Relations with partners

page

Not only in the world of soccer, but also in a law enforcement context, the theme ‘You'll never walk alone’ is well-known since serious crime and terrorism can only be tackled effectively by means of a joint effort.

In so far as necessary for the performance of its tasks, Europol may establish and maintain cooperative relations with Union bodies in accordance with the objectives of those bodies, the authorities of third countries, international organisations and private parties. The modalities of cooperation vary depending on the partners involved. However, a number of principles apply across the board.

One of them is the so-called ‘data owner principle’, which refers to the obligation of Europol to comply with any restrictions the owner of the information has indicated upon submission of the data. Such restrictions, which are known as handling codes, can only be lifted if this is absolutely necessary in the interest of preventing an imminent threat to life.

Another principle is that there are fewer restrictions for information which does not qualify as personal data. For instance, the legal obligation to ensure detailed records for all transfers, including the grounds for those transfers, only applies to personal data. On the other hand, Europol must not process any information which has clearly been obtained in obvious violation of human rights, whether it is personal or non-personal data. Special rules kick in if information is formally classified. Beyond that, the following needs to be considered.

This section includes Union bodies, third countries and international organisations, private parties and private persons, publicly available sources, and Member States: Liaison Bureaux.

  1. The Europol regime in the world of data protection
  2. Integrated data management concept
  3. Relations with partners
  4. Exercising the rules: who watches the watchdog?
  5. Data protection and law enforcement - a successful union

Union Bodies

Exchanges of personal data with Union bodies deemed as institutions, bodies, missions, offices and agencies set up by, or on the basis of, the TEU and the TFEU are data protection compliant insofar as the information exchange is necessary and proportionate for the legitimate performance of tasks. This privileged partnership is based on the common EU data protection acquis.

  • Eurojust
  • European Commission
  • ECB – European Central Bank
  • ECDC – European Centre for Disease Prevention and Control
  • OLAF – European Anti-Fraud Office
  • ENISA – European Network and Information Security Agency
  • CEPOL – European Police College
  • EIGE – European Institute for Gender Equality
  • EMCDDA – European Monitoring Centre for Drugs and Drug Addiction
  • Frontex – European Border and Coast Guard Agency
  • EUIPO – European Union Intellectual Property Office
  • European Asylum Agency
  • EU-LISA – European Union Agency for the Operational Management of Large-Scale IT Systems
  • ECCC – European Cybersecurity Competence Centre and Network
  • FRA – European Union Agency for Fundamental Rights
  • EIB – European Investment Bank
  • EPPO – European Public Prosecutor’s Office

Third Countries and International Organisations

Europol cooperates with third countries and international organisations outside the EU based on operational agreements, strategic agreements and working arrangements. As of July 2023, Europol concluded 35 agreements with third countries, including Canada, Colombia, Israel, China and Brazil, among others. Concerning international organisations, Europol collaborates with Interpol, the United Nations Office on Drugs and Crime (UNODC), the World Customs Organisation (WCO), the International Criminal Court (ICC) and the Kosovo Specialist Chambers and Specialist Prosecutor’s Office.

When it comes to transfers of personal data outside the EU, the legislator has introduced very strict safeguards. Namely, Europol may transfer personal data to an authority of a third country or to an international organisation only, insofar as such transfer is necessary for the performance of Europol's tasks, on the basis of one of the following:

a decision of the Commission adopted in accordance with Article 36 of Directive (EU) 2016/680, finding that the third country or a territory or a processing sector within that third country or the international organisation in question ensures an adequate level of protection ('adequacy decision');

an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 TFEU adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals; 

a cooperation agreement allowing for the exchange of personal data concluded, before 1 May 2017, between Europol and that third country or international organisation in accordance with Article 23 Decision of 2009/371/JHA.

If none of these conditions can be met, the Executive Director may authorise the exceptional transfer of personal data to third countries or international organisations on a case-by-case basis if the transfer is:

  1. necessary in order to protect the vital interests of the data subject or of another person;
  2. necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides;
  3. essential for the prevention of an immediate and serious threat to the public security of a Member State or a third country;
  4. necessary in individual cases for the purposes of the prevention, investigation, detection;
  5. necessary in individual cases for the establishment, exercise or defence of legal claims relating.

Personal data shall not be transferred if the Executive Director determines that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer referred to in points (4) and (5).

Derogations may not be applicable to systematic, massive or structural transfers and the Executive Director needs to inform both the Management Board and the EDPS as soon as possible whenever they make use of this exception clause.

Furthermore, the Management Board may, in agreement with the EDPS, authorise for a period not exceeding one year, which shall be renewable, a set of transfers in accordance with points (1) to (5) above, taking into account the existence of adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. Such authorisation shall be duly justified and documented.

In the absence of an adequacy decision, the Management Board may authorise Europol to transfer personal data to a competent authority of a third country or to an international organisation. This is permitted if there are appropriate safeguards with respect to the right of data protection regulated on the agreement, or the data transfer has the appropriate safeguards with regard to the protection of personal data. Europol shall inform the EDPS about these categories of transfers.

Private Parties and Private Persons

Building trust and confidence between the private sector and law enforcement authorities is of utmost importance in the fight against serious crime and terrorism but, in particular, in the area of cybercrime. Building trusted networks by involving industry and other actors such as research communities and civil society organisations is crucial to facilitate public-private partnerships.

The ER defines private parties as entities and bodies established under the law of a Member State or third country, in particular companies and firms, business associations, non-profit organisations and other legal persons that are not international organisations. Private persons are described as natural persons.

Insofar as is necessary for Europol to perform its tasks, Europol may process personal data obtained from private parties or private persons on condition that they are received via:

a national unit in accordance with national law;

the contact point of a third country or an international organisation with which Europol has concluded, before 1 May 2017, a cooperation agreement allowing for the exchange of personal data in accordance with Article 23 of Decision 2009/371/JHA; or,

an authority of a third country or an international organisation which is the subject of an adequacy decision as referred to in point (a) of Article 25(1) of the Europol Regulation or with which the Union has concluded an international agreement pursuant to Article 218 TFEU.

In cases where Europol nonetheless receives personal data directly from private parties and where the national unit, contact point or authority concerned, as referred to above, cannot be identified, Europol may process those personal data solely for the purpose of such identification.

Subsequently, the personal data shall be forwarded immediately to the national unit, contact point or authority concerned and shall be deleted unless the national unit, contact point or authority concerned resubmits those personal data in accordance with Article 19(1) within four months after the transfer takes place. Europol shall ensure by technical means that, during that period, the data in question are not accessible for processing for any other purpose.

If Europol receives personal data from a private party or private person in a third country with which there is no agreement concluded either on the basis of Article 23 of Decision 2009/371/JHA or on the basis of Article 218 TFEU, or which is not the subject of an adequacy decision as referred to above, Europol may forward those data only to a Member State, or to a third country concerned with which such an agreement has been concluded.

Europol may not transfer personal data to private parties except where, on a case-by-case basis this is strictly necessary and subject to due observance of handling codes and Europol’s security rules.

Furthermore, one of the following conditions has to be met:

The transfer or transmission is undoubtedly in the interests of the data subject.

The transfer or transmission is absolutely necessary in the interests of preventing the imminent perpetration of a crime, including terrorism, that falls within Europol’s objectives.

The transfer or transmission of personal data (which is publicly available) is strictly necessary for providing support to Member States in preventing and combating crimes under Europol’s mandate, and the following conditions are met:

  • the transfer or transmission concerns an individual and specific case; and
  • no fundamental rights and freedoms of the data subjects concerned override the public interest necessitating the transfer in the case at hand.

Europol shall prepare an annual report on the personal data exchanged with private parties for the Management Board.

If the personal data received or to be transferred affects the interests of a Member State, Europol shall immediately inform the national unit of the Member State concerned. Europol shall not contact private parties to retrieve personal data.

The same principles for private parties also apply to the processing of personal data obtained from private persons with the exception that the provision of personal data from Europol to private persons is not even foreseen in exceptional circumstances.

This means that Europol would inform the competent national law enforcement authorities in case of any emergency situations in order to safeguard the fundamental rights of concerned data subjects.

To address online dissemination of online child sexual abuse material and online crisis situations, special conditions apply regarding the receipt and transfer or transmission of personal data to private parties. Firstly, online crisis situations refer to the disclosure of a threat to life or physical integrity online with the aim or the effect of seriously intimidating the population. There must be a link to terrorism or violent extremism and that the viral disclosure on the internet is anticipated.

In both cases, the ER allows Europol to receive personal data directly from a private party and transfer or transmit personal data on a case-by-case basis when it is strictly necessary and the fundamental rights of the data subject concerned do not override the public interest. If the private party is not established within the EU or in a third country collaborating with Europol, the transfer requires the authorisation of the Executive Director.

Publicly-available Sources

Europol can process information and personal data obtained from publicly available sources, including the internet and public data. However, Europol shall assess the accuracy of the information and the reliability of its source. This obligation is aligned with the principle of data quality, which stipulates personal data should be processed only if it is accurate and up-to-date, and collected from reliable sources. Hence, Europol is responsible for the accuracy of the personal data retrieved by the organisation from publicly available sources.

Data retrieved by Europol from publicly available sources should be reviewed no longer than three years from its collection.

Member States: Liaison Bureaux

Europol and Member States shall cooperate with each other for the prevention and investigation of crimes under Europol’s mandate. For that purpose, each Member State has its own Europol National Unit, understood as the liaison body between Europol and the competent national authorities. Nevertheless, in some cases Member States may allow direct contacts between their competent authorities and Europol.

Member States shall, via their respective Europol National Units or directly (Art. 7(6) ER):

  • Provide Europol with information necessary for it to fulfil its objectives;
  • Ensure effective communication and cooperation of all relevant competent authorities with Europol;
  • Raise awareness of Europol’s activities;
  • Ensure compliance with national law when supplying information to Europol.

Member States and third countries through the Europol Liaison Bureaux shall provide this personal information through the Liaison Bureaux.

Members shall supply information to Europol. Nevertheless, there are some exceptions where Member States are not obliged to supply information: if that exchange would be contrary to the essential interest of the Member State’s security, jeopardise the success of an ongoing investigation or the safety of an individual, or disclose information relating to intelligence activities.

Regarding Member States’ access to information stored by Europol, Member States shall have access to Europol’s information for the sole purposes of preventing, detecting, investigating and prosecuting forms of crime under Europol’s mandate and other forms of serious crime.

Member States have access to all information which has been provided for the purposes of cross-checking and strategic and thematic analysis, when no restriction in this regard has been put in place by the information provider.

Member States can have indirect access on the basis of a hit/no hit system to information provided for operational analysis, when no restriction in this regard has been put in place by the information provider. However, direct access can be granted by Europol to a select group of Member States for joint operational analysis in specific investigations.

Exercising the rules: who watches the watchdog?