative personal data. [Am. 183]

9. In the performance of his/her tasks, the Data Protection Officer shall have access to all the data processed by Europol and to all Europol premises. Such access shall be possible at any time and without prior request . [Am. 184]

10. If the Data Protection Officer considers that the provisions of this Regulation concerning the processing of personal data have not been complied with, he/she shall inform the Executive Director, requiring him/her to resolve the non-compliance within a specified time. If the Executive Director does not resolve the non-compliance of the processing within the time specified, the Data Protection Officer shall inform the Management Board and they shall agree a specified time for a response. If the Management Board does not resolve the non-compliance of the processing within the time specified, the Data Protection Officer shall refer the matter to the European Data Protection Supervisor.

11. The Management Board shall adopt implementing rules concerning the Data Protection Officer. Those implementing rules shall in particular concern the selection procedure for the position of the Data Protection Officer and his/her dismissal, tasks, duties and powers and safeguards for independence of the Data Protection Officer. Europol shall provide the Data Protection Officer with the staff and resources necessary for him/her to carry out his/her duties. These staff members shall have access to the personal data processed at Europol and to Europol premises only to the extent necessary for the performance of their tasks. Such access shall be possible at any time and without prior request. [Am. 185]

11a. The Data Protection Officer shall be provided with the resources necessary for the performance of his/her tasks. [Am. 186]

Article 45

Supervision by the national supervisory authority

1. Each Member State shall designate a national supervisory authority with the task of monitoring independently, in accordance with its national law, the permissibility of the transfer, the retrieval and any communication to Europol of personal data by the Member State concerned and to examine whether such transfer, retrieval or communication violates the rights of the data subject. For this purpose, the national supervisory authority shall have access, at the National Unit or at liaison officers’ premises, to data submitted by its Member State to Europol in accordance with the relevant national procedures.

2. For the purpose of exercising their supervisory function, national supervisory authorities shall have access to the offices and documents of their respective liaison officers at Europol.

3. National supervisory authorities shall, in accordance with the relevant national procedures, supervise the activities of National Units and the activities of liaison officers, in so far as such activities are of relevance to the protection of personal data. They shall also keep the European Data Protection Supervisor informed of any actions they take with respect to Europol.

4. Any person shall have the right to request the national supervisory authority to verify that the transfer or communication to Europol of data concerning him/her in any form and the access to the data by the Member State concerned are lawful. This right shall be exercised in accordance with the national law of the Member State in which the request is made.

Article 46

Supervision by the European Data Protection Supervisor

1. The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this Regulation relating to the protection of fundamental rights and freedoms of natural persons with regard to processing personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of personal data. To this end, he/she shall fulfil the duties set out in paragraph 2 and shall exercise the powers granted in paragraph 3.

2. The European Data Protection Supervisor shall have the following duties under this Regulation:

(a)	hear and investigate complaints, and inform the data subject of the outcome within a reasonable period;

(b)	conduct inquiries either on his/her own initiative or on the basis of a complaint, and inform the data subjects of the outcome within a reasonable period without delay ; [Am. 187]

(c)	monitor and ensure the application of the provisions of this Regulation and any other Union act relating to the protection of natural persons with regard to the processing of personal data by Europol;

(d)

advise Europol, either on his/her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular before they draw up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal data;

(e)	determine, give reasons for and make public the exemptions, safeguards, authorisations and conditions mentioned in Article 36(4).

(f)	keep a register of processing operations notified to him/her by virtue of Article 42(1) and registered in accordance with 42(4),

(g)	carry out a prior check of processing notified to him/her.

3. The European Data Protection Supervisor may under this Regulation:

(a)	give advice to data subjects in the exercise of their rights;

(b)	refer the matter to Europol in the event of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;

(c)	order that requests to exercise certain rights in relation to data be complied with where such requests have been refused in breach of Articles 39 and 40;

(d)	warn or admonish Europol;

(e)

order the rectification, blocking, erasure or destruction of all data when they that have been processed in breach of the provisions governing the processing of personal data and the notification of such actions to third parties to whom the data have been disclosed; [Am. not concerning all languages]

(f)	impose propose to the Management Board that a temporary or definitive partial or total ban be imposed on processing; [Am. 189]

(g)	refer the matter to Europol and, if necessary, to the European Parliament, the Council and the Commission;

(h)	refer the matter to the Court of Justice of the European Union under the conditions provided for in the Treaty;

(i)	intervene in actions brought before the Court of Justice of the European Union.

4. The European Data Protection Supervisor shall have the power:

(a)	to obtain from Europol access to all personal data and to all information necessary for his/her enquiries;

(b)	to obtain access to any premises in which Europol carries on its activities when there are reasonable grounds for presuming that an activity covered by this Regulation is being carried out there.

5. The European Data Protection Supervisor shall draw up an annual report on the supervisory activities on Europol. This report shall be part of the annual report of the European Data Protection Supervisor referred to in Article 48 of Regulation (EC) No 45/2001.

This report shall include statistical information regarding complaints, inquiries, investigations, the processing of sensitive information, transfers of personal data to third countries and international organisations, prior checking and notifications, and the use of the powers referred to in paragraph 3.

This report shall be forwarded and presented to the Joint Parliamentary Scrutiny Group, and shall be forwarded to the Council, the Commission and national parliaments. On the basis of this report, the European Parliament and the Council may request the European Data Protection Supervisor to undertake additional action to ensure the application of the provisions of this Regulation. [Am. 190]

6. Members and staff of the European Data Protection Supervisor shall be bound by the obligation of confidentiality in accordance with Article 69.

Article 47

Cooperation between the European Data Protection Supervisor and national data protection authorities

1. The European Data Protection Supervisor shall act in close cooperation with national supervisory authorities on specific issues requiring national involvement, in particular if the European Data Protection Supervisor or a national supervisory authority finds major discrepancies between the practices of Member States or potentially unlawful transfer in the use of Europol’s channels for exchange of information, or in the context of questions raised by one or more national supervisory authorities on the implementation and interpretation of this Regulation.

2. In the cases referred to in paragraph 1, The European Data Protection Supervisor shall, where relevant, use the expertise and experience of national data protection authorities in carrying out his duties set out in Article 46(2). In carrying out activities in cooperation with the European Data Protection Supervisor, members and staff of national data protection authorities shall, taken due account of the principle of subsidiarity and proportionality, have equivalent powers as those laid down in Article 46(4) and be bound by an equivalent obligation as that laid down in Article 46(6). The European Data Protection Supervisor and the national supervisory authorities shall, each acting within the scope of their respective competences, exchange relevant information, assist each other in carrying out audits and inspections, examine difficulties of interpretation or application of this Regulation, study problems relating to the exercise of independent supervision or the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems and promote awareness of data protection rights, as necessary. [Am. 191]

2a. The European Data Protection Supervisor shall keep national supervisory authorities fully informed of all issues relevant for them. [Am. 192]

2b. In cases where specific issues concern data originating from one or several Member States, the European Data Protection Supervisor shall consult the concerned and competent national supervisory authorities. The European Data Protection Supervisor shall not decide on further action to be taken before the concerned and competent national supervisory authorities have informed the European Data Protection Supervisor of their position, within a deadline specified by the EDPS which shall not be shorter than two months. The EDPS shall take utmost account of the position of the concerned and competent national supervisory authorities. In cases where the EDPS intends not to follow their position, he shall inform them and provide a justification. In cases which the EDPS deems to be extremely urgent, he may decide to take immediate action. In such cases, the EDPS shall immediately inform the concerned and competent national supervisory authorities and justify the urgent nature of the situation as well as the action he has taken. [Am. 193]

2c. The European Data Protection Supervisor shall consult the concerned and competent national supervisory authorities before taking any of the actions stipulated Article 46(3), points (e) to (h). The EDPS shall take utmost account of the position of the concerned and competent national supervisory authorities communicated within a deadline specified by him and which shall not be shorter than two months. If the EDPS intends not to follow the positions of national supervisory authorities, he shall inform them and provide a justification. In cases which the EDPS deems to be extremely urgent, he may decide to take immediate action. In such cases, the EDPS shall immediately inform the concerned and competent national supervisory authorities and justify the urgent nature of the situation as well as the action he has taken. The European Data Protection Supervisor shall refrain from taking action if all national supervisory authorities informed the European Data Protection Supervisor of their negative position. [Am. 194]

3. The heads of the national supervisory authorities and the European Data Protection Supervisor shall meet, where needed at least once per year to discuss strategic and general policy issues or other issues referred to in paragraphs 1 and 2 . The costs and servicing of such meetings shall be borne by the European Data Protection Supervisor. Rules of procedure shall be adopted at the first meeting. Further working methods shall be developed jointly as necessary. [Am. 195]

Article 48

Administrative personal data and Staff data [Am. 196]

Regulation (EC) No 45/2001 shall apply to all personal data of Europol staff members as well as administrative personal data held by Europol. [Am. 197]

Chapter VIII

REMEDIES AND LIABILITY

Article 49

Right to lodge a complaint with the European Data Protection Supervisor

1. Any data subject shall have the right to lodge a complaint with the European Data Protection Supervisor, if he/she considers that the processing of personal data relating to him/her does not comply with the provisions of this Regulation.

2. Where a complaint relates to a decision as referred to in Article 39 or 40, the European Data Protection Supervisor shall consult the national supervisory bodies or the competent judicial body in the Member State (s) that was the source of the data or the Member State (s) directly concerned. The decision of the European Data Protection Supervisor, which may extend to a refusal to communicate any information, shall be taken in close cooperation with the national supervisory body or competent judicial body. [Am. 198]

3. Where a complaint relates to the processing of data provided by a Member State to Europol, the European Data Protection Supervisor shall ensure that the necessary checks have been carried out correctly, in close cooperation with the national supervisory body of the Member State that provided the data , shall ensure that the data processing in the Member State concerned was lawful and that the necessary checks have been carried out correctly . [Am. 199]

4. Where a complaint relates to the processing of data provided to Europol by EU entities, third countries or international organisations, the European Data Protection Supervisor shall ensure that Europol has carried out the necessary checks.

Article 50

Right to a judicial remedy against the European Data Protection Supervisor

Actions against the decisions of the European Data Protection Supervisor shall be brought before the Court of Justice of the European Union.

Article 51

General provisions on liability and the right to compensation

1. Europol’s contractual liability shall be governed by the law applicable to the contract in question.

2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause in a contract concluded by Europol.

3. Without prejudice to Article 52, in the case of non-contractual liability, Europol shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.

4. The Court of Justice of the European Union shall have jurisdiction in disputes over compensation for damages referred to in paragraph 3.

5. The personal liability of Europol staff towards Europol shall be governed by the provisions laid down in the Staff Regulations or Conditions of Employment applicable to them.

Article 52

Liability for incorrect personal data processing and the right to compensation

1. Any individual who has suffered damage as a result of an unlawful data processing operation shall have the right to receive compensation for damage suffered either from Europol in accordance with Article 340 TFEU, or from the Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The individual shall bring an action against Europol to the Court of Justice of the European Union or against the Member State to a competent national court of this Member State.

2. Any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an individual in accordance with paragraph 1 shall be referred to the Management Board, which shall decide by a majority of two-third of its members, without prejudice of the right to challenge this decision in accordance with article 263 TFEU.

Chapter IX

PARLIAMENTARY SCRUTINY

Article 53

Joint Parliamentary scrutiny

1. The mechanism for the control of Europol's activities by the European Parliament, together with national parliaments, shall take the form of a specialised Joint Parliamentary Scrutiny Group, to be established within the competent committee of the European Parliament, comprising the full members of the competent committee of the European Parliament and one representative of the competent committee of the national parliament for each Member State and a substitute. Member States with bicameral parliamentary systems may instead be represented by a representative from each chamber.

2. The Joint Parliamentary Scrutiny Group meetings shall always be convened in the European Parliament premises by the Chair of the European Parliament's competent committee. The meetings shall be co-chaired by the Chair of the competent committee of the European Parliament and the representative from the national Parliament of the Member State holding the rotating Council Presidency.

3. The Joint Parliamentary Scrutiny Group shall monitor the application of the provisions of this Regulation, in particular in relation to their impact on the fundamental rights and freedoms of natural persons.

4. To this end, the Joint Parliamentary Scrutiny Group shall have the following duties:

1. (a) The the Chairperson of the Management Board and, the Executive Director and a representative of the Commission shall appear before the European Parliament, jointly with national Parliaments, the Joint Parliamentary Scrutiny Group at their its request to discuss matters relating to Europol, taking into account, if appropriate , the obligations of discretion and confidentiality. The Group may decide to invite to its meetings other relevant persons, if appropriate;

2. Parliamentary scrutiny by the European Parliament, together with national Parliaments, of Europol’s activities shall be exercised in accordance with this Regulation.

(b)

the European Data Protection Supervisor shall appear before the Joint Parliamentary Scrutiny Group at its request and at least once per year to discuss matters relating to the protection of fundamental rights and freedoms of natural persons, and in particular the protection of personal data, with regard to Europol's operations, taking into account, if appropriate, the obligations of discretion and confidentiality.

The following documents shall be presented and debated in the Joint Parliamentary Scrutiny Group meetings:

—	the draft annual and multiannual work programmes, referred to in Article 15;

—	the consolidated annual activity report on Europol’s activities, referred to in Article 14;

—	the annual report of the European Data Protection Supervisor on the supervisory activities of Europol, referred to in Article 46;

—	the evaluation report drawn up by the Commission to review the effectiveness and efficiency of Europol, referred to in Article 70.

The following persons shall appear before the Joint Parliamentary Scrutiny Group at its request:

—	the selected candidates for the posts of Executive Director, referred to in Article 56(2);

—	the Executive Director, whose term of office is intended to be extended, as provided for in Article 56(5);

—	the Executive Director, in order to report on the performance of their duties.

The Chairperson of the Management Board shall inform the Joint Parliamentary Scrutiny Group before removing the Executive Director from office, as well as to the reasons or grounds for such decision.

3. 5. In addition to the obligations of information and consultation set out in this Regulation, Europol shall transmit to the European Parliament and to the national parliaments Joint Parliamentary Scrutiny Group , taking into account , if appropriate, the obligations of discretion and confidentiality, for information:

(a)	threat assessments, strategic analyses and general situation reports relating to Europol’s objective as well as the results of studies and evaluations commissioned by Europol;

(b)	the working arrangements adopted pursuant to Article 31(1).

6. The Joint Parliamentary Scrutiny Group may request any relevant document necessary for the fulfilment of its tasks, subject to Regulation (EC) No 1049/2001 of the European Parliament and of the Council (16) as well as rules governing the treatment of confidential information by the European Parliament.

7. The Joint Parliamentary Scrutiny Group may draw up summary conclusions on the supervisory activities on Europol to the European Parliament. [Am. 200]

Article 54

Access of the European Parliament to Classified Information processed by or through Europol

1. For the purpose of enabling it to exercise parliamentary scrutiny of Europol’s activities in accordance with Article 53, access to European Union Classified Information and sensitive non-classified information processed by or through Europol may shall be granted to the European Parliament Joint Parliamentary Scrutiny Group and its representatives upon request and where relevant, after the consent of the data provider .

2. Given the sensitive and classified nature of this information, access to European Union Classified Information and sensitive non-classified information shall be in compliance with the basic principles and minimum standards as referred to in Article 69. The rules governing the treatment of confidential information by the European Parliament (17) . Further details shall may be governed by a working arrangement concluded between Europol and the European Parliament. [Am. 201]

Chapter X

STAFF

Article 55

General provisions

1. The Staff Regulations and the Conditions of Employment of Other Servants and the rules adopted by agreement between the institutions of the Union for giving effect to those Staff Regulations and the conditions of Employment of other Servants shall apply to the staff of Europol with the exception of staff who at the date of application of this Regulation are under contracts concluded by Europol as established by the Europol Convention.

2. Europol staff shall consist of temporary staff and/or contract staff. The Management Board shall decide which temporary posts provided for in the establishment plan can be filled only by staff engaged from the competent authorities of the Member States. Staff recruited to occupy such posts shall be temporary agents and may be awarded only fixed-term contracts renewable once for a fixed period.

2a. The appointing authority shall make full use of the possibilities given by the Staff Regulation and provide specialised staff such as IT-experts with a higher function group and grade according to their qualification to fulfil the tasks of the Agency pursuant to Article 4 in an ideal manner. [Am. 202]

Article 56

Executive Director

1. The Executive Director shall be engaged as a temporary agent of Europol under Article 2(a) of the Conditions of Employment of Other servants.

2. The Executive Director shall be appointed by the Management Board, from a list of in accordance with a cooperation procedure, which shall be as follows:

(a)

on the basis of a list of at least three candidates proposed by a committee composed of the Commission representative on the Management Board and two other members of the Management Board, following an open and transparent selection procedure , the applicants will be asked, before appointment, to address the Council and the Joint Parliamentary Scrutiny Group and, to reply to questions;

(b)	the Joint Parliamentary Scrutiny Group and the Council will then give their opinions and state their orders of preference;

(c)	the Management Board will appoint the Executive Director taking these opinions into account.

For the purpose of concluding the contract with the Executive Director, Europol shall be represented by the Chairperson of the Management Board.

Before appointment, the candidate selected by the Management Board may be invited to make a statement before the competent committee of the European Parliament and to answer questions put by its members. [Am. 203]

3. The term of office of the Executive Director shall be five years. By the end of that period, the Commission shall undertake an assessment that takes into account an evaluation of the Executive Director’s performance and Europol’s future tasks and challenges.

4. The Management Board, after seeking the opinion of the Joint Parliamentary Scrutiny Group and acting on a proposal from the Commission that takes into account the assessment referred to in paragraph 3, may extend the term of office of the Executive Director once, for no more than five years. [Am. 204]

5. The Management Board shall inform the European Parliament if it intends to extend the Executive Director’s term of office. Within the month before any such extension, the Executive Director may shall be invited to make a statement before the competent committee of the Parliament Joint Parliamentary Scrutiny Group and answer questions put by its members. [Am. 205]

6. An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.

7. The Executive Director may be removed from office only upon a decision of the Management Board acting on a proposal from the Commission , explained to the Joint Parliamentary Scrutiny Group and the Council . [Am. 206]

8. The Management Board shall reach decisions on appointment, extension of the term of office and removal from office of the Executive Director and/or Deputy Executive Director(s) on the basis of a two-thirds majority of its members with voting rights.

Article 57

Deputy Executive Directors

1. Four Three Deputy Executive Directors, including one responsible for training, shall assist the Executive Director. The Deputy Executive Director for Training shall be responsible for managing the Europol Academy and its activities. The Executive Director shall define the tasks of the others. [Am. 207]

2. Article 56 shall apply to the Deputy Executive Directors. The Executive Director shall be consulted prior to their appointment or removal from office.

Article 58

Seconded national experts and other staff

1. Europol may make use of seconded national experts or other staff not employed by the agency.

2. The Management Board shall adopt a decision laying down rules on the secondment of national experts to Europol.

Chapter XI

FINANCIAL PROVISIONS

Article 59

Budget

1. Estimates of all revenue and expenditure for Europol shall be prepared each financial year, corresponding to the calendar year, and shall be shown in Europol’s budget.

2. Europol’s budget shall be balanced in terms of revenue and of expenditure.

3. Without prejudice to other resources, Europol’s revenue shall comprise a contribution from the Union entered in the general budget of the European Union.

4. Europol may benefit from Union funding in the form of delegation agreements or ad-hoc and exceptional grants in accordance with the provisions of the relevant instruments supporting the policies of the Union.

5. The expenditure of Europol shall include staff remuneration, administrative and infrastructure expenses, and operating costs.

Article 60

Establishment of the budget

1. Each year the Executive Director shall draw up a draft statement of estimates of Europol’s revenue and expenditure for the following financial year, including the establishment plan, and send it to the Management Board.

2. The Management Board shall, on the basis of that draft, produce a provisional draft estimate of Europol’s revenue and expenditure for the following financial year. The provisional draft estimate of Europol’s revenue and expenditure shall be sent to the Commission each year by [date set out in the framework Financial Regulation]. The Management Board shall send and submit a final draft estimate, which shall include a draft establishment plan, to the Joint Parliamentary Scrutiny Group, the Commission, the European Parliament and the Council and the national parliaments by 31 March. [Am. 208]

3. The Commission shall send the statement of estimates to the European Parliament and the Council (the budgetary authority) together with the draft general budget of the European Union.

4. On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the European Union the estimates it considers necessary for the establishment plan and the amount of the contribution to be charged to the general budget, which it shall place before the budgetary authority in accordance with Articles 313 and 314 TFEU.

5. The budgetary authority shall authorise the appropriations for Europol’s contribution.

6. The budgetary authority shall adopt Europol’s establishment plan.

7. Europol’s budget shall be adopted by the Management Board. It shall become final following final adoption of the general budget of the Union. Where necessary, it shall be adjusted accordingly.

8. For any project, in particular building projects, likely to have significant implications for the budget, the provisions of [the framework Financial Regulation] shall apply. .

Article 61

Implementation of the budget

1. The Executive Director shall implement Europol’s budget.

2. Each year the Executive Director shall send to the budgetary authority all information relevant to the findings of evaluation procedures.

Article 62

Presentation of accounts and discharge

1. By 1 March following each financial year, Europol’s accounting officer shall communicate the provisional accounts to the Commission’s Accounting Officer and to the Court of Auditors.

2. Europol shall send the report on the budgetary and financial management to the European Parliament, and submit it to the Joint Parliamentary Scrutiny Group, the Council and the Court of Auditors by 31 March of the following financial year. [Am. 209]

3. By 31 March following each financial year, the Commission’s accounting officer shall send Europol’s provisional accounts consolidated with the Commission’s accounts to the Court of Auditors.

4. On receipt of the Court of Auditors’ observations on Europol’s provisional accounts pursuant to Article 148 of the Financial Regulation, the accounting officer shall draw up Europol’s final accounts. The Executive Director shall submit them to the Management Board for an opinion.

5. The Management Board shall deliver an opinion on Europol’s final accounts.

6. The Executive Director shall, by 1 July following each financial year, send and submit the final accounts to the European Parliament Joint Parliamentary Scrutiny Group , the Council, the Commission, the Court of Auditors and national Parliaments parliaments , together with the Management Board’s opinion. [Am. 210]

7. The final accounts shall be published.

8. The Executive Director shall send the Court of Auditors a reply to the observations made in its annual report by [date set out in the framework Financial Regulation]. He/she shall also send the reply to the Management Board.

9. The Executive Director shall submit to the European Parliament, at the latter’s request, any information required for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 165(3) of the Financial Regulation.

10. On a recommendation from the Council acting by a qualified majority, the European Parliament shall, before 15 May of year N + 2, give a discharge to the Executive Director in respect of the implementation of the budget for year N.

Article 63

Financial rules

1. The financial rules applicable to Europol shall be adopted by the Management Board after consultation with the Commission. They shall not depart from [the framework Financial Regulation] unless such a departure is specifically required for Europol's operation and the Commission has given its prior consent. The European Parliament shall be notified of any such departure. [Am. 211]

2. Because of the specificity of the Members of the Network of National Training Institutes which are the only bodies with specific characteristics and technical competences to perform relevant training activities, these members may receive grants without a call for proposals in accordance with Article 190(1)(d) of the Commission Delegated Regulation (EU) No 1268/2012. (18) [Am. 212]

Chapter XII

MISCALLANEOUS PROVISIONS

Article 64

Legal status

1. Europol shall be a body of the Union. It shall have legal personality.

2. In each of the Member States Europol shall enjoy the most extensive legal capacity accorded to legal persons under their laws. Europol may, in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.

3. The seat of Europol shall be The Hague, in the Netherlands.

Article 65

Privileges and immunity

1. The Protocol on the Privileges and Immunities of the European Union shall apply to Europol and its staff.

2. Privileges and immunities of liaison officers and members of their families shall be subject to an agreement between the Kingdom of Netherlands and the other Member States. That agreement shall provide for such privileges and immunities as are necessary for the proper performance of the tasks of liaison officers.

Article 66

Language arrangements

1. The provisions laid down in Regulation No 1 (19) shall apply to Europol.

2. The translation services required for the functioning of Europol shall be provided by the Translation Centre of the bodies of the European Union.

Article 67

Transparency

1. Regulation (EC) No 1049/2001 shall apply to all administrative documents held by Europol. [Am. 213]

2. On the basis of a proposal by the Executive Director, and by six months after the entry into force of this Regulation at the latest, the Management Board shall adopt the detailed rules for applying Regulation (EC) No 1049/2001 with regard to Europol documents.

3. Decisions taken by Europol under Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Union, under the conditions laid down in Articles 228 and 263 TFEU.

3a. Europol shall publish on its website a list of its Management Board members and external and in-house experts, together with their respective declarations of interests and curricula vitae. The minutes of the meetings of the Management Board shall be systematically published. Europol may temporary or permanently restrict the publication of documents if it risks jeopardising the performance of Europol's tasks, taking into account its obligations of discretion and confidentiality. [Am. 214]

Article 67a

Prior notification and red-flag-mechanism

The Commission shall activate a warning system if it has serious concerns that the Management Board may be about to take decisions which would not comply with Europol's mandate, would breach Union law or would be in contradiction with Union policy objectives. In such cases, the Commission shall raise the matter formally with the Management Board and ask it to refrain from adopting the relevant decision. Should the Management Board refuse to comply with the request, the Commission shall formally inform the European Parliament and the Council thereof, with a view to a swift response. The Commission may ask the Management Board to refrain from implementing the contentious decision for as long as the representatives of the institutions are still discussing the issue. [Am. 215]

Article 68

Combating fraud

1. In order to facilitate combating fraud, corruption and other unlawful activities under Regulation (EC) No 1073/1999, within six months from the day Europol becomes operational, it shall accede to the Interinstitutional Agreement of 25 May 1999 concerning internal investigations by the European Anti-Fraud Office (OLAF) (20) and adopt appropriate provisions applicable to all employees of Europol using the template set out in the Annex to that agreement.

2. The European Court of Auditors shall have the power of audit, on the basis of documents and on the spot, over all grant beneficiaries, contractors and subcontractors who have received Union funds from Europol.

3. OLAF may carry out investigations, including on-the-spot checks and inspections, with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by Europol, in accordance with the provisions and procedures laid down in Regulation (EC) No 1073/1999 and Council Regulation (Euratom, EC) No 2185/96 (21).

4. Without prejudice to paragraphs 1, 2 and 3, cooperation agreements with third countries and international organisations, contracts, grant agreements and grant decisions of Europol shall contain provisions expressly empowering the European Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.

Article 69

Security rules on the protection of classified information

Europol shall establish its own rules on the obligations of discretion and confidentiality, and on the protection of European Union classified information and sensitive non-classified information, taking into account the basic principles and minimum standards of Decision 2011/292/EU. This shall cover, inter alia, provisions for the exchange, processing and storage of such information.

Article 70

Evaluation and review

1. No later than five years after [the date of application of this Regulation,] and every five years thereafter, the Commission shall commission an evaluation to assess particularly the impact, effectiveness and efficiency of Europol and its working practices as well as the functioning of the mechanisms for control of Europol's activities by the European Parliament together with national parliaments . The evaluation shall, in particular, address the possible need to modify the objectives of Europol, and the financial implications of any such modification. [Am. 216]

2. The Commission shall forward and submit the evaluation report together with its conclusions on the report , if appropriate accompanied by a proposal to amend this Regulation, to the European Parliament, Joint Parliamentary Scrutiny Group, the Council, the national parliaments and the Management Board. In addition, the Commission shall provide the European Parliament, the Council and the national parliaments with any other information on the evaluation if requested. [Am. 217]

3. On the occasion of every second evaluation, the Commission shall also assess the results achieved by Europol having regard to its objective, mandate and tasks. If the Commission considers that the continuation of Europol is no longer justified with regard to its assigned objectives and tasks, it may propose that this Regulation be amended accordingly or repealed under the ordinary legislative procedure . [Am. 218]

Article 71

Administrative inquiries

The activities of Europol shall be subject to the controls of the European Ombudsman in accordance with Article 228 TFEU.

Article 72

Headquarter

1. The necessary arrangements concerning the accommodation to be provided for Europol in the host Member State and the facilities to be made available by that Member State together with the specific rules applicable in the host Member State to the Executive Director, members of the Management Board, Europol’s staff and members of their families shall be laid down in a Headquarters Agreement between Europol and Member State where the seat is located, concluded after obtaining the approval of the Management Board and no later than [2 years after the entry into force of this Regulation].

2. Europol’s host Member State shall provide the best possible conditions to ensure the functioning of Europol, including multilingual, European-oriented schooling and appropriate transport connections.

Chapter XIII

TRANSITIONAL PROVISIONS

Article 73

General legal succession

1. Europol, as established by this Regulation, shall be the general legal successor in respect of all contracts concluded by, liabilities incumbent on, and properties acquired by Europol, as established by Decision 2009/371/JHA and CEPOL, as established under Decision 2005/681/JHA. [Am. 219]

2. This Regulation shall not affect the legal force of agreements concluded by Europol as established by Decision 2009/371/JHA before the date of entry into force of this Regulation.

3. This Regulation shall not affect the legal force of agreements concluded by CEPOL as established by Decision 2005/681/JHA before the date of entry into force of this Regulation. [Am. 220]

4. By way of derogation from paragraph 3, the Headquarters Agreement concluded on the basis of the Decision 2005/681/JHA shall be terminated from the date of entry into application of this Regulation. [Am. 221]

Article 74

Transitional arrangements concerning the Management Board

1. The term of office of the members of the Governing Board of CEPOL as established on the basis of Article 10 of Decision 2005/681/JHA shall terminate on [date of entry into force of this Regulation]. [Am. 222]

2. The term of office of the members of the Management Board of Europol as established on the basis of Article 37 of Decision 2009/371/JHA shall terminate on [date of entry into application of this Regulation].

3. The Management Board as established on the basis of Article 37 of Decision 2009/371/JHA shall within the period between the date of entry into force and the date of entry into application:

(a)	exercise the functions of the Management Board as referred to in Article 14 of this Regulation;

(b)	prepare the adoption of the rules on the obligations of confidentiality and discretion, and the protection of EU classified information referred to in Article 69 of this Regulation;

(c)	prepare any instrument necessary for the application of this Regulation; and

(d)	revise the non-legislative measures implementing Decision 2009/371/JHA so as to allow the Management Board established pursuant Article 13 of this Regulation to take a decision pursuant to Article 78(2).

4. The Commission shall take the measures necessary without delay after the entry into force of this Regulation to ensure that the Management Board established in accordance with Article 13 starts its work at the [date of entry into application of the Regulation];

5. By 6 months from the date of entry into force of this Regulation at the latest the Member States shall notify the Commission of the names of the persons whom they have appointed as member and alternate member of the Management Board, in accordance with Article 13.

6. The Management Board established pursuant to Article 13 of this Regulation shall hold its first meeting on [the date of entry into application of this Regulation]. On that occasion it shall, if necessary, take a decision as referred to in Article 78(2).

6a. The Management Board shall formulate detailed provisions governing the procedure provided for in Article 67a and submit them to the Commission for approval. [Am. 223]

Article 75

Transitional arrangements concerning the Executive Directors and the Deputy Directors

1. The Executive Director appointed on the basis of Article 38 of Decision 2009/371/JHA shall, for the remaining periods of his/her term of office, be assigned to the responsibilities of the Executive Director as provided for in Article 19 of this Regulation. The other conditions of his/her contract remain unchanged. If the term of office ends after [the date of entry of this Regulation] but before [the date of application of this Regulation], it shall be extended automatically until one year after the date of application of this Regulation.

2. Should the Executive Director be unwilling or unable to act in accordance with paragraph 1, the Commission shall designate a Commission official to act as interim Executive Director and exercise the duties assigned to the Executive Director for a period not exceeding 18 months, pending the appointments provided for in Article 56.

3. Paragraphs 1 and 2 shall apply to the Deputy Directors appointed on the basis of Article 38 of Decision 2009/371/JHA.

4. The Executive Director of CEPOL appointed on the basis of Article 11(1) of Decision 2005/681/JHA shall, for the remaining periods of his/her term of office, be assigned to the functions of the Deputy Executive Director of training of Europol. The other conditions of his/her contract remain unchanged. If the term of office ends after [the date of entry into force of this Regulation] but before [the date of application of this Regulation], he/she shall be extended automatically until one year after the date of application of this Regulation. [Am. 224]

Article 76

Transitional budgetary provisions

1. For each of the three budgetary years following the entry into force of this Regulation, at least EUR 8 million of the operational expenses of Europol shall be reserved for training, as described in Chapter III. [Am. 225]

2. The discharge procedure in respect of the budgets approved on the basis of Article 42 of Decision 2009/371/JHA shall be carried out in accordance with the rules established by Article 43 of Decision 2009/371/JHA and the financial rules of Europol.

Chapter XIV

FINAL PROVISIONS

Article 77

Replacement

This Regulation replaces and repeals Decision 2009/371/JHA and Decision 2005/681/JHA.

References to the replaced Decisions Decision shall be construed as references to this Regulation. [Am. 226]

Article 78

Repeal

1. All legislative measures implementing the Decisions Decision 2009/371/JHA and Decision 2005/681/JHA are repealed with effect from the date of application of this Regulation.

2. All non-legislative measures implementing Decision 2009/371/JHA which sets up the European Police Office (Europol) and Decision 2005/681/JHA which sets up CEPOL shall remain in force following the [date of application of this Regulation], unless otherwise decided by the Management Board of Europol in the implementation of this Regulation. [Am. 227]

Article 79

Entry into force and application

1. This Regulation shall enter into force on the 20th day following that of its publication in the Official Journal of the European Union.

2. It shall apply from [date of application].

However, Articles 73, 74 and 75 shall apply from [the date of entry into force of this Regulation].

Done at

For the European Parliament

The President

For the Council

The President

(1) Position of the European Parliament of 25 February 2014.

(2) Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (OJ L 121, 15.5.2009, p. 37).

(3) OJ C 316, 27.11.1995, p. 1.

(4) OJ L 256, 1.10.2005, p. 63.

(5) OJ C 115, 4.5.2010, p. 1.

(*1) Proposal COM(2013)0048.

(6) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data ( OJ L 8, 12.1.2001, p. 1).

(7) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.1.1981.

(8) Council of Europe Committee of Ministers Recommendation No. R(87) 15 to the Member States on regulating the use of personal data in the police sector, 17.9.1987.

(9) Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters ( OJ L 350, 30.12.2008, p. 60).

(10) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).

(11) Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012, p. 1).

(12) Regulation (EC) No 1073/1999 of the European Parliament and of the Council of 25 May 1999 concerning investigations conducted by the European Anti-Fraud Office (OLAF) (OJ L 136, 31.5.1999, p. 1).

(13) Council Decision 2011/292/EU of 31 March 2011 on the security rules for protecting EU classified information (OJ L 141, 27.5.2011, p. 17).

(14) Council Decision 2005/511/JHA of 12 July 2005 on protecting the euro against counterfeiting, by designating Europol as the Central Office for combating euro counterfeiting (OJ L 185, 16.7.2005, p. 35).

(15) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(16) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

(17) As laid down in the Decision of the Bureau of the European Parliament of 15 April 2013.

(18) OJ L 362, 31.12.2012, p. 1.

(19) EEC Council: Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385/58).

(20) OJ L 136, 31.5.1999, p. 15.

(21) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2).

ANNEX I

List of offences with respect to which Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in accordance with Article 3(1) of this Regulation

—	terrorism,

—	organised crime,

—	unlawful drug trafficking,

—	illegal money-laundering activities,

—	crime connected with nuclear and radioactive substances,

—	illegal immigrant smuggling,

—	trafficking in human beings,

—	motor vehicle crime,

—	murder, grievous bodily injury,

—	illicit trade in human organs and tissue,

—	kidnapping, illegal restraint and hostage taking,

—	racism and xenophobia,

—

robbery,

—	illicit trafficking in cultural goods, including antiquities and works of art,

—	swindling and fraud, including fraud affecting the financial interests of the Union

—	racketeering and extortion,

—	counterfeiting and product piracy,

—	forgery of administrative documents and trafficking therein,

—	forgery of money and means of payment,

—	computer crime,

—	corruption,

—	illicit trafficking in arms, ammunition and explosives,

—	illicit trafficking in endangered animal species,

—	illicit trafficking in endangered plant species and varieties,

—	environmental crime, including ship source pollution

—	illicit trafficking in hormonal substances and other growth promoters,

—	sexual abuse and sexual exploitation of individuals, especially women and children. [Am. 228]

ANNEX II

Categories of personal data and categories of data subjects whose data may be collected and processed for cross-checking purpose as referred to in Article 24(1)(a)

Personal data collected and processed for cross-checking purposes shall relate to:

(a)	persons who, in accordance with the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent or who have been convicted of such an offence;

(b)	persons regarding whom there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit criminal offences in respect of which Europol is competent.

Data relating to the persons referred to in paragraph 1 may include only the following categories of personal data:

(a)	surname, maiden name, given names and any alias or assumed name;

(b)	date and place of birth;

(c)	nationality;

(d)

sex;

(e)	place of residence, profession and whereabouts of the person concerned;

(f)	social security numbers, driving licences, identification documents and passport data; and

(g)	where necessary, other characteristics likely to assist in identification, including any specific objective physical characteristics not subject to change such as dactyloscopic data and DNA profile (established from the non-coding part of DNA).

In addition to the data referred to in paragraph 2, following categories of personal data concerning the persons referred to in paragraph 1 may be collected and processed:

(a)	criminal offences, alleged criminal offences and when, where and how they were (allegedly) committed;

(b)	means which were or may be used to commit those criminal offences including information concerning legal persons;

(c)	departments handling the case and their filing references;

(d)	suspected membership of a criminal organisation;

(e)	convictions, where they relate to criminal offences in respect of which Europol is competent;

(f)	inputting party.

These data may be provided to Europol even when they do not yet contain any references to persons.

4.	Additional information held by Europol or National Units concerning the persons referred to in paragraph 1 may be communicated to any national unit or Europol should either so request. National units shall do so in compliance with their national law.

5.	If proceedings against the person concerned are definitively dropped or if that person is definitively acquitted, the data relating to the case in respect of which either decision has been taken shall be deleted.

ANNEX III

Categories of personal data and categories of data subjects whose data may be collected and processed for the purpose of analyses of strategic or other general nature and for the purpose of operational analyses (as referred to in Article 24(1)(b) and (c)

Personal data collected and processed for the purpose of analyses of a strategic or other general nature and operational analyses shall relate to:

(a)	persons who, in accordance with the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent or who have been convicted of such an offence;

(b)	persons regarding whom there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit criminal offences in respect of which Europol is competent.

(c)	persons who might be called on to testify in investigations in connection with the offences under consideration or in subsequent criminal proceedings;

(d)	persons who have been the victims of one of the offences under consideration or with regard to whom certain facts give reason to believe that they could be the victims of such an offence;

(e)	contacts and associates; and

(f)	persons who can provide information on the criminal offences under consideration.

The following categories of personal data, including associated administrative data, may be processed on the categories of persons referred to in paragraph 1 point (a) and (b):

(a)

Personal details:

(i)	Present and former surnames;

(ii)	Present and former forenames;

(iii)

Maiden name;

(iv)	Father’s name (where necessary for the purpose of identification);

(v)	Mother’s name (where necessary for the purpose of identification):

(vi)

Sex;

(vii)

Date of birth;

(viii)

Place of birth;

(ix)	Nationality;

(x)	Marital status;

(xi)

Alias;

(xii)

Nickname;

(xiii)

Assumed or false name;

(xiv)

Present and former residence and/or domicile;

(b)

Physical description:

(i)	Physical description;

(ii)	Distinguishing features (marks/scars/tattoos etc.)

(c)

Identification means:

(i)	Identity documents/driving licence;

(ii)	National identity card/passport numbers;

(iii)

National identification number/social security number, if applicable

(iv)	Visual images and other information on appearance

(v)	Forensic identification information such as fingerprints, DNA profile (established from the non-coding part of DNA), voice profile, blood group, dental information

(d)

Occupation and skills:

(i)	Present employment and occupation;

(ii)	Former employment and occupation;

(iii)

Education (school/university/professional);

(iv)	Qualifications;

(v)	Skills and other fields of knowledge (language/other)

(e)

Economic and financial information:

(i)	Financial data (bank accounts and codes, credit cards etc.);

(ii)	Cash assets;

(iii)

Share holdings/other assets;

(iv)	Property data;

(v)	Links with companies;

(vi)	Bank and credit contacts;

(vii)

Tax position;

(viii)

Other information revealing a person’s management of their financial affairs

(f)

Behavioural data:

(i)	Lifestyle (such as living above means) and routine;

(ii)	Movements;

(iii)

Places frequented;

(iv)	Weapons and other dangerous instruments;

(v)	Danger rating;

(vi)	Specific risks such as escape probability, use of double agents, connections with law enforcement personnel;

(vii)

Criminal-related traits and profiles;

(viii)

Drug abuse;

(g)	Contacts and associates, including type and nature of the contact or association;

(h)	Means of communication used, such as telephone (static/mobile), fax, pager, electronic mail, postal addresses, Internet connection(s);

(i)	Means of transport used, such as vehicles, boats, aircraft, including information identifying these means of transport (registration numbers);

(j)

Information relating to criminal conduct:

(i)	Previous convictions;

(ii)	Suspected involvement in criminal activities;

(iii)

Modi operandi;

(iv)	Means which were or may be used to prepare and/or commit crimes;

(v)	Membership of criminal groups/organisations and position in the group/organisation;

(vi)	Role in the criminal organisation;

(vii)

Geographical range of criminal activities;

(viii)

Material gathered in the course of an investigation, such as video and photographic images

(k)

References to other information systems in which information on the person is stored:

(i)

Europol;

(ii)	Police/customs agencies;

(iii)

Other enforcement agencies;

(iv)	International organisations;

(v)	Public entities;

(vi)	Private entities

(l)

Information on legal persons associated with the data referred to in points (e) and (j):

(i)	Designation of the legal person;

(ii)

Location;

(iii)

Date and place of establishment;

(iv)	Administrative registration number;

(v)	Legal form;

(vi)

Capital;

(vii)

Area of activity;

(viii)

National and international subsidiaries;

(ix)	Directors;

(x)	Links with banks.

‘Contacts and associates’, as referred to in paragraph 1 point (e), are persons through whom there is sufficient reason to believe that information, which relates to the persons referred to in paragraph 1 point (a) and (b) of this Annex and which is relevant for the analysis, can be gained, provided they are not included in one of the categories of persons referred to in paragraphs 1 (a), (b), (c), (d) and (f). ‘Contacts’ are those persons who have sporadic contact with the persons referred to in paragraph 1 point (a) and (b). ‘Associates’ are those persons who have regular contact with the persons referred to in paragraph 1 point (a) and (b).

In relation to contacts and associates, the data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that such data are required for the analysis of the role of such persons as contacts or associates.

In this context, the following shall be observed:

(a)	the relationship of these persons with the persons referred to in paragraph 1 point (a) and (b) shall be clarified as soon as possible;

(b)	if the assumption that a relationship exists between these persons and the persons referred to in paragraph 1 point (a) and (b) turns out to be unfounded, the data shall be deleted without delay;

(c)

if such persons are suspected of committing an offence falling under Europol’s objectives, or have been convicted for such an offence, or if there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit such an offence, all data pursuant to paragraph 2 may be stored;

(d)	data on contacts and associates of contacts as well as data on contacts and associates of associates shall not be stored, with the exception of data on the type and nature of their contacts or associations with the persons referred to in paragraph 1 point (a) and (b);

(e)	if a clarification pursuant to the previous points is not possible, this shall be taken into account when deciding on the need and the extent of storage for further analysis.

With regard to persons who, as referred to in paragraph 1 point (d), have been the victims of one of the offences under consideration or who, certain facts give reason to believe, could be the victims of such an offence, data referred to in paragraph 2 point (a) intent ‘i’ to paragraph 2 (c) intent ‘iii’ of this Annex, as well as the following categories of data, may be stored:

(a)	Victim identification data;

(b)	Reason for victimisation;

(c)	Damage (physical/financial/psychological/other);

(d)	Whether anonymity is to be guaranteed;

(e)	Whether participation in a court hearing is possible;

(f)	Crime-related information provided by or through persons referred to in paragraph1 point ‘d’, including information on their relationship with other persons, where necessary, to identify the persons referred to in paragraph 1 points ‘a’ and ‘b’

Other data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of a person’s role as victim or potential victim.

Data not required for any further analysis shall be deleted.

With regard to persons who, as referred to in paragraph 1 (c), might be called on to testify in investigations in connection with the offences under consideration or in subsequent criminal proceedings, data referred to in paragraph 2 point (a) indent ‘i’ to paragraph 2 (c) indent ‘iii’ of this Annex as well as categories of data complying with the following criteria, may be stored:

(a)	crime-related information provided by such persons, including information on their relationship with other persons included in the analysis work file;

(b)	whether anonymity is to be guaranteed;

(c)	whether protection is to be guaranteed and by whom;

(d)	new identity;

(e)	whether participation in a court hearing is possible.

Other data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of such persons’ role as witnesses.

Data not required for any further analysis shall be deleted.

With regard to persons who, as referred to in paragraph 1 point (f), can provide information on the criminal offences under consideration, data referred to in paragraph 2 point (a) indent ‘i’ to paragraph 2 (c) indent ‘iii’ of this Annex may be stored, as well as categories of data complying with the following criteria:

(a)	coded personal details;

(b)	type of information supplied;

(c)	whether anonymity is to be guaranteed;

(d)	whether protection is to be guaranteed and by whom;

(e)	new identity;

(f)	whether participation in court hearing is possible;

(g)	negative experiences;

(h)	rewards (financial/favours).

Other data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of such persons’ role as informants.

Data not required for any further analysis shall be deleted.

If, at any moment during the course of an analysis, it becomes clear on the basis of serious and corroborating indications that a person should be placed under a different category of persons, as defined in this Annex, from the category in which that person was initially placed, Europol may process only the data on that person which is permitted under that new category, and all other data shall be deleted.

If, on the basis of such indications, it becomes clear that a person should be included in two or more different categories as defined in this Annex, all data allowed under such categories may be processed by Europol.