Under Article 36 of the Europol Regulation[1] , any individual is entitled to obtain information on whether personal data relating to him or her are processed by Europol. There is no charge for exercising this right.
Type of information
Europol shall provide the requester with the following information:
- confirmation as to whether or not data related to him or her are being processed;
- information on at least the purposes of the processing operation, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed;
- an indication of the legal basis for processing the data;
- the envisaged period for which the personal data will be stored;
- the existence of the right to request from Europol rectification, erasure or restriction of processing of personal data concerning the data subject.
The requester has the right to receive in an intelligible form the data undergoing processing and any available information as to Europol’s sources.
According to Article 36 (6) of the Europol Regulation, the provision of information in response to any request may be refused or restricted if such refusal or restriction constitutes a measure that is necessary in order to:
- enable Europol to fulfil its tasks properly;
- protect security and public order or prevent crime;
- guarantee that any national investigation will not be jeopardised; or
- protect the rights and freedoms of third parties.
How to exercise your right of access
According to Article 36 (3) of the Europol Regulation, you can exercise your right of access by making a request to the authority appointed for that purpose in the Member State of your choice. Your request will then be sent to Europol without delay and in any case within one month of receipt.
After receiving the request, Europol should provide you with an answer without undue delay and in any case within three months of receiving it from the national authority.
Where to direct a request for access
To exercise your right of access you should send a written request for access to one of the following competent authorities listed below. You may choose to which of these authorities to make your request to. The right of access will be exercised in accordance with the law of the Member State in which that authority is located
National Competent Authorities |
|
Austria |
Bundesministerium für Inneres
|
België/Belgique |
Controleorgaan op de politionele informatie/Organe de contrôle de l’information policière |
Bulgaria |
Ministry of Interior |
Croatia |
Ministry of the Interior |
Cyprus |
Cyprus Police |
Czech Republic |
Policie České republiky |
Danmark |
Rigspolitichefen |
Estonia |
Europol National Unit |
Finland |
Central Criminal Police |
France |
Commission Nationale de l'Informatique et des Libertés (CNIL) |
Germany |
Bundeskriminalamt |
Greece |
Ministry of Interior |
Hungary |
National Police Headquarters |
Ireland |
Europol National Unit |
Latvia |
Data State Inspectorate Blaumana |
Lithuania |
International Liaison Office of Lithuanian Criminal Police Bureau, |
Luxembourg |
Commission Nationale pour la Protection des Données |
Malta |
The Data Protection Officer |
Nederland |
Politie / Landelijke Eenheid |
Poland |
Komenda Główna Policji |
Portugal |
Polícia Judiciária (PJ) |
Romania |
Center for International Police Cooperation |
Slovenia |
Policija, Ministrstvo za notranje zadeve |
Slovak Republic |
Ministerstvo Vnútra Slovenskej Republiky |
Spain |
División de Cooperación Internacional, Dirección General de la Policía |
Sweden |
Swedish Police Authority |
United Kingdom |
National Crime Agency |
How to exercise your right to rectification, erasure and restriction
Under Article 37 of the Europol Regulation any data subject having already accessed personal data concerning him or her, processed by Europol, have the right to request Europol, through the authority appointed for that purpose in the Member State of his or her choice, to rectify personal data concerning him or her held by Europol if they are incorrect or to complete or update them and have the right to request Europol to erase personal data relating to him or her if they are no longer required for the purposes for which they are collected or are further processed. That authority shall refer the request to Europol without delay and in any case within one month of receipt.
Europol shall inform you in writing without undue delay, and in any case within three months of receipt of a request, that data concerning you have been rectified, erased or restricted.
Within three months of receipt of your request, Europol shall inform you in writing of any refusal of rectification, erasure or restricting, of the reasons for such a refusal and of the possibility of lodging a complaint with the EDPS and of seeking a judicial remedy.
Europol’s tasks
According to Article 36 (5) Europol shall consult the competent authorities of the Member States and the provider of the data concerned prior taking a decision regarding your request for access.
A decision on access to personal data shall be conditional on close cooperation between Europol and the Member States and the provider of the data directly concerned by the access of the data subject to such data.
If a Member State or the provider of the data objects to Europol's proposed response, it shall notify Europol of the reasons for its objection. Europol shall take the utmost account of any such objection.
Europol shall subsequently notify its decision to the competent authorities concerned and to the provider of the data.
Europol shall restrict rather than erase personal data if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Restricted data shall be processed only for the purpose that prevented their erasure.
If personal data held by Europol have been provided to it by third countries, international organisations or Union bodies, have been directly provided by private parties or have been retrieved by Europol from publicly available sources or result from Europol's own analyses, Europol shall rectify, erase or restrict such data and, where appropriate, inform the providers of the data.
If personal data held by Europol have been provided to Europol by Member States, the Member States concerned shall rectify, erase or restrict such data in collaboration with Europol, within their respective competences. If incorrect personal data have been transferred by another appropriate means or if the errors in the data provided by Member States are due to faulty transfer or transfer in breach of this Regulation or if they result from data being input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or erase such data in collaboration with the provider of the data concerned. In the above-mentioned cases, all addressees of the data concerned shall be notified forthwith. In accordance with the rules applicable to them, the addressees shall then rectify, erase or restrict those data in their systems.
Right to lodge a complaint with the EDPS
Under Article 47 of the Europol Regulation, you have the right to lodge a complaint with the European Data Protection Supervisor (EDPS)[2] if you consider that the processing by Europol of personal data relating to you does not comply with the Europol Regulation.
Where a complaint relates to a decision taken on the right of access or right to rectification, erasure or restriction, the EDPS shall consult the national supervisory authorities of the Member State that provided the data or the Member State directly concerned. In adopting his or her decision, which may extend to a refusal to communicate any information, the EDPS shall take into account the opinion of the national supervisory authority.
Where a complaint relates to the processing of data provided by a Member State to Europol, the EDPS and the national supervisory authority of the Member State that provided the data.
shall, each acting within the scope of their respective competences, ensure that the necessary checks on the lawfulness of the processing of the data have been carried out correctly.
Where a complaint relates to the processing of data provided to Europol by Union bodies, third countries or international organisations, or of data retrieved by Europol from publicly available sources or resulting from Europol's own analyses, the EDPS shall ensure that Europol has correctly carried out the necessary checks on the lawfulness of the processing of the data.
Right to a judicial remedy against the EDPS
According to Article 47 of the Europol Regulation any action against a decision of the EDPS shall be brought before the Court of Justice of the European Union.
Other rights
Under Article 42(4) of the Europol Regulation, you have the right to request the national supervisory authority to verify the legality of any transfer or communication to Europol of data concerning you in any form and of access to those data by the Member State concerned. That right shall be exercised in accordance with the national law of the Member State in which the request is made.
[1]Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA, OJ L 135, 24.5.2016, p. 53–114.
[2] EDPS postal address: Rue Wiertz 60, B-1047 Brussels, Belgium E-mail | Website