Europol regulation and other relevant instruments
The centrepiece of legislation is the Regulation (EU) 2016/794 Europol Regulation (ER), which was amended on the 8th of June 2022 by Regulation (EU) 2022/991. It has particular focus on operational personal data, i.e. all personal data processed for the purpose of meeting the objectives of the Agency. Additionally, Europol applies Regulation (EU) 2018/1725 to administrative personal data. Europol’s data protection legal framework is based on the principles contained in Convention 108 of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as on the Council of Europe Committee of Ministers Recommendation No R (87) 15 regulating the use of personal data in the police sector.
In particular, the ER is inspired by the Data Protection Directive for the police and criminal justice sector, which was legislated in one package together with the General Data Protection Regulation (GDPR). One of the main rationales of Europol’s data protection regime is that personal data can only be processed if allowed by law. To ensure legal clarity and reliability in the sensitive area of law enforcement, the rules governing the processing of personal data have to be unequivocal and definitive. The foundation for achieving this aim is clear terminology. Taking this into account, the Europol Regulation makes use of definitions that are common in the world of data protection. So, what exactly is personal data? What is implied by the term processing?
Personal data
Sensitive personal data
There are special categories of personal data (‘sensitive personal data’) which, by their nature, may expose the data subjects to a risk. Therefore, when processed, enhanced protection needs to be in place and it is allowed only with specific safeguards. On the definition of sensitive personal data, both Articles 10 and Articles 76 EUDPR, and the Article 30(2) ER name the following categories:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions, religious or other beliefs;
- personal data concerning trade union membership;
- personal data concerning genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- operational personal data concerning health or concerning a natural person’s sex life or sexual orientation.
In this regard, for operational purposes, the processing of sensitive personal data and of different categories of data subjects is based on the principle of proportionality and necessity.
Moreover, Article 30(1) ER provides further protection for special categories of data subjects: victims, witnesses or other persons who can provide information concerning criminal offences, or minors. The processing their personal data shall be allowed if it is strictly necessary and proportionate for preventing or combating crime.
Europol is under an obligation to stipulate that whenever 'sensitive' categories of personal data are involved, a transmission shall be limited to absolutely necessary cases. It is prohibited for Europol to select a particular group of persons solely on the basis of such data (Art.10 EUDPR).
Moreover, the Data Protection Officer (DPO) shall be informed. Additionally, only Europol shall have direct access to sensitive personal data and only a limited number of Europol staff to have such access if it is necessary for the performance of their tasks, which shall be authorised by the Executive Director.
Data processing
Everything one can do, any kind of action performed on personal data, is considered processing.