Supervision of Europol

In line with Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 (the Europol Regulation), the EDPS has the task of supervising the lawfulness of personal data processing by Europol as of 1 May 2017.

Europol is an EU body which actively cooperates with the law enforcement authorities of the EU Member States to combat serious international crime and terrorism. Europol also works with many non-EU partner States and international organisations, particularly regarding the fight against terrorism, cybercrime and people smuggling.

The Europol Regulation applies to the processing of operational data, namely data processed by Europol to support the Member States in preventing and combating organised and serious crime, as well as terrorism. Since the amendment of the Europol Regulation that entered into force on 28 June 2022, Chapter IX of the EUDPR (Regulation 2018/1725) is also applicable to Europol.

The Europol Regulation provides any individual with the right to obtain access to his or her data held at Europol (Art. 36). This right of access is described further in Article 80 of the EUDPR.

Similarly, data subjects can ask for rectification, erasure and restriction (Art. 37) of their data, as further described in Article 82 of the EUDPR. 

The EDPS, as an independent supervisory authority, ensures that that the processing of personal data at Europol complies with data protection law.

The EDPS is committed to exercise this supervisory role, reinforcing safeguards in a practical and modern way in line with the new challenges for law enforcement.

To perform this supervision work, the EDPS takes on different duties, also taking into account the cross-border dimension (at European and international level) of the data processing:

  • One of the tools laid down under Europol Regulation to ensure compliance are Inspections, to be carried out by the EDPS in cooperation with national supervisory authorities.
  • The EDPS advises Europol, either on our own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular when it draws up internal rules or administrative measures relating to the protection of fundamental rights and freedoms with regard to the processing of personal data or with reference to the transfer and exchange of personal data.
  • Where new types of processing operations by Europol (due in particular to the categories of data involved or the use of new technologies or procedures) present high risks to individuals, these processing operations need to be submitted to the EDPS for prior consultation. Based on the facts submitted by Europol, the EDPS will examine the processing of personal data in relation to the data protection safeguards laid down under Europol Regulation, the EUDPR and with all relevant data protection principles and rules. In most cases, this exercise leads to a set of recommendations that the controller has to implement so as to ensure compliance with data protection rules.
  • The EDPS hears and investigates complaints from individuals who consider that their personal data have been mishandled by Europol. If a complaint is admissible, the EDPS carries out an inquiry. In cases relating to data originating from one or more Member States, the EDPS will consult the national supervisory authority of the Member State concerned. The EDPS then adopts a decision which is communicated to the complainant and Europol.
  • The EDPS may carry out inquiries for the monitoring of compliance with reference to a specific topic, either as a follow up to a complaint or on our own initiative, for example on the basis on the information Europol has to provide to the EDPS under the Europol Regulation (about new operational analysis projects, data stored for over 5 years, certain transfers to third countries or international organisations, etc.).
  • Europol has a specific duty to report operational data breaches to the EDPS, as well as to the competent authorities of Member States, without undue delay. Operational data are data processed by Europol in the framework of their core business of supporting Member States in preventing and combating cross-border crime and terrorism. If the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms, Europol must also inform the  individuals concerned without unnecessary delay. Europol must ensure that they have prevention and detection mechanisms in place for personal data breaches, as well as investigation and internal reporting procedures. They must also ensure that when they identify a personal data breach, they are able to respond effectively to mitigate the negative effects of the breach on the individuals whose data has been compromised. Europol must document operational data breaches, including all details about the breach, and the DPO must keep a register of all personal data breaches. For administrative data, Europol is subject to the same rules as the other EU institutions under Regulation 2018/1725.

As mentioned, an essential aspect of this supervision is the cooperation with national supervisory authorities, in particular within the newly established Coordinated Supervision Committeea specific forum within the European Data Protection Board for discussion of common issues, for developing guidelines and best practices, and launching coordinated supervisory actions.

In order to monitor compliance with the Europol Regulation, the EDPS cooperates with the Data Protection Officer (DPO) appointed in Europol.

As part of its annual report, the EDPS will publish a summary of its supervisory activities on Europol including information on complaints, inquiries, inspections, transfers of personal data to third countries and international organisations, as well as prior consultations.

The EDPS is also accountable for our supervisory activities before the Joint Parliamentary Scrutiny Group (JPSG), composed of representatives of the European and of national Parliament, established under the Europol Regulation.

Archived website of the former Joint Supervisory Body of Europol.

Regulation 2018/1725 applies to Europol's processing of administrative data, which includes data on staff and visitors, for example.




EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity

On 3 January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.

Available languages: English
Available languages: English



Remarks at the LIBE meeting on the follow-up to the EDPS admonishment of Europol

Remarks by the European Data Protection Supervisor, Wojciech Wiewiórowski, at the Committee on Civil Liberties, Justice and Home Affairs (LIBE) meeting on the follow-up to the EDPS admonishment of Europol in Brussels, Belgium.

Available languages: English