Processing of personal data

In the case of Europol, a tailor-made set of rules has been created in order to effectively take into account both the operational needs of the agency and the individuals’ right to effective data protection. As a result, Europol has one of the strongest, most robust data protection frameworks in the world of law enforcement.

What constitutes processing of personal data?

Processing of personal data is any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

How does Europol process personal data?

The collection and processing of data is at the heart of Europol’s activities. Any processing of personal data within Europol has to be explicitly allowed and made compliant with the in-house tailor-made data protection regime.

The main objective of the Europol Regulation is to set a data processing environment that allows Europol to fully assist Member States in preventing and combating serious and organised crime and terrorism when simultaneously respecting fundamental rights such as the right to data protection.

In practical terms, the Europol Regulation redefines the agency’s processing architecture with a particular emphasis on ‘privacy by design.’ Europol no longer pre-defines databases or systems but instead adopts “a ‘privacy by design’ approach and full transparency towards the Data Protection Officer at Europol and the European Data Protection Supervisor, the EDPS.”¹  High data protection and security standards are achieved by means of procedural safeguards that apply to any specific type of information. Thus, the Europol Regulation introduces a technology-neutral approach to data management and processing that provides for much more operational flexibility.

Under the Europol Regulation, there is no reference anymore to different information processing systems (Analysis Work Files (AWFs), Europol Information System (EIS), new systems).²  Instead, the emphasis of the text is on the exact purpose(s) for which data can be processed, namely: (i) cross-checking aimed at identifying connections or relevant links between information; (ii) analyses of a strategic or thematic nature; (iii) operational analysis; and, (iv) facilitating the exchange of information.³

In practice, data processing at Europol is performed with the aid of specifically designed software, refined techniques and sophisticated structures. The prioritisation and targeting of operational action is based on the specific purposes for which the data will be processed. In this way the Europol Regulation provides for a close, functional relationship between the various forms of analysis. It is in particular by means of strategic analysis that the overall priorities can be distinguished and justified. It is by means of thematic analysis that within specific crime areas cases and approaches can be identified. It is within the framework of operational analysis that concrete investigations and operations will be conducted. In this context, the Europol Regulation outlines not only the specific purposes of data processing activities,⁴  but also the sources of information⁵ as well as who may access the relevant data.⁶ The Europol Regulation highlights the holistic approach taken by Europol to protect personal data which foresees next to procedural safeguards the application of technical and organisational measures for the protection of information.

¹ Europol Regulation, Explanatory Memorandum, p. 7.
² Contr., Europol Council Decision, arts. 11–13 (concerning Europol Information System) and arts. 14–16 (concerning Analysis Work Files).
³ Europol Regulation, art. 18.
⁴ Europol Regulation, art. 18.
⁵ Europol Regulation, art. 17.
⁶ Europol Regulation, art. 20.