Protecting personal data that is used by police and criminal justice authorities (from 2018)

KEY POINTS

The directive requires that the data collected by law enforcement authorities are:

• processed lawfully and fairly;
• collected for specified, explicit and legitimate purposes and processed only in a manner compatible with these purposes;
• adequate, relevant and not excessive in relation to the purpose for which they are processed;
• accurate and updated where necessary;
• kept in a form which allows identification of the individual for no longer than is necessary for the purpose of the processing;
• appropriately secured, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures.

Time limits

Member States must establish time limits for erasing the personal data or for a regular review of the need to store such data.

Individuals concerned (data subjects)

The directive requires that law enforcement authorities make a clear distinction between the data of different categories of persons, including:

• those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence;
• those who have been convicted of a criminal offence;
• victims of criminal offences or those whom it is reasonably believed could be victims of criminal offences;
• those who are parties to a criminal offence, including potential witnesses.

Information to data subjects and access to data

Individuals have the right to have certain information made available – and in some cases provided – to them by the competent law enforcement authorities, including:

• the name and contact details of the competent authority which decides the purpose and means of the data processing;
• the purposes for processing their data;
• the right to launch a complaint with a supervisory authority and the contact details of the authority;
• the existence of the right to request access to and correction or deletion of their personal data, as well as the right to restrict processing of their personal data.

Individuals have the right to obtain confirmation from competent authorities as to whether their personal data are being processed, and to access such data and information relating to their processing.

Security and logging

National authorities must take technical and organisational measures to ensure a level of security for personal data that is appropriate to the risk. Where data processing is automated, a number of measures must be put in place, including:

• denying unauthorised persons access to equipment used for processing;
• preventing the unauthorised reading, copying, changing or removal of data media¹;
• preventing the unauthorised input of personal data and the unauthorised viewing, changing or deleting of stored personal data.

National authorities must keep logs with information such as the date and time of access to personal data and the names of those who have consulted the data or to whom the data have been disclosed. The logs shall mainly be used for verifying the lawfulness of the processing, ensuring the security and integrity of the processing and for criminal proceedings.

Repeal

The directive replaced Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with effect from 6 May 2018.

Review

The European Commission has issued a communication entitled ‘Way forward on aligning the former third pillar acquis with data protection rules’ in June 2020.

The first report on the evaluation and review of the directive is due by 5 May 2022.