«Brussels, 27.3.2013 COM(2013) 173 final 2013/0091 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Union ...»
(18) To ensure the efficient day-to-day functioning of Europol, the Executive Director should be its legal representative and manager, acting in complete independence in the performance of all tasks and ensuring that Europol carries out the tasks provided for by this Regulation. In particular, the Executive Director should be responsible for preparing budgetary and planning documents submitted for the decision of the Management Board, implementing the annual and multiannual work programmes of Europol and other planning documents.
(19) For the purposes of preventing and combating crime falling under its objectives, it is necessary for Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to process data provided to it by Member States, third countries, international organisations and Union bodies as well as coming from publicly available sources to develop an understanding of criminal phenomena and trends, to gather information about criminal networks, and to detect links between different offences.
(20) To improve Europol’s effectiveness in providing accurate crime analyses to the Member States’ law enforcement authorities, it should use new technologies to process data. Europol should be able to swiftly detect links between investigations and common modi operandi across different criminal groups, to check cross-matches of data and to have a clear overview of trends, while EN EN maintaining high level of protection of personal data for individuals. Therefore, Europol databases should not be pre-defined, allowing Europol to choose the most efficient IT structure.
To ensure a high level of data protection, the purpose of processing operations and access rights as well as specific additional safeguards should be laid down.
(21) To respect ownership of data and protection of information, Member States and authorities in third countries and international organisations should be able to determine the purpose for which Europol may process the data they provide and to restrict access rights.
(22) To ensure that data are accessed only by those for whom access is necessary to perform their tasks, this Regulation should lay down detailed rules on different degrees of right of access to data processed by Europol. Such rules should be without prejudice to restrictions on access imposed by data providers, as the principle of ownership of data should be respected. In order to increase efficiency of preventing and combating crime falling under Europol’s objectives, Europol should notify Member States of information which concerns them.
(23) To enhance operational cooperation between the agencies, and particularly to establish links between data already in possession of the different agencies, Europol should enable Eurojust and the European Anti-Fraud Office (OLAF) to have access to and be able to search against data available at Europol.
(24) Europol should maintain cooperative relations with other Union bodies, law enforcement authorities and law enforcement training institutes of third countries, international organisations, and private parties to the extent required for the accomplishment of its tasks.
(25) To ensure operational effectiveness, Europol should be able to exchange all information, with the exception of personal data, with other Union bodies, law enforcement authorities and law enforcement training institutes of third countries, and international organisations to the extent necessary for the performance of its tasks. Since companies, firms, business associations, nongovernmental organisations and other private parties hold expertise and data of direct relevance to the prevention and combating of serious crime and terrorism, Europol should also be able to exchange such data with private parties. To prevent and combat cybercrime, as related to network and information security incidents, Europol should, pursuant to Directive [name of adopted Directive] of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union,31 cooperate and exchange information, with the exception of personal data, with national authorities competent for the security of network and information systems.
(26) Europol should be able to exchange personal data with other Union bodies to the extent necessary for the accomplishment of its tasks.
(27) Serious crime and terrorism often have links beyond the territory of the EU. Europol should therefore be able to exchange personal data with law enforcement authorities of third countries and with international organisations such as Interpol to the extent necessary for the accomplishment of its tasks.
(28) Europol should be able to transfer personal data to an authority of a third country or an international organisation on the basis of a Commission decision finding that the country or international organisation in question ensures an adequate level of data protection, or, in the absence of an adequacy decision, an international agreement concluded by the Union pursuant To insert reference to the adopted Directive (Proposal: COM (2013) 48 final).
EN EN to Article 218 of the Treaty, or a cooperation agreement concluded between Europol and this third country prior to the entry into force of this Regulation. In view of Article 9 of Protocol 36 on transitional provisions attached to the Treaty, legal effects of such agreements should be preserved until those agreements are repealed, annulled or amended in the implementation of the Treaty.
(29) Where a transfer of personal data cannot be based on an adequacy decision taken by the Commission, or, an international agreement concluded by the Union, or an existing cooperation agreement, the Management Board and the European Data Protection Supervisor should be allowed to authorise a transfer or a set of transfers, provided adequate safeguards are ensured.
Where none of the above applies, the Executive Director should be allowed to authorise the transfer of data in exceptional cases on a case-by-case basis, if it is necessary to safeguard the essential interests of a Member State, to prevent an imminent danger associated with crime or terrorism, if the transfer is otherwise necessary or legally required on important public grounds, if the data subject has consented, or if vital interests of the data subject are at stake.
(30) Europol should be able to process personal data originating from private parties and private persons only if transferred to Europol by a Europol national unit of a Member State in accordance with its national law or, by a contact point in a third country with which there is established cooperation through a cooperation agreement concluded in accordance with Article 23 of Decision 2009/371/JHA prior to the entry into force of this Regulation or an authority of a third country or an international organisation with which the Union has concluded and international agreement pursuant to Article 218 of the Treaty.
(31) Any information which has clearly been obtained by a third country or international organisation in violation of human rights shall not be processed.
(32) Data protection rules at Europol should be strengthened and draw on the principles underpinning Regulation (EC) No 45/200132 to ensure a high level of protection of individuals with regard to processing of personal data. As Declaration 21 attached to the Treaty recognizes the specificity of personal data processing in the law enforcement context, the data protection rules of Europol should be autonomous and aligned with other relevant data protection instruments applicable in the area of police cooperation in the Union, in particular Convention No. 10833 and Recommendation No R(87) of the Council of Europe34 and Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters35 [to be replaced by the relevant Directive in force at the moment of adoption].
(33) As far as possible personal data should be distinguished according to the degree of their accuracy and reliability. Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals and the quality and reliability of the information processed by Europol.
(34) Personal data relating to different categories of data subjects are processed in the area of police co-operation. Europol should make distinctions between personal data of different categories of OJ L 8, 12.1.2001, p. 1.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.1.1981.
Council of Europe Committee of Ministers Recommendation No. R(87) 15 to the Member States on regulating the use of personal data in the police sector, 17.9.1987.
OJ L 350, 30.12.2008, p. 60.
EN EN data subjects as clear as possible. Personal data of persons such as victims, witnesses, persons possessing relevant information as well as personal data of minors should in particular be protected. Therefore, Europol should not process them unless it is strictly necessary for preventing and combating crime within its objectives, and if those data supplement other personal data already processed by Europol.
(35) In the light of fundamental rights to protection of personal data, Europol should not store personal data longer than necessary for the performance of its tasks.
(36) To guarantee the security of personal data, Europol should implement appropriate technical and organisational measures.
(37) Any person should have a right of access to personal data concerning them, to have inaccurate data concerning them rectified and to erase or block data concerning them, if the data is no longer required. The rights of the data subject and the exercise thereof should not affect the obligations placed on Europol and should be subject to the restrictions laid down in this Regulation.
(38) The protection of the rights and freedoms of data subjects requires a clear attribution of the responsibilities under this Regulation. In particular, Member States should be responsible for accuracy and keeping up to date the data they have transferred to Europol and for the legality of such transfer. Europol should be responsible for accuracy and for keeping the data provided by other data suppliers up to date. Europol should also ensure that data are processed fairly and lawfully, are collected and processed for a specific purpose, that they are adequate, relevant, not excessive in relation to the purposes for which they are processed, and stored no longer than is necessary for that purpose.
(39) Europol should keep records of collection, alteration, access, disclosure, combination or erasure of personal data for the purposes of verification of the lawfulness of the data processing, selfmonitoring and ensuring proper data integrity and security. Europol should be obliged to cooperate with the European Data Protection Supervisor and make the logs or documentation available upon request, so that they can be used for monitoring processing operations.
(40) Europol should designate a data protection officer to assist it in monitoring compliance with the provisions of this Regulation. The data protection officer should be in a position to perform his/her duties and tasks independently and effectively.
(41) National competent authorities for the supervision of the processing of personal data should monitor the lawfulness of the processing of personal data by Member States. The European Data Protection Supervisor should monitor the lawfulness of data processing by Europol exercising its functions with complete independence.
(42) The European Data Protection Supervisor and national supervisory authorities should cooperate with each other on specific issues requiring national involvement and to ensure coherent application of this Regulation throughout the Union.
(43) As Europol is processing also non-operational personal data, not related to any criminal investigations, processing of such data should be subject to Regulation (EC) No 45/2001.
(44) The European Data Protection Supervisor should hear and investigate complaints lodged by data subjects. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of progress and the outcome of the complaint within a reasonable period.
EN EN (45) Any individual should have the right to a judicial remedy against decisions of the European Data Protection Supervisor concerning him/her.
(46) Europol should be subject to general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, with the exception of liability for unlawful data processing.
(47) It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable.
(48) To ensure that Europol is a fully accountable and transparent internal organisation, it is necessary, in the light of Article 88 of the Treaty on the Functioning of the European Union, to lay down procedures for scrutiny of Europol activities by the European Parliament together with national Parliaments, taking into due account the need to safeguard confidentiality of operational information.
(49) The Staff Regulations of Officials of the European Communities and the Conditions of Employment of Other Servants of the European Communities laid down in Regulation (EEC, Euratom, ECSC) No 259/6836 should apply to Europol staff. Europol should be able to employ staff engaged from the competent authorities of the Member States as temporary agents whose period of service should be limited in order to maintain the principle of rotation, as the subsequent reintegration of staff members into the service of their competent authority facilitates close cooperation between Europol and the competent authorities of the Member States. Member States should take any measure necessary to ensure that staff engaged at Europol as temporary agents may, at the end of this service at Europol, return to the national civil service to which they belong.