«Brussels, 27.3.2013 COM(2013) 173 final 2013/0091 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Union ...»
3. Only Europol shall have access to personal data referred to in paragraphs 1 and 2. The Executive Director shall duly authorise a limited number of officials who would have such access, if this is necessary for the performance of their tasks.
4. No decision which produces legal effects concerning a data subject shall be based solely on automated processing of data referred to in paragraph 2, unless the decision is expressly authorised pursuant to national or Union legislation or, if necessary, by the European Data Protection Supervisor.
5. Personal data referred to in paragraphs 1 and 2 shall not be transmitted to Member States, Union bodies, third countries or international organisations unless strictly necessary in individual cases concerning crime that falls under Europol’s objectives.
Article 37 Time-limits for the storage and erasure of personal data
1. Personal data processed by Europol shall be stored by Europol only as long as necessary for the achievement of its objectives.
2. Europol shall in any case review the need for continued storage no later than three years after the start of initial processing of personal data. Europol may decide on the continued storage of personal data until the following review, which shall take place after another period of three years, if continued storage is still necessary for the performance of Europol’s tasks. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the continued storage of personal data, that data shall be erased automatically after three years.
3. If data concerning persons referred to in Article 36(1) and (2) are stored for a period exceeding five years, the European Data Protection Supervisor shall be informed accordingly.
4. Where a Member State, a Union body, a third country or an international organisation has indicated any restriction as regards the earlier erasure or destruction of the personal data at the moment of transfer in accordance with Article 25(2), Europol shall erase the personal data in accordance with those restrictions. If continued storage of the data is deemed necessary for Europol to perform its tasks, based on information that is more extensive than that possessed by the data provider, Europol shall request the authorisation of the data provider to continue storing the data and present a justification for such a request.
5. Where a Member State, a Union body, a third country or an international organisation erases from its national data files data provided to Europol, it shall inform Europol accordingly.
Europol shall erase the data unless the continued storage of the data is deemed necessary for Europol to achieve its objectives, based on information that is more extensive than that possessed by the data provider. Europol shall inform the data provider of the continued storage of such data and present a justification of such continued storage.
6. Personal data shall not be erased if:
(a) this would damage the interests of a data subject who requires protection. In such cases, the data shall be used only with the consent of the data subject.
(b) their accuracy is contested by the data subject, for a period enabling Member States or Europol, where appropriate, to verify the accuracy of the data;
(c) the personal data have to be maintained for purposes of proof;
(d) the data subject opposes their erasure and requests the restriction of their use instead.
Article 40 Right to rectification, erasure and blocking
1. Any data subject shall have the right to ask Europol to rectify personal data relating to him/her if they are incorrect and, where this is possible and necessary, to complete or update them.
2. Any data subject shall have the right to ask Europol to erase personal data relating to him/her, if they are no longer required for the purposes for which they are lawfully collected or are lawfully further processed.
3. Personal data shall be blocked rather than erased if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose that prevented their erasure.
4. If data as described in paragraphs 1, 2 and 3 held by Europol have been provided to it by third countries, international organisations, or are the results of Europol’s own analyses, Europol shall rectify, erase or block such data.
5. If data as described in paragraphs 1 and 2 held by Europol have been provided directly to Europol by Member States, the Member States concerned shall rectify, erase or block such data in collaboration with Europol.
6. If incorrect data were transferred by another appropriate means or if the errors in the data provided by Member States are due to faulty transfer or were transferred in breach of this Regulation or if they result from their being input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or erase the data in collaboration with the Member States concerned.
7. In the cases referred to in paragraphs 4, 5 and 6 all addressees of such data shall be notified forthwith. In accordance with rules applicable to them, the addressees shall then rectify, erase or block these data in their systems.
Article 41 Responsibility in data protection matters
1. Europol shall store personal data in a way that ensures its source according to Article 23 can be established.
2. The responsibility for the quality of personal data as referred to in Article 34(d) shall lie with the Member State which provided the personal data to Europol and with Europol for personal data provided by Union bodies, third countries or international organisations, as well as for personal data retrieved by Europol from publicly-available sources.
3. The responsibility for compliance with the principles as specified in Article 34(a), (b), (c) and (e) shall lie with Europol.
4. The responsibility for the legality of transfer shall lie:
(a) with the Member State which provided the data in the case of personal data provided by the Member States to Europol; and
(b) with Europol in the cases of personal data provided by Europol to Member States, and third countries or international organisations.
5. In case of a transfer between Europol and a Union body, the responsibility for the legality of the transfer shall lie with Europol. Without prejudice to the preceding sentence, where the data are transferred by Europol following a request from the recipient, both Europol and recipient shall bear the responsibility for the legality of this transfer. In addition, Europol shall be responsible for all data processing operations carried out by it.
Article 43 Logging and documentation
1. For the purposes of verifying the lawfulness of data processing, self-monitoring and ensuring proper data integrity and security Europol shall keep records of collection, alteration, access, disclosure, combination or erasure of personal data. Such logs or documentation shall be deleted after three years, unless the data are further required for on-going control. There shall be no possibility to modify the logs.
2. Logs or documentation prepared under paragraph 1 shall be communicated on request to the European Data Protection Supervisor for the control of data protection. The European Data Protection Supervisor shall use that information only for the control of data protection and ensuring proper data processing as well as data integrity and security.
Article 44 Data Protection Officer
1. The Management Board shall appoint a Data Protection Officer who shall be a member of the staff. In the performance of his/her duties, he/she shall act independently.
2. The Data Protection Officer shall be selected on the basis of his/her personal and professional qualities and, in particular, the expert knowledge of data protection.
3. The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between his/her duty as Data Protection Officer and any other official duties, in particular in relation to the application of the provisions of this Regulation.
4. The Data Protection Officer shall be appointed for a term of between two and five years.
He/she shall be eligible for reappointment up to a maximum total term of ten years. He/she may be dismissed from the post of Data Protection Officer by the Community institution or body which appointed him/her only with the consent of the European Data Protection Supervisor, if he/she no longer fulfills the conditions required for the performance of his/her duties.
5. After his/her appointment the Data Protection Officer shall be registered with the European Data Protection Supervisor by the institution or body which appointed him/her.
6. With respect to the performance of his/her duties, the Data Protection Officer may not receive any instructions.
7. The Data Protection Officer shall in particular have the following tasks with regard to personal data, with the exception of personal data of Europol staff members as well as administrative
(a) ensuring, in an independent manner, lawfulness and compliance with the provisions of this Regulation concerning the processing of personal data;
(b) ensuring that a record of the transfer and receipt of personal data is kept in accordance with this Regulation;
(c) ensuring that data subjects are informed of their rights under this Regulation at their request;
(d) cooperating with Europol staff responsible for procedures, training and advice on data processing;
(e) cooperating with the European Data Protection Supervisor;
(f) preparing an annual report and communicating that report to the Management Board and to the European Data Protection Supervisor.
8. Moreover, the Data Protection Officer shall carry out the functions foreseen by Regulation (EC) No 45/2001 with regard to personal data of Europol staff members as well as administrative personal data.
9. In the performance of his/her tasks, the Data Protection Officer shall have access to all the data processed by Europol and to all Europol premises.
10. If the Data Protection Officer considers that the provisions of this Regulation concerning the processing of personal data have not been complied with, he/she shall inform the Executive Director, requiring him/her to resolve the non-compliance within a specified time. If the Executive Director does not resolve the non-compliance of the processing within the time specified, the Data Protection Officer shall inform the Management Board and they shall agree a specified time for a response. If the Management Board does not resolve the non-compliance of the processing within the time specified, the Data Protection Officer shall refer the matter to the European Data Protection Supervisor.
11. The Management Board shall adopt implementing rules concerning the Data Protection Officer. Those implementing rules shall in particular concern the selection procedure for the position of the Data Protection Officer and his/her dismissal, tasks, duties and powers and safeguards for independence of the Data Protection Officer. Europol shall provide the Data Protection Officer with the staff and resources necessary for him/her to carry out his/her duties. These staff members shall have access to the personal data processed at Europol and to Europol premises only to the extent necessary for the performance of their tasks.
rights of the data subject. For this purpose, the national supervisory authority shall have access, at the National Unit or at liaison officers’ premises, to data submitted by its Member State to Europol in accordance with the relevant national procedures.
2. For the purpose of exercising their supervisory function, national supervisory authorities shall have access to the offices and documents of their respective liaison officers at Europol.
3. National supervisory authorities shall, in accordance with the relevant national procedures, supervise the activities of National Units and the activities of liaison officers, in so far as such activities are of relevance to the protection of personal data. They shall also keep the European Data Protection Supervisor informed of any actions they take with respect to Europol.
4. Any person shall have the right to request the national supervisory authority to verify that the transfer or communication to Europol of data concerning him/her in any form and the access to the data by the Member State concerned are lawful. This right shall be exercised in accordance with the national law of the Member State in which the request is made.
Article 46 Supervision by the European Data Protection Supervisor
1. The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this Regulation relating to the protection of fundamental rights and freedoms of natural persons with regard to processing personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of personal data.
To this end, he/she shall fulfil the duties set out in paragraph 2 and shall exercise the powers granted in paragraph 3.
2. The European Data Protection Supervisor shall have the following duties under this
(a) hear and investigate complaints, and inform the data subject of the outcome within a reasonable period;
(b) conduct inquiries either on his/her own initiative or on the basis of a complaint, and inform the data subjects of the outcome within a reasonable period;
(c) monitor and ensure the application of the provisions of this Regulation and any other Union act relating to the protection of natural persons with regard to the processing of personal data by Europol;