The new Europol: no more European FBI, not yet European NSA…

NOTA BENE THE NUMBERING OF ARTICLES AND PARAGRAPHS IS STILL PROVISIONAL AND SUBJECT TO LEGAL LINGUISTIC REVISION

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 88 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national Parliaments,
Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)        Europol was set up by Decision 2009/371/JHA[2] as an entity of the Union funded from the general budget of the Union to support and strengthen action by competent authorities of the Member States and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime affecting two or more Member States. Decision 2009/371/JHA replaced the Convention based on Article K.3 of the Treaty on European Union, on the establishment of a European Police Office (Europol Convention).[3]
(2)        Article 88 of the Treaty provides for Europol to be governed by a regulation to be adopted in accordance with the ordinary legislative procedure. It also requires the establishment of procedures for the scrutiny of Europol’s activities by the European Parliament, together with national Parliaments, subject to Article 12(c) of the Treaty on European Union and Article 9 of Protocol No 1 on the role of national parliaments in the European Union, in order to enhance the democratic legitimacy and accountability of Europol to the European citizens. Therefore, Decision 2009/371/JHA should be replaced by a regulation laying down rules on parliamentary scrutiny.
(4)        The ‘Stockholm Programme – An open and secure Europe serving and protecting citizens’[4] calls for Europol to evolve and become a “hub for information exchange between the law enforcement authorities of the Member States, a service provider and a platform for law enforcement services.” On the basis of an assessment of Europol’s functioning, further enhancement of its operational effectiveness is needed to meet this objective.
(5)        Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to the safety and livelihood of its citizens. Available threat assessments show that criminal groups are becoming increasingly poly-criminal and cross-border in their activities. National law enforcement authorities therefore need to cooperate more closely with their counterparts in other Member States. In this context, it is necessary to equip Europol to support Member States more in Union-wide crime prevention, analyses and investigations. This has also been confirmed in the evaluation of Decision 2009/371/JHA.
(7)        This Regulation aims to amend and expand the provisions of Decision 2009/371/JHA as well as Decisions 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA implementing Decision 2009/371/JHA. Since the amendments to be made are of substantial number and nature, these Decisions should in the interests of clarity be replaced in their entirety in relation to the Member States bound by this Regulation. Europol as established by this Regulation should replace and assume the functions of Europol as established by Decision 2009/371/JHA, which, as a consequence, should be repealed.
(8)        As serious crime often occurs across internal borders, Europol should support and strengthen Member State actions and their cooperation in preventing and combating serious crime affecting two or more Member States. As terrorism is one of the most important threats for the security of the Union, Europol should assist Member States in facing common challenges in this regard. As the EU law enforcement agency, Europol should also support and strengthen actions and cooperation on tackling forms of crime that affect the interests of the EU. Among the forms of crime which Europol is competent to deal with, organised crime will continue to fall within Europol’s main objectives, as it also calls for a common approach by the Member States, owing to its scale, significance and consequences. Europol should also offer support in preventing and combating related criminal offences which are committed in order to procure the means, to facilitate, to carry out or to ensure the impunity of acts in respect of which Europol is competent.
(8b)      Europol should provide strategic analyses and threats assessments to assist the Council and the Commission in laying down strategic and operational priorities of the Union for fighting crime and in the operational implementation of those priorities. Where the Commission so requests in accordance with Article 8 of Council Regulation (EU) No 1053/2013^39c Europol should also carry out risk analyses, including on organised crime, in so far as these may undermine the application of the Schengen acquis by the Member States. Moreover, at the request of the Council or the Commission where appropriate Europol should provide strategic analyses and threat assessments to contribute to the evaluation of States which are candidates for accession to the Union.
(10a)    Attacks against information systems affecting Union bodies or two or more Member States are a growing menace in the Union, in particular in view of their speed, impact and difficulties to identify their sources. When considering requests by Europol to initiate an investigation into a serious attack of suspected criminal origin against information systems affecting Union bodies or two or more Member States, Member States should respond to Europol without delay, taking into account that rapidity of response is a key factor to successfully tackle computer crime.
(13aa)   Given the importance of the inter-agency cooperation, Europol and Eurojust should ensure that necessary arrangements are established to optimise their operational cooperation, taking due account of their respective missions and mandates and of the interests of Member States. In particular, Europol and Eurojust should keep each other informed of any activity involving the financing of joint investigation teams.
(13ab)   When a joint investigation team is set up, the relevant agreement should determine the conditions relating to the participation of the Europol staff in the team. Europol should keep a record of its participation in such joint investigation teams targeting criminal activities falling within its objectives.
(13b)    Europol should be able to request Member States to initiate, conduct or coordinate criminal investigations in specific cases where cross-border cooperation would add value. Europol should inform Eurojust of such requests.
(11)      Europol should be a hub for information exchange in the Union. Information, collected, stored, processed, analysed and exchanged by Europol includes criminal intelligence, which relates to information about crime or criminal activities, falling within Europol’s objectives, with a view to establishing whether concrete criminal acts have been committed or may be committed in the future.
(11a)    In order to ensure Europol’s effectiveness as a hub of information exchange, clear obligations for Member States to provide Europol with the data necessary for it to fulfil its objectives should be laid down. While implementing such obligations, Member States should pay particular attention to providing data relevant for the fight against crimes considered to be strategic and operational priorities within relevant policy instruments of the Union, in particular the priorities set by the Council in the framework of the EU Policy Cycle for organised and serious international crime. Member States should also endeavour to provide Europol with a copy of bilateral and multilateral exchanges of information with other Member States on crime falling under Europol’s objectives.
When supplying Europol with the necessary information, Member States should also include information about any alleged cyber attacks affecting Union bodies located in their territory.
At the same time, Europol should increase the level of its support to Member States, so as to enhance mutual cooperation and sharing of information. Europol should submit an annual report to the European Parliament, the Council, the Commission and to national Parliaments on the information provided by the individual Member States.
(12)      To ensure effective cooperation between Europol and Member States, a National Unit should be set up in each Member State. It should be the liaison between national competent authorities and Europol, thereby having a coordinating role in respect of Member States’ cooperation with Europol, and thus contributing to ensuring that each Member State responds to Europol requests in a uniform way. To ensure continuous, effective exchange of information between Europol and National Units and to facilitate their cooperation, each National Unit should second at least one liaison officer to Europol.
(13)      Taking into account the decentralised structure of some Member States and the need to ensure rapid exchanges of information, Europol should be allowed to cooperate directly with competent authorities in Member States, subject to the conditions defined by Member States while keeping Europol National Units informed at their request.
(13a)    The establishment of joint investigation teams should be encouraged and Europol staff should be able to participate in them. To ensure that such participation is possible in every Member State, Council Regulation (Euratom, ECSC, EEC) No 549/69[5], as amended by Council Regulation (EC) No 371/2009[6], provides that Europol staff do not benefit from immunities while they are participating in joint investigation teams.
(15)      It is also necessary to improve the governance of Europol, by seeking efficiency gains and streamlining procedures.
(16)      The Commission and the Member States should be represented on the Management Board of Europol to effectively supervise its work. The members and the alternate members of the Management Board should be appointed taking into account their relevant managerial, administrative and budgetary skills and knowledge of law enforcement cooperation. Alternate members should act as members in the absence of the member.
(16a)    All parties represented in the Management Board should make efforts to limit the turnover of their representatives, to ensure continuity of the Management Board’s work. All parties should aim to achieve a balanced representation between men and women on the Management Board.
(16b)    The Management Board may invite non-voting observers whose opinion may be relevant for the discussion, including a representative designated by the JPSG.
(17)      The Management Board should be given the necessary powers, in particular to set the budget, verify its execution, adopt the appropriate financial rules and planning documents, as well as adopt rules for the prevention and management of conflicts of interests in respect of its members, establish transparent working procedures for decision-making by the Executive Director of Europol, and adopt the annual activity report. It should exercise the powers of appointing authority towards staff of the agency including the Executive Director.
(18)      To ensure the efficient day-to-day functioning of Europol, the Executive Director should be its legal representative and manager, acting independently in the performance of his/her duties and ensuring that Europol carries out the tasks provided for by this Regulation. In particular, the Executive Director should be responsible for preparing budgetary and planning documents submitted for the decision of the Management Board, implementing the multiannual programming and annual work programmes of Europol and other planning documents.
(19)      For the purposes of preventing and combating crime falling under its objectives, it is necessary for Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to process data provided to it by Member States, Union bodies, third countries, international organisations and, under stringent conditions set out in this Regulation, private parties as well as coming from publicly available sources to develop an understanding of criminal phenomena and trends, to gather information about criminal networks, and to detect links between different offences.
(20)      To improve Europol’s effectiveness in providing accurate crime analyses to the Member States’ competent authorities, it should use new technologies to process data. Europol should be able to swiftly detect links between investigations and common modi operandi across different criminal groups, to check cross-matches of data and to have a clear overview of trends, while guaranteeing high level of protection of personal data for individuals. Therefore, Europol databases should be structured in such a way as to allow Europol to choose the most efficient IT structure. Europol should also be able to act as a service provider, in particular by providing a secure network for the data exchange, such as SIENA, aiming to facilitate the exchange of information between Member States, Europol, other Union bodies, third states and international organisations. To ensure a high level of data protection, the purpose of processing operations and access rights as well as specific additional safeguards should be laid down. In particular, the principles of necessity and proportionality should be observed with regard to personal data processing.
(20a)    Europol should ensure that all personal data processed for operational analyses are allocated a specific purpose. Nonetheless, in order for Europol to fulfil its mission, it should be allowed to process all personal data received to identify links between multiple crime areas and investigations, and not be limited to identifying connections only within one crime area.
(21)      To respect ownership of data and protection of information, Member States, Union bodies, third countries and international organisations should be able to determine the purpose or the purposes for which Europol may process the data they provide and to restrict access rights. Purpose limitation is a fundamental principle of personal data processing; in particular, it contributes to transparency, legal certainty and predictability and is especially of high importance in the area of law enforcement cooperation, where data subjects are usually unaware when their personal data are being collected and processed and where the use of personal data may have a very significant impact on the lives and freedoms of individuals.
(22)      To ensure that data are accessed only by those for whom access is necessary to perform their tasks, this Regulation should lay down detailed rules on different degrees of right of access to data processed by Europol. Such rules should be without prejudice to restrictions on access imposed by data providers, as the principle of ownership of data should be respected. In order to increase efficiency of preventing and combating crime falling under Europol’s objectives, Europol should notify Member States of information which concerns them.
(23)      To enhance operational cooperation between the agencies, and particularly to establish links between data already in possession of the different agencies, Europol should enable Eurojust and the European Anti-Fraud Office (OLAF) to have access on the basis of a hit/no hit system to data available at Europol. Europol and Eurojust should be able to conclude a working arrangement ensuring in a reciprocal manner within their respective mandates, the access to and the possibility to search all information that has been provided for the purpose of cross-checking in accordance with specific safeguards and data protection guarantees provided for in this Regulation. Any access to data available at Europol would by technical means be limited to information falling within the respective mandates of these Union bodies.
(24)      Europol should maintain cooperative relations with other Union bodies, authorities of third countries, international organisations, and private parties to the extent required for the accomplishment of its tasks.
(25)      To ensure operational effectiveness, Europol should be able to exchange all relevant information, with the exception of personal data, with other Union bodies, authorities of third countries, and international organisations to the extent necessary for the performance of its tasks. Since companies, firms, business associations, non-governmental organisations and other private parties hold expertise and information of direct relevance to the prevention and combating of serious crime and terrorism, Europol should also be able to exchange such information with private parties. To prevent and combat cybercrime, as related to network and information security incidents, Europol should, pursuant to Directive [name of adopted Directive] of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union,[7] cooperate and exchange information, with the exception of personal data, with national authorities competent for the security of network and information systems.
(26)      Europol should be able to exchange relevant personal data with other Union bodies to the extent necessary for the accomplishment of its tasks.
(27)      Serious crime and terrorism often have links beyond the territory of the EU. Europol should therefore be able to exchange personal data with authorities of third countries and with international organisations such as Interpol to the extent necessary for the accomplishment of its tasks.
(27a)    All Member States are affiliated to the International Criminal Police Organisation – Interpol. To fulfil its mission, Interpol receives, stores, and circulates data to assist competent law enforcement authorities to prevent and combat international crime. Therefore, it is appropriate to strengthen cooperation between Europol and Interpol by promoting an efficient exchange of personal data whilst ensuring the respect for fundamental rights and freedoms regarding the automatic processing of personal data. When personal data is transferred from Europol to Interpol, this Regulation should apply, in particular the provisions on international transfers.
(27b)    To guarantee purpose limitation, it is important to ensure that personal data can be transferred by Europol to Union bodies, third countries and international organisations only if this is necessary for preventing and combating crime that falls under Europol’s objectives. To this end, it has to be ensured when transferring personal data that the recipient gives an undertaking that the data will be used by the recipient or transferred onward to a competent authority of a third country solely for the purpose for which they were originally transferred. Further onward transfer of the data should take place in compliance with this Regulation.
(28)      Europol should be able to transfer personal data to an authority of a third country or an international organisation on the basis of a Commission decision finding that the country or international organisation in question ensures an adequate level of data protection, or, in the absence of an adequacy decision, an international agreement concluded by the Union pursuant to Article 218 of the Treaty, or a cooperation agreement allowing for the exchange of personal data concluded between Europol and this third country prior to the entry into force of this Regulation. In view of Article 9 of Protocol 36 on transitional provisions attached to the Treaty, legal effects of such agreements should be preserved until those agreements are repealed, annulled or amended in the implementation of the Treaty. Where appropriate and in accordance with Regulation 45/2001, the Commission may consult the European Data Protection Supervisor before and during the negotiation of an international agreement. Where the Management Board identifies an operational need for cooperation with a third country or international organisation, it should be able suggest to the Council to draw the attention of the Commission to the need for an adequacy decision or for a recommendation for the opening of negotiations on an international agreement as referred to above.
(29)      Where a transfer of personal data cannot be based on an adequacy decision taken by the Commission, or, an international agreement concluded by the Union, or an existing cooperation agreement, the Management Board in agreement with the European Data Protection Supervisor should be allowed to authorise a set of transfers, where specific conditions so require and provided adequate safeguards are ensured. The Executive Director should be allowed to authorise the transfer of data in exceptional cases on a case-by-case basis, where specific strict conditions so require.
(30)      Europol should be able to process personal data originating from private parties and private persons only if transferred to Europol by a Europol National Unit of a Member State in accordance with its national law or, by a contact point in a third country or an international organisation with which there is established cooperation through a cooperation agreement allowing for the exchange of personal data concluded in accordance with Article 23 of Decision 2009/371/JHA prior to the entry into force of this Regulation or an authority of a third country or an international organisation which is subject to an adequacy decision or with which the Union has concluded an international agreement pursuant to Article 218 of the Treaty. In cases where Europol nonetheless receives personal data directly from private parties and where the National Unit, contact point or authority concerned cannot be identified, Europol may process that personal data solely for the purpose of identifying these entities, and such data should be deleted unless these entities resubmit that personal data within four months after the transfer takes place. Europol should ensure by technical means that during that period such data would not be accessible for processing for any other purpose.
(30a)    Taking into account the exceptional and specific threat posed to the internal security of the Union by terrorism and other forms of serious crime, especially as facilitated, promoted or committed using the Internet, the activities that Europol should undertake on the basis of this Regulation, stemming from its implementation of the Conclusions of the Council of 12 March 2015 and the call by the special European Council of 23 April 2015 in relation especially to those priority areas, in particular the corresponding practice of direct exchanges of personal data with private parties should be evaluated by the Commission two years after the date of application of this Regulation.
(31)      Any information which has clearly been obtained in obvious violation of human rights shall not be processed.
(32)      Data protection rules at Europol should be strengthened and draw on the principles underpinning Regulation (EC) No 45/2001[8] to ensure a high level of protection of individuals with regard to processing of personal data. As Declaration 21 attached to the Treaty recognizes the specificity of personal data processing in the law enforcement context, the data protection rules of Europol should be autonomous while at the same time coherent with other relevant data protection instruments applicable in the area of police cooperation in the Union, in particular [Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data[9]].
(32a)    Any processing of personal data by Europol must be lawful and fair in relation to the data subjects concerned. The principle of fair processing requires transparency of processing allowing data subjects concerned to exercise their rights under this Regulation. The access to their personal data can nevertheless be refused or restricted, if, with due regard to the interests of the data subjects concerned, this constitutes a necessary measure to enable Europol to fulfil its tasks properly, to protect security and public order or to prevent crime, to guarantee that any national investigation will not be jeopardised or to protect the rights and freedoms of third parties. To enhance transparency, Europol should make publicly available a document setting out in an intelligible form the applicable provisions regarding the processing of personal data and the means available for the exercise of the rights of data subjects. Europol should also publish on its website a list of adequacy decisions, agreements, and administrative arrangements relating to the transfer of personal data to third countries and international organisations. Moreover, in order to increase Europol’s transparency towards European citizens and its accountability, Europol should publish on its website a list of its Management Board members and the summaries of the outcome of the meetings of the Management Board, where appropriate, while respecting data protection requirements.
(33)      As far as possible personal data should be distinguished according to the degree of their accuracy and reliability. Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals and the quality and reliability of the information processed by Europol. In the case of information from publicly available sources, particularly sources on the internet, Europol should as far as possible assess the accuracy of such information and the reliability of its source with particular diligence in order to meet the risks associated with the internet as regards the protection of personal data and privacy.
(34)      Personal data relating to different categories of data subjects are processed in the area of law enforcement co-operation. Europol should make distinctions between personal data of different categories of data subjects as clear as possible. Personal data of persons such as victims, witnesses, persons possessing relevant information as well as personal data of minors should in particular be protected. Europol should only process sensitive data if those data supplement other personal data already processed by Europol.
(35)      In the light of fundamental rights to protection of personal data, Europol should not store personal data longer than necessary for the performance of its tasks. The need for continued storage of such data should be reviewed no later than three years after the start of its initial processing.
(36)      To guarantee the security of personal data, Europol and Member States should implement necessary technical and organisational measures.
(37)      Any person should have a right of access to personal data concerning them, to have inaccurate data concerning them rectified and to erase or block data concerning them, if the data is no longer required. The costs related to exercising the right of access to personal data should never represent a barrier for effectively exercising this right. The rights of the data subject and the exercise thereof should not affect the obligations placed on Europol and should be subject to the restrictions laid down in this Regulation.
(38)      The protection of the rights and freedoms of data subjects requires a clear attribution of the responsibilities under this Regulation. In particular, Member States should be responsible for accuracy and keeping up to date the data they have transferred to Europol and for the legality of such transfer. Europol should be responsible for accuracy and for keeping the data provided by other data suppliers or which results from Europol’s own analyses up to date. Europol should also ensure that data are processed fairly and lawfully, are collected and processed for a specific purpose, that they are adequate, relevant, not excessive in relation to the purposes for which they are processed, stored no longer than is necessary for that purpose, and are processed in a manner that ensures appropriate security of personal data and confidentiality of data processing.
(39)      Europol should keep records of collection, alteration, access, disclosure, combination or erasure of personal data for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security. Europol should be obliged to co-operate with the European Data Protection Supervisor and make the logs or documentation available upon request, so that they can be used for monitoring processing operations.
(40)      Europol should designate a data protection officer to assist it in monitoring compliance with the provisions of this Regulation. The data protection officer should be in a position to perform his/her duties and tasks independently, effectively and should be provided with the necessary resources.
(41)      Independent, transparent, accountable and effective structures for supervision are essential for the protection of individuals with regard to the processing of personal data as required by Article 8(3) of the Charter of Fundamental Rights. National competent authorities for the supervision of the processing of personal data should monitor the lawfulness of personal data provided by Member States to Europol. The European Data Protection Supervisor should monitor the lawfulness of data processing by Europol exercising its functions with complete independence. In this regard, the prior consultation mechanism is an important safeguard for new types of processing operations. This should not apply to specific individual operational activity, such as the operational analysis projects, but to the use of new IT systems for the processing of personal data or any substantial changes thereto.
(42)      It is important to ensure a strengthened and effective supervision of Europol and to guarantee that the European Data Protection Supervisor can make use of appropriate law enforcement data protection expertise when it takes on the responsibility for data protection supervision of Europol. The European Data Protection Supervisor and national supervisory authorities should closely co-operate with each other on specific issues requiring national involvement and to ensure coherent application of this Regulation throughout the Union.
(42a)    In order to facilitate the cooperation between the European Data Protection Supervisor and the national supervisory authorities, but without prejudice to the independence of the European Data Protection Supervisor and his/her responsibility for data protection supervision of Europol, they should regularly meet within the Cooperation Board which, as an advisory body, should deliver opinions, guidelines, recommendations and best practices on various issues requiring national involvement.
(43)      As Europol is processing also non-operational personal data, not related to any criminal investigations, such as personal data of staff of Europol, services providers or visitors, processing of such data should be subject to Regulation (EC) No 45/2001.
(44)      The European Data Protection Supervisor should hear and investigate complaints lodged by data subjects. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of progress and the outcome of the complaint within a reasonable period.
(45)      Any individual should have the right to a judicial remedy against decisions of the European Data Protection Supervisor concerning him/her.
(46)      Europol should be subject to general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, with the exception of liability for unlawful data processing.
(47)      It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable.
(48)      While respecting the role of the European Parliament, together with national parliaments in the scrutiny of Europol’s activity, it is necessary that Europol be a fully accountable and transparent internal organisation. To that end, in the light of Article 88 of the Treaty on the Functioning of the European Union, procedures for scrutiny of Europol activities by the European Parliament together with national Parliaments, should be established. Such procedures should be subject to Article 12(c) of the Treaty on European Union and the provisions on interparliamentary cooperation laid down in Article 9 of Protocol No 1 on the role of national parliaments in the European Union, providing that the European Parliament and national Parliaments should together determine the organisation and promotion of effective and regular interparliamentary cooperation within the Union. The procedures for scrutiny of Europol activities should be established taking into due account the need to ensure that the European Parliament and the national parliaments stand on an equal footing as well as the need to safeguard confidentiality of operational information. However, the way in which national Parliaments scrutinise their governments in relation to the activities of the Union is a matter for the particular constitutional organisation and practice of each Member State.
(49)      The Staff Regulations of Officials of the European Communities and the Conditions of Employment of Other Servants of the European Communities laid down in Regulation (EEC, Euratom, ECSC) No 259/68[10] should apply to Europol staff. Europol should be able to employ staff engaged from the competent authorities of the Member States as temporary agents whose period of service should be limited in order to maintain the principle of rotation, as the subsequent reintegration of staff members into the service of their competent authority facilitates close cooperation between Europol and the competent authorities of the Member States. Member States should take any measure necessary to ensure that staff engaged at Europol as temporary agents may, at the end of this service at Europol, return to the national civil service to which they belong.
(50)      Given the nature of the duties of Europol and the role of the Executive Director, the Executive Director may be invited to appear before the competent committee of the European Parliament before his appointment, as well as before any extension of his term of office. The Executive Director should also present the annual report to the European Parliament and to the Council. Furthermore, the European Parliament and the Council should be able to invite the Executive Director to report on the performance of his duties.
(51)      To guarantee the full autonomy and independence of Europol, it should be granted an autonomous budget, with revenue coming essentially from a contribution from the budget of the Union. The Union budgetary procedure should be applicable as far as the Union contribution and any other subsidies chargeable to the general budget of the Union are concerned. The auditing of accounts should be undertaken by the Court of Auditors.
(52)      Commission Delegated Regulation (EU) No 1271/2013 of 30.9.2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council^14a should apply to Europol.
(52a)    Given their specific legal and administrative powers and their technical competences in conducting cross-border information exchange activities, operations and investigations, including in joint investigation teams, and in providing facilities for training, the competent authorities of Member States should be able to receive grants from Europol without call for proposals in accordance with Article 190(1)(d) of Commission Delegated Regulation (EU) No 1268/2012[11].
(53)      Regulation (EU) No 883/2013 of the European Parliament and of the Council concerning investigations conducted by the European Anti-Fraud Office (OLAF) should apply to Europol.
(54)      Europol processes data that require particular protection as they include sensitive non-classified and EU classified information. Europol should therefore draw up rules on confidentiality and processing of such information. The rules on the protection of European Union classified information should be consistent with Council Decision 2013/488/EU on the security rules for protecting European Union classified information[12].
(55)      It is appropriate to evaluate the application of this Regulation regularly.
(56)      The necessary provisions regarding accommodation for Europol in the Hague where it has its headquarters, and the specific rules applicable to all Europol’s staff and members of their families should be laid down in a headquarters agreement. Furthermore, the host Member State should provide the necessary conditions for the smooth operation of Europol, including multilingual, European-oriented schooling and appropriate transport connections, so as to attract high-quality human resources from as wide a geographical area as possible.
(57)      Europol, as set up by this Regulation replaces and succeeds Europol as established by Decision 2009/371/JHA. It should therefore be a legal successor of all its contracts, including employment contracts, liabilities and properties acquired. International agreements concluded by Europol as established on the basis of Decision 2009/371/JHA and agreements concluded by Europol as established by the Europol Convention before 1 January 2010 should remain in force.
(58)      To enable Europol to continue to fulfil the tasks of Europol as established on the basis of Decision 2009/371/JHA to the best of its abilities, transitional measures should be laid down, in particular with regard to the Management Board, the Executive Director and staff employed under a contract of indefinite duration as a local staff member concluded by Europol as established by the Europol Convention, who should be offered a possibility of employment as a member of temporary or contract staff under the Conditions of employment of other servants.
(58a)    The Council Act 1999/C 26/07^[13] on Europol staff regulations, as amended by Council Decision 1999/C 364/02^[14], still applies to staff employed by Europol before the entry into force of the Council Decision 2009/371/JHA^[15]. Therefore, transitional provisions should provide that contracts concluded in accordance with such staff regulations remain governed by them.
(59)      Since the objective of this Regulation, namely the establishment of an entity responsible for law-enforcement cooperation at Union level, cannot be sufficiently achieved by the Member States and can, therefore, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity, as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve that objective.
(60)      In accordance with Articles 3 and 4a(1) of Protocol (No 21) on the position of United Kingdom and Ireland in respect of the Area of Freedom, Security and Justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Ireland has notified its wish to participate in the adoption and application of this Regulation.
(60a)    In accordance with Articles 1, 2 and 4a(1) of Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the Area of Freedom, Security and Justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, and without prejudice to Article 4 of that Protocol, the United Kingdom is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(61)      In accordance with Articles 1 and 2 of the Protocol (No 22) on the position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.
(61a)    The European Data Protection Supervisor has been consulted and issued an opinion on 31 May 2013.
(62)      This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data and the right to privacy as protected by Articles 8 and 7 of the Charter, as well as by Article 16 of the Treaty.

HAVE ADOPTED THIS REGULATION:

Chapter I GENERAL PROVISIONS, OBJECTIVES AND TASKS OF EUROPOL

Article 1 Establishment of the European Union Agency for Law Enforcement Cooperation
A European Union Agency for Law Enforcement Cooperation (Europol) is hereby established with a view to supporting cooperation among law enforcement authorities in the European Union.

Europol, as established by this Regulation, shall replace and succeed Europol as established by Decision 2009/371/JHA.

Article 2 Definitions

For the purposes of this Regulation:

‘the competent authorities of the Member States’ means all police authorities and other law enforcement services existing in the Member States, which are responsible under national law for preventing and combating criminal offences. The competent authorities shall also comprise other public authorities existing in the Member States which are responsible under national law for preventing and combating criminal offences in respect of which Europol is competent;
(bb)      “strategic analysis” means all methods and techniques by which information is collected, stored, processed and assessed with the aim of supporting and developing a criminal policy that contributes to an efficient and effective prevention of and fight against criminal offences;
(bbb)    “operational analysis” means all methods and techniques by which information is collected, stored, processed and assessed with the aim of supporting criminal investigations;
(c)        ‘Union bodies’ means institutions, bodies, missions, offices and agencies set up by, or on the basis of, the Treaty on European Union and the Treaty on the Functioning of the European Union;
(f)         ‘international organisations’ means international organisations and their subordinate bodies governed by public international law or other bodies which are set up by, or on the basis of, an agreement between two or more countries;
(g)        ‘private parties’ means entities and bodies established under the law of a Member State or a third country, in particular companies and firms, business associations, non-profit organisations and other legal persons that are not covered by point (f);
(h)        ‘private persons’ means all natural persons;
(i)         ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
(ia)       ‘genetic data’ means all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question;
(j)         ‘processing of personal data’ hereinafter referred to as ‘processing’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
[(k)       ‘recipient’ means a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not;]
(l)         ‘transfer of personal data’ means the communication of personal data, actively made available, between a limited number of identified parties, with the knowledge or intention of the sender to give the recipient access to the personal data;
(la)       ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
[(n)       ‘the data subject’s consent’ means any freely given specific and informed indication of his/her wishes by which the data subject signifies his/her agreement to personal data relating to him/her being processed;]
(o)        ‘administrative personal data’ means all personal data processed by Europol apart from those that are processed to meet the objectives laid down in Article 3(1) and (2).

Article 3 Objectives

 

• Europol shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy, listed in Annex 1.
• In addition to paragraph 1, Europol’s objectives shall also cover related criminal offences. The following offences shall be regarded as related criminal offences:

 

• criminal offences committed in order to procure the means of perpetrating acts in respect of which Europol is competent;
• criminal offences committed in order to facilitate or carry out acts in respect of which Europol is competent;
• criminal offences committed in order to ensure the impunity of acts in respect of which Europol is competent.

Article 4 Tasks

 

• Europol shall perform the following tasks to achieve the objectives set out in Article 3:

 

(a)        collect, store, process, analyse and exchange information, including criminal intelligence;
(b)        notify the Member States, via the National Units established or designated in accordance with Article 7(2), without delay of any information and connections between criminal offences concerning them;
(c)        coordinate, organise and implement investigative and operational action to support and strengthen action of Member States’ competent authorities
(i) carried out jointly with the competent authorities of the Member States; or
(ii)        in the context of joint investigation teams, in accordance with Article 8a, where appropriate, in liaison with Eurojust;
(d)        participate in joint investigation teams as well as propose that they are set up in accordance with Article 8a;
(e)        provide information and analytical support to Member States in connection with major international events;
(f)         prepare threat assessments, strategic and operational analyses and general situation reports;
(g)        develop, share and promote specialist knowledge of crime prevention methods, investigative procedures and technical and forensic methods, and provide advice to Member States;
(h)        support Member States’ cross-border information exchange activities, operations and investigations, as well as joint investigation teams, including by providing operational, technical and financial support;
(i)         provide specialised training and assist Member States in organising training, including financial support, within the scope of its objectives and in accordance with the staffing and budgetary resources at its disposal in coordination with the European Police College (CEPOL);
(j)         cooperate with the Union bodies established on the basis of Title V of the Treaty and with the European Anti-Fraud Office (OLAF), in particular through the exchange of information and by providing them with analytical support in the areas that fall under their competence;
(k)        provide information and support to EU crisis management structures and missions established on the basis of the Treaty on European Union within the scope of Europol’s objectives set out in Article 3;
(l)         develop Union centres of specialised expertise for combating certain types of crime falling under Europol’s objectives, in particular the European Cybercrime Centre.
(m)       to support Member States’ actions in preventing and combating forms of crime listed in Annex 1 which are facilitated, promoted or committed using the internet, including, in cooperation with Member States, the making of referrals of internet content, by which such forms of crime are facilitated, promoted or committed, to the online service providers concerned for their voluntary consideration of compatibility of the referred with their own terms and conditions.

2. Europol shall provide strategic analyses and threats assessments to assist the Council and the Commission in laying down strategic and operational priorities of the Union for fighting crime. Europol shall also assist in the operational implementation of those priorities.
3. Europol shall provide strategic analyses and threat assessments to assist the efficient and effective use of the resources available at national and Union level for operational activities and the support of those activities.
4. Europol shall act as the Central Office for combating euro counterfeiting in accordance with Decision 2005/511/JHA of 12 July 2005 on protecting the euro against counterfeiting^[16]. Europol shall also encourage the coordination of measures carried out to fight euro counterfeiting by the competent authorities of the Member States or in the context of joint investigation teams, where appropriate in liaison with Union bodies and the authorities of third countries.
5. Europol shall not apply coercive measures in carrying out its tasks.

Chapter II COOPERATION BETWEEN MEMBER STATES AND EUROPOL

Article 8a Participation in joint investigation teams

Europol staff may participate in the activities of joint investigation teams dealing with crime falling within Europol’s objectives. The agreement setting up a joint investigation team shall determine the conditions relating to the participation of the Europol staff in the team, including the information on the rules on liability.

Europol staff may, within the limits provided by the laws of the Member States in which a joint investigation team is operating, assist in all activities and exchanges of information with all members of the joint investigation team.

2a.        Europol staff participating in the joint investigation team may, in accordance with this Regulation, provide all members of the team with necessary information processed by Europol for the purposes set out in Article 24(1). Europol shall at the same time inform the National Units of the Member States represented in the team as well as those of the Member States which provided the information.

2b.       Information obtained by Europol staff while part of the joint investigation team may, with the consent and under the responsibility of the Member State which provided the information, be processed by Europol for the purposes set out in Article 24 (1), under the conditions laid down in this Regulation.
Where Europol has reasons to believe that setting up a joint investigation team would add value to an investigation, it may propose this to the Member States concerned and take measures to assist them in setting up the joint investigation team.

Article 8b Requests by Europol for the initiation of criminal investigations

In specific cases where Europol considers that a criminal investigation should be initiated into a crime falling within its objectives, it shall request the competent authorities of the Member States concerned via the National Units to initiate, conduct or coordinate such a criminal investigation.

3. The National Units shall inform Europol without delay of the decision of the competent authorities of the Member States concerning any request made pursuant to paragraph 1.
4. If the competent authorities of the Member States concerned decide not to proceed with a request made by Europol pursuant to paragraph 1, they shall inform Europol of the reasons for their decision, without undue delay, preferably within one month of the receipt of the request. However, the reasons may be withheld if giving them would:

(a)        be contrary to the essential interests of the Member State’s security; or
(b)        jeopardise the success of current investigations or the safety of individuals.

5. Europol shall immediately inform Eurojust of any requests made pursuant to paragraph 1 and of any decision of a competent authority of a Member State pursuant to paragraph 3.

Article 7 Europol National Units

The Member States and Europol shall cooperate with each other in the fulfilment of their tasks set out in this Regulation.

Each Member State shall establish or designate a National Unit which shall be the liaison body between Europol and the competent authorities of that Member State. An official shall be appointed by each Member State as the head of the National Unit.

3. Each Member State shall ensure that under national law its National Unit is able to fulfil the tasks set out in this Regulation, in particular that they have access to national law enforcement data and other relevant data necessary for cooperation with Europol.

3a.        Each Member State shall determine the organisation and the staff of the National Unit according to its national legislation.

4. In accordance with paragraph 2, the national unit shall be the liaison body between Europol and the competent authorities of the Member States. However, subject to conditions determined by Member States, including prior involvement of the National Unit, the Member States may allow direct contacts between their competent authorities and Europol. The National Unit shall at the same time receive from Europol any information exchanged in the course of direct contacts between Europol and the competent authorities, unless the National Unit indicates that it does not need to receive such information.

The Member States shall, via their National Unit or, subject to paragraph 4, a competent authority, in particular:
(a)        supply Europol with the information necessary for it to fulfil its objectives, including with information relating to forms of crime that are considered a priority by the Union;
(b)        ensure effective communication and cooperation of all relevant competent authorities of the Member States with Europol;
(c)        raise awareness of Europol’s activities.
(cc)      in accordance with Article 41(4)(a), ensure compliance with national law when supplying information to Europol.
5a.        Without prejudice to Member States discharging the responsibilities incumbent upon them with regard to the maintenance of law and order and the safeguarding of internal security, Member States shall not in any particular case be obliged to supply information in accordance with paragraph 5(a) that would:
(a)        be contrary to the essential interests of the Member State’s security;
(b)        jeopardise the success of a current investigation or the safety of individuals; or
(c)        disclose information relating to organisations or specific intelligence activities in the field of national security.
Information shall be supplied as soon as it no longer falls under points (a), (b) or (c) of the first sub-paragraph.
5b.       The Member States shall ensure that their Financial Intelligence Units established pursuant to Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing[17] are allowed to cooperate with Europol via their National Unit regarding analyses, within the limits of their mandate and competence.
The heads of National Units shall meet on a regular basis, in particular to discuss and resolve problems that occur in the context of their operational cooperation with Europol.

8. The costs incurred by National Units in communications with Europol shall be borne by the Member States and, with the exception of the costs of connection, shall not be charged to Europol.
9. Europol shall draw up an annual report on the information provided by each Member State pursuant to paragraph 5(a) on the basis of the quantitative and qualitative evaluation criteria defined by the Management Board. The annual report shall be sent to the European Parliament, the Council, the Commission and national Parliaments.

Article 8 Liaison officers

1. Each National Unit shall designate at least one liaison officer to Europol. Except as otherwise laid down in this Regulation, liaison officers shall be subject to the national law of the designating Member State.

Liaison officers shall constitute the national liaison bureaux at Europol and shall be instructed by their National Units to represent the interests of the latter within Europol in accordance with the national law of the designating Member State and the provisions applicable to the administration of Europol.

Liaison officers shall assist in the exchange of information between Europol and their Member States.

4. Liaison officers shall assist in the exchange of information between their Member States and the liaison officers of other Member States, third countries and international organisations in accordance with national law. Europol’s infrastructure may be used, in line with national law, for such bilateral exchanges also to cover crimes outside the objectives of Europol. The Management Board shall determine the rights and obligations of liaison officers in relation to Europol. All such exchanges of information shall be in accordance with applicable Union and national law.
5. Liaison officers shall enjoy the privileges and immunities necessary for the performance of their tasks in accordance with Article 65(2).
6. Europol shall ensure that liaison officers are fully informed of and associated with all of its activities, insofar as this is necessary for the performance of their tasks.
7. Europol shall cover the costs of providing Member States with the necessary premises in the Europol building and adequate support for liaison officers to carry out their duties. All other costs that arise in connection with the designation of liaison officers shall be borne by the designating Member State, including the costs of equipment for liaison officers, unless the budgetary authority decides otherwise on the recommendation of the Management Board.

Chapter III (DELETED)

Chapter IV ORGANISATION OF EUROPOL

Article 12 Administrative and management structure of Europol

The administrative and management structure of Europol shall comprise:
(a)        Management Board;
(b)        an Executive Director;
(d)        if appropriate, any other advisory body established by the Management Board in accordance with Article 14(1)(p);

SECTION 1 MANAGEMENT BOARD

Article 13 Composition of the Management Board

1. The Management Board shall be composed of one representative from each Member State and one representative of the Commission, all with voting rights.
2. The members of the Management Board shall be appointed taking into account their knowledge of law enforcement cooperation.
3. Each member of the Management Board shall have an alternate member who shall be appointed taking into account the criterion set out in paragraph 2. The alternate member shall represent the member in the member’s absence.

The principle of a balanced representation between men and women on the Management Board shall also be taken into account.

5. Without prejudice to the Member States’ and Commission’s right to terminate the mandate of members and alternate members, their term of office shall be four years. That term shall be extendable.

Article 14 Functions of the Management Board

1. The Management Board shall:

(a)        adopt each year, by a majority of two-thirds of members and in accordance with Article 15, a programming document containing Europol’s multiannual programming and the annual work programme for the following year;
(c)        adopt, by a majority of two thirds of its members, the annual budget of Europol and exercise other functions in respect of Europol’s budget pursuant to Chapter XI;
(d)        adopt a consolidated annual activity report on Europol’s activities and, by 1 July of the following year, send it to the European Parliament, the Council, the Commission, the Court of Auditors and national Parliaments. The consolidated annual activity report shall be made public;
(e)        adopt the financial rules applicable to Europol in accordance with Article 63;
(na)      adopt an internal anti-fraud strategy, proportionate to fraud risks, taking into account the costs and benefits of the measures to be implemented;
(nb)      adopt rules for the prevention and management of conflicts of interest in respect of its members, including in relation to their declaration of interests;
(i)         in accordance with paragraph 2, exercise, with respect to the staff of Europol, the powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude a Contract of Employment (‘the appointing authority powers’);
(j)         adopt appropriate implementing rules giving effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110 of the Staff Regulations;
(ja)       adopt internal rules regarding the selection procedure of the Executive Director, including the rules on the composition of the selection committee ensuring its independence and impartiality;
(k)        propose to the Council a shortlist of candidates for the post of the Executive Director and Deputy Executive Directors and where relevant propose to the Council to extend their term of office or remove them from the office in accordance with Articles 56 and 57;
(l)         establish performance indicators and oversee the Executive Director’s performance, including the implementation of Management Board decisions;
(la)       appoint a Data Protection Officer, who shall be functionally independent in the performance of his/her duties;
(m)       appoint an Accounting Officer, subject to the Staff Regulations and the Conditions of Employment of Other Servants, who shall be functionally independent in the performance of his/her duties;
(ma)     establish, where appropriate, an internal audit capability;
(o)        ensure adequate follow-up to findings and recommendations stemming from the internal or external audit reports and evaluations, as well as from investigations of the European Anti-fraud Office (OLAF) and the European Data Protection Supervisor (EDPS);
(ob)      define the evaluation criteria for the annual report in accordance with Article 7(10);
(oc)      adopt guidelines further specifying the procedures for processing of information by Europol in accordance with Article 24, and, after having consulted the European Data Protection Supervisor;
(od)      decide upon the conclusion of working and administrative arrangements in accordance with Article 29(2b) and Article 31(1);
(p)        decide, taking into consideration both business and financial requirements, upon the establishment of Europol’s internal structures, including Union centres referred to in Article 4(1)(l), upon the proposal of the Executive Director;
(q)        adopt its rules of procedure, including provisions concerning the tasks and the functioning of its secretariat;
(qa)      adopt, where appropriate, other internal rules.
1a.        If the Management Board considers it necessary for the performance of Europol’s tasks, it may suggest to the Council to draw the attention of the Commission to the need for an adequacy decision as referred to in Article 31(1)(a) or for a recommendation for a decision authorising the opening of negotiations of an international agreement as referred to in Article 31(1)(b).

2. The Management Board shall adopt, in accordance with Article 110 of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants delegating the relevant appointing authority powers to the Executive Director and defining the conditions under which such delegation of powers may be suspended. The Executive Director shall be authorised to sub-delegate those powers.

Where exceptional circumstances so require, the Management Board may, by way of a decision, temporarily suspend the delegation of the appointing authority powers to the Executive Director and those sub-delegated by the latter and exercise them itself or delegate those powers to one of its members or to a staff member other than the Executive Director.

Article 15 Annual and multi-annual programming

1. The Management Board shall adopt the programming document containing the multiannual programming and the annual work programme the latest by 30 November each year, based on a draft put forward by the Executive Director, taking into account the opinion of the Commission and in relation to the multiannual programming after consulting the JPSG. The programming document shall be forwarded to the JPSG, the Council and the Commission.
2. The annual work programme shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multi-annual programming referred to in paragraphs 1 and 1a. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year.
3. The Management Board shall amend the adopted annual work programme if a new task is given to Europol.

Any substantial amendment to the annual work programme shall be adopted by the same procedure as the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.
1a.        The multi-annual programming shall set out overall strategic programming including objectives, expected results and performance indicators. It shall also set out resource planning including multi-annual budget and staff. It shall include the strategy for relations with third countries or international organisations.
The multi-annual programming shall be implemented through annual work programmes and shall, where appropriate, be updated following the outcome of external and internal evaluations. The conclusion of these evaluations shall also be reflected, where appropriate, in the annual work programme for the following year.

Article 16 Chairperson of the Management Board

1. The Management Board shall elect a Chairperson and a Deputy Chairperson from within the group of three Member States who have jointly prepared the Council’s eighteen-month programme. They shall serve for the eighteen-month period corresponding to that Council programme.

1b.       The Chairperson and the Deputy Chairperson shall be elected by a majority of two-thirds of the members of the Management Board.
The Deputy Chairperson shall automatically replace the Chairperson if he/she is prevented from attending to his/her duties.
(second subparagraph of paragraph 1) If, however, their membership of the Management Board ends at any time during their term of office as Chairperson or Deputy Chairperson, their term of office shall automatically expire on that date.

Article 17 Meetings of the Management Board

1. The Chairperson shall convene the meetings of the Management Board.
2. The Executive Director of Europol shall take part in the deliberations.
3. The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative of its Chairperson or at the request of the Commission or at the request of at least one-third of its members.
4. The Management Board may invite any person whose opinion may be relevant for the discussion including, where appropriate, a representative of the JPSG, to attend its meeting as a non-voting observer.
5. Advisers or experts may assist the members or the alternate members of the Management Board, subject to the provisions of its Rules of Procedure.
6. Europol shall provide the secretariat for the Management Board.

Article 18 Voting rules

1. Without prejudice to Articles 14(1)(a) and (c), Article 16(1b), Article 52(2), Article 56(8) and Article 66, the Management Board shall take decisions by a majority of members.
2. Each member shall have one vote. In the absence of a voting member, his/her alternate shall be entitled to exercise his/her right to vote.
3. The Executive Director shall not take part in voting.
4. The Management Board’s rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member, and any quorum requirements, where necessary.

SECTION 2 EXECUTIVE DIRECTOR

Article 19 Responsibilities of the Executive Director

1. The Executive Director shall manage Europol. He/she shall be accountable to the Management Board.
2. Without prejudice to the powers of the Commission, the Management Board or the Executive Board, the Executive Director shall be independent in the performance of his/her duties and shall neither seek nor take instructions from any government, nor from any other body.
3. The Council may invite the Executive Director to report on the performance of his/her duties.
4. The Executive Director shall be the legal representative of Europol.
5. The Executive Director shall be responsible for the implementation of the tasks assigned to Europol by this Regulation. In particular, the Executive Director shall be responsible for:

(a)        the day-to-day administration of Europol;
(aa)      making proposals to the Management Board as regards the establishment of Europol’s internal structures;
(b)        implementing decisions adopted by the Management Board;
(c)        preparing the draft annual work programme and multi-annual programming and submitting them to the Management Board after consulting the Commission;
(d)        implementing the annual work programme and the multi-annual programming and reporting to the Management Board on their implementation;
(dd)      preparing appropriate draft implementing rules for giving effect to the Staff Regulations and the Conditions of Employment of Other Servants in accordance with Article 110 of the Staff Regulations;
(e)        preparing the draft consolidated annual report on Europol’s activities and presenting it to the Management Board for adoption;
(f)         preparing an action plan following up conclusions of internal or external audit reports and evaluations, as well as investigation reports and recommendations from investigations by OLAF and EDPS and reporting on progress twice a year to the Commission and regularly to the Management Board;
(g)        protecting the financial interests of the Union by applying preventive measures against fraud, corruption and any other illegal activities and, without prejudice to the investigative competence of OLAF, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;
(h)        preparing a draft internal anti-fraud strategy for Europol and presenting it to the Management Board for adoption;
(ha)      preparing draft internal rules for the prevention and management of conflict of interest in respect of the members of the Management Board and presenting them to the Management Board for adoption;
(i)         preparing draft financial rules applicable to Europol;
(j)         preparing Europol’s draft statement of estimates of revenue and expenditure and implementing its budget;
(l)         supporting the Chairperson of the Management Board in preparing Management Board meetings;
(m)       informing the Management Board on a regular basis regarding the implementation of Union strategic and operational priorities for fighting crime;
(n)        performing other tasks stemming from this Regulation.

Chapter V PROCESSING OF INFORMATION

Article 23 Sources of information

1. Europol shall only process information that has been provided to it:

(a)        by Member States in accordance with their national law and Article 7;
(b)        by Union bodies, third countries and international organisations in accordance with Chapter VI;
(c)        by private parties and private persons in accordance with Chapter VI.

2. Europol may directly retrieve and process information, including personal data, from publicly available sources, including the internet and public data.
3. In so far as Europol is entitled under Union, international or national legal instruments to gain computerised access to data from information systems of national, Union or international nature Europol may retrieve and process information, including personal data, by such means if that is necessary for the performance of its tasks. The applicable provisions of such Union, international or national legal instruments shall govern the access to and use of that information by Europol insofar as they provide for stricter rules on access and use than those of this Regulation. The access to such information systems shall be granted only to duly authorised staff of Europol as far as this is necessary and proportionate for the performance of their tasks.

Article 24 Purposes of information processing activities

1. In so far as necessary for the achievement of its objectives as laid down in Article 3, Europol may process information, including personal data.

1a.        Personal data may be processed only for the purposes of:
(a)        cross-checking aimed at identifying connections or other relevant links between information related to:
(i)         persons who are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent, or who have been convicted for such an offence,
(ii)        persons regarding whom there are factual indications or reasonable grounds to believe that they will commit criminal offences in respect of which Europol is competent;
(b)        analyses of a strategic or thematic nature;
(c)        operational analyses;
(d)        facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organisations.
1b.       Processing for the purpose of operational analyses as referred to in point (c) of paragraph 1a shall be performed by means of operational analysis projects, for which the following specific safeguards shall apply:
(i)         for every operational analysis project, the Executive Director shall define the specific purpose, categories of personal data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use and shall inform the Management Board and the European Data Protection Supervisor thereof;
(ii)        personal data may only be collected and processed for the purpose of the specified operational analysis project. Where it becomes apparent that personal data may be relevant for another operational analysis project, further processing of that personal data shall only be permitted in so far as further processing is necessary and proportionate and the personal data are compatible with the provisions set out in subparagraph (i) that apply to the other analysis project;
(iii)       only authorised staff may access and process the data of the relevant project.
1c.        The processing as referred to in paragraph 1a and 1b shall be carried out in compliance with the data protection safeguards provided for in this Regulation. Europol shall duly document those processing operations. The documentation shall be made available, at request, to the Data Protection Officer and to the European Data Protection Supervisor for the purpose of verifying the lawfulness of the processing operations.

2. Categories of personal data and categories of data subjects whose data may be collected and processed for each purpose referred to under paragraph1a are listed in Annex 2.

2a.        Europol may temporarily process data for the purpose of determining whether such data are relevant to its tasks and for which of the purposes referred to under paragraph 1a. The Management Board, acting on a proposal from the Director and after consulting the European Data Protection Supervisor, shall further specify the conditions relating to the processing of such data, in particular with respect to access to and the use of the data, as well as time limits for the storage and deletion of the data that may not exceed six months, having due regard to the principles referred to in Article 34.
2b.       The Management Board, after having consulted the European Data Protection Supervisor, shall, as appropriate, adopt guidelines further specifying procedures for processing of information for the purposes listed in paragraph 1a in accordance with Article 14(1)(oc).

Article 25 Determination of the purpose of, and restrictions on, the processing of information by Europol

1. A Member State, a Union body, a third country or an international organisation providing information to Europol shall determine the purpose or the purposes for which it shall be processed as referred to in Article 24. If it has not done so, Europol in agreement with the provider of information concerned shall process the information in order to determine the relevance of such information as well as the purpose or the purposes for which it shall be further processed. Europol may process information for a different purpose than the one for which information has been provided only if authorised by the provider of the information.
2. Member States, Union bodies, third countries and international organisations may indicate, at the moment of providing the information, any restriction on access or use, in general or specific terms, including as regards transfer, erasure or destruction. Where the need for such restrictions becomes apparent after the provision of information, they shall inform Europol accordingly. Europol shall comply with such restrictions.
3. In duly justified cases Europol may assign restrictions to access or use by Member States, Union bodies, third countries and international organisations of information retrieved from publicly-available sources.

Article 26 Access by Member States and Europol’s staff to information stored by Europol

1. Member States shall in accordance with national law and Article 7(4) have access to and be able to search all information which has been provided for the purposes of Article 24(1)(a) and (b), without prejudice to the right for Member States, Union bodies and third countries and international organisations to indicate any restrictions in accordance with Article 25(2).
2. Member States shall in accordance with national law and Article 7(4) have indirect access on the basis of a hit/no hit system to information provided for the purposes of Article 24(1)(c), without prejudice to any restrictions indicated by the Member States, Union bodies and third countries or international organisations providing the information, in accordance with Article 25(2). In the case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the provider of the information to Europol.

2a.        In accordance with national law information referred to in paragraphs 1 and 2 shall be accessed and further processed by Member States only for the purpose of preventing and combating:
(i)         forms of crime in respect of which Europol is competent, and
(ii)        other forms of serious crime, as set out in the Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant.

3. Europol staff duly empowered by the Executive Director shall have access to information processed by Europol to the extent required for the performance of their duties and without prejudice to Article 69.

Article 27 Access by Eurojust and OLAF to information stored by Europol

1. Europol shall take all appropriate measures to enable Eurojust and the European Anti-Fraud Office (OLAF), within their respective mandates, to have indirect access on the basis of a hit/no hit system to information provided for the purposes under Article 24(1) (a), (b) and (c), without prejudice to any restrictions indicated by the providing Member States, Union bodies and third countries or international organisations, in accordance with Article 25(2). In case of a hit, Europol shall initiate the procedure by which the information that generated the hit may be shared, in accordance with the decision of the provider of the information to Europol and only to the extent that the data generating the hit are necessary for the performance of Eurojust’s or OLAF’s tasks respectively.

2a.        Europol and Eurojust may conclude a working arrangement ensuring in a reciprocal manner within their respective mandates, the access to and the possibility to search all information that has been provided for the purpose of Article 24(1)(a), without prejudice to the right for Member States, Union bodies and third countries and international organisations to indicate restrictions to the access and use of such data and in accordance with data protection guarantees provided for in this Regulation.

3. Searches of information in accordance with paragraphs 2 and 2a shall be made only for the purpose of identifying whether information available at Eurojust or OLAF, respectively, matches with information processed at Europol.
4. Europol shall allow searches in accordance with paragraphs 2 and 2a only after obtaining from Eurojust information about which National Members, Deputies, Assistants, as well as Eurojust staff members, and from OLAF information about which staff members, have been designated as authorised to perform such searches.
5. If during Europol’s information processing activities in respect of an individual investigation, Europol or a Member State identifies the necessity for coordination, cooperation or support in accordance with the mandate of Eurojust or OLAF, Europol shall notify them thereof and shall initiate the procedure for sharing the information, in accordance with the decision of the Member State providing the information. In such a case Eurojust or OLAF shall consult with Europol.
6. Eurojust, including the College, the National Members, Deputies, Assistants, as well as Eurojust staff members, and OLAF, shall respect any restriction to access or use, in general or specific terms, indicated by Member States, Union bodies, third countries and international organisations in accordance with Article 25(2).

6a.        Europol, Eurojust and OLAF shall inform each other if, after consultation of each other’s data in accordance with paragraph 2a or as a result of a hit in accordance with paragraph 2, there are indications that data may be incorrect or conflicting with other data.

Article 28 Duty to notify Member States

1. Europol, in accordance with its task pursuant to Article 4(1)(b), shall promptly inform a Member State about information concerning it. If such information is subject to access restrictions pursuant to Article 25(2), that would prohibit sharing it, Europol shall consult with the provider of the information stipulating the access restriction and seek its authorisation for sharing.

Without an explicit authorisation, the information shall not be shared.

2. Irrespective of any access restrictions, Europol shall inform a Member State about information concerning it if this is absolutely necessary in the interest of preventing an imminent threat to life.

In such a case, Europol shall at the same time inform the provider of the information of sharing this information and justify its analysis of the situation.

Chapter VI  RELATIONS WITH PARTNERS

SECTION 1 COMMON PROVISIONS

Article 29 Common provisions

1. In so far as necessary for the performance of its tasks, Europol may establish and maintain cooperative relations with the Union bodies in accordance with the objectives of those bodies, the authorities of third countries, international organisations and private parties.
2. In so far as relevant to the performance of its tasks and subject to any restriction stipulated pursuant to Article 25(2) and Article 69, Europol may directly exchange all information, with the exception of personal data, with entities referred to in paragraph 1.

2a.        The Executive Director shall inform the Management Board about any regular cooperative relations it intends to establish and maintain in line with paragraphs 1 and 2 and about the development of such relations once established.
2b.       For the purposes set out in paragraphs 1 and 2, Europol may conclude working arrangements with entities referred to in paragraph 1. Those working arrangements shall not allow the exchange of personal data and shall not bind the Union or its Member States.

3. Europol may receive and process personal data from entities referred to in paragraph 1 in so far as necessary and proportionate for the legitimate performance of its tasks and subject to the provisions of this Chapter.
4. Without prejudice to Article 36 (5), personal data shall only be transferred by Europol to Union bodies, third countries and international organisations, if this is necessary for preventing and combating crime that falls under Europol’s objectives and in accordance with this Regulation and if the recipient gives an undertaking that the data will be processed only for the purpose for which they were transferred. If the data to be transferred have been provided by a Member State, Europol shall seek that Member State’s consent, unless the Member State has granted its prior authorisation to such onward transfer, either in general terms or subject to specific conditions. Such consent may be withdrawn at any moment.
5. Onward transfers of personal data held by Europol by Member States, Union bodies, third countries and international organisations shall be prohibited unless Europol has given its prior explicit authorisation.

5a.        Europol shall ensure that detailed records of all transfers of personal data and their grounds are recorded in accordance with this Regulation.
5b.       Any information which has clearly been obtained in obvious violation of human rights shall not be processed.

SECTION 2 TRANSFER AND EXCHANGE OF PERSONAL DATA

Article 30 Transfer of personal data to Union bodies

Subject to any possible restrictions stipulated pursuant to Article 25(2) or (3) and Article 69 Europol may directly transfer personal data to Union bodies in so far as it is necessary for the performance of its tasks or those of the recipient Union body.

Article 31Transfer of personal data to third countries and international organisations

1. Subject to any possible restrictions stipulated pursuant to Article 25(2) or (3) and Article 69 Europol may transfer personal data to an authority of a third country or to an international organisation, in so far as this is necessary for it to perform its tasks, on the basis of:

(a)        a decision of the Commission adopted in accordance with Article 34 of [Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data[18]] that the third country or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection (adequacy decision); or
(b)        an international agreement concluded between the Union and that third country or international organisation pursuant to Article 218 of the Treaty adducing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals; or
(c)        a cooperation agreement allowing for the exchange of personal data concluded between Europol and that third country or international organisation in accordance with Article 23 of Decision 2009/371/JHA prior to the date of application of this Regulation.
Europol may conclude administrative arrangements to implement such agreements or adequacy decisions.
The Executive Director shall inform the Management Board about the exchange of personal data on the basis of adequacy decisions.
1a.        Europol shall publish on its website and keep up to date a list of adequacy decisions, agreements, administrative arrangements and other instruments relating to the transfer of personal data in accordance with paragraph 1.
1b.       Within five years after the entry into force of this Regulation, the Commission shall assess the provisions contained in the cooperation agreements referred to in Article 31(1)(c), in particular on data protection. The Commission shall inform the European Parliament and the Council about the outcome of this assessment, and, if appropriate, may submit to the Council a recommendation for a decision authorising the opening of negotiations of international agreements referred to in Article 31(1)(b).

2. By way of derogation from paragraph 1, the Executive Director may authorise the transfer of personal data to third countries or international organisations on a case-by-case basis if:

(aa)      the transfer is necessary in order to protect the vital interests of the data subject or another person; or
(bb)      the transfer is necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides; or
(cc)      the transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third country; or
(dd)      the transfer is necessary in individual cases for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions; or
(ee)      the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal sanction.
Personal data shall not be transferred if the Executive Director determines that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer set out in points (d) and (e).
Derogations may not be applicable to systematic, massive or structural transfers.
3a.        By way of derogation from paragraph 1, the Management Board may, in agreement with the European Data Protection Supervisor, authorise a set of transfers in conformity with paragraph 2, points (aa) to (ee), taking into account the existence of adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, for a period not exceeding one year, renewable. Such authorisation shall be duly justified and documented.

3. The Executive Director shall as soon as possible inform the Management Board and the European Data Protection Supervisor of cases where he/she applied paragraph 2.

3b.       Europol shall keep detailed records of all transfers under this Article.

Article 32 Exchanges of personal data with private parties

1. In so far as necessary for Europol to perform its tasks, Europol may process personal data from private parties on condition that they are received via:

(a)        a National Unit of a Member State in accordance with national law;
(b)        the contact point of a third country or an international organisation with which Europol has concluded a cooperation agreement allowing for the exchange of personal data in accordance with Article 23 of the Decision 2009/371/JHA prior to date of application of this Regulation; or
(c)        an authority of a third country or an international organisation which is subject to an adequacy decision as referred to in Article 31(1)(a) or with which the Union has concluded an international agreement pursuant to Article 218 of the Treaty.
1a.        In cases where Europol nonetheless receives personal data directly from private parties and where the National Unit, contact point or authority concerned referred to in paragraph 1 cannot be identified, Europol may process that personal data solely for the purpose of identifying these entities. Subsequently, the personal data shall be forwarded immediately to the National Unit, contact point or authority concerned and shall be deleted unless the National Unit, contact point or authority concerned resubmits that personal data in accordance with Article 25(1) within four months after the transfer takes place. Europol shall ensure by technical means that during that period such data shall not be accessible for processing for any other purpose.
1aa.      Following the transfer of personal data in accordance with paragraph (1c)(c), Europol may in connection thereto receive personal data directly from private parties which that private party declares is legally allowed to transmit according to the applicable law in order to process such data for the performance of the task set out in Article 4(1)(m).
1b.       If Europol receives personal data from a private party in a third country with which there is no agreement, either concluded on the basis of Article 23 of Decision 2009/371/JHA or on the basis of Article 218 of the Treaty or which is not subject to an adequacy decision as referred to in Article 31(1)(a), Europol may forward that information only to a Member State, or a third country concerned with which such agreement has been concluded.
1c.        Europol may not transfer personal data to private parties except where, on a case-by-case basis where strictly necessary and subject to any possible restrictions stipulated pursuant to Article 25(2) or (3) and Article 69:
(a)        the transfer is undoubtedly in the interests of the data subject and either the data subject has consented or circumstances are such as to allow a clear presumption of such a consent; or
(b)        the transfer is absolutely necessary in the interests of preventing the imminent perpetration of a crime, including terrorism, for which Europol is competent.
(c)        the transfer of personal data, which is publicly available, is strictly necessary for the performance of the task set out in Article 4(1)(m) and the following conditions are fulfilled:
(i)         the transfer concerns individual and specific cases; and
(ii)        no fundamentals rights and freedoms of the data subjects concerned override the public interest necessitating the transfer in the case at hand.
With regard to points (a) and (b) above, if the private party concerned is not established within the Union or in a country with which Europol has a cooperation agreement allowing for the exchange of personal data or with which the EU has concluded an international agreement pursuant to Article 218 of the Treaty or which is subject to an adequacy decision as referred to in Article 31(1)(a), the transfer shall only be authorised if:
(aa)      the transfer is necessary in order to protect the vital interests of the data subject or another person; or
(bb)      the transfer is necessary to safeguard legitimate interests of the data subject; or
(cc)      the transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third country; or
(dd)      the transfer is necessary in individual cases for the purposes of prevention, investigation, detection or prosecution of criminal offences for which Europol is competent; or
(ee)      the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence for which Europol is competent.
Europol shall ensure that detailed records of all the transfers of personal data and the grounds of such transfers are recorded in accordance with this Regulation, and communicated on request to the European Data Protection Supervisor pursuant to Article 43.

2. If the personal data received or to be transferred affect the interests of a Member State, Europol shall immediately inform the National Unit of the Member State concerned.
3. Europol shall not contact private parties to retrieve personal data.
4. The Commission shall evaluate the practice of direct exchanges of personal data with private parties within two years after this Regulation is applicable.

Article 33 Information from private persons

1. In so far as necessary for Europol to perform its tasks, Europol may receive and process information originating from private persons. Personal data originating from private persons may only be processed by Europol on condition that they are received via:

(a)        a National Unit of a Member State in accordance with national law;
(b)        the contact point of a third country or an international organisation with which Europol has concluded a cooperation agreement allowing for the exchange of personal data in accordance with Article 23 of the Decision 2009/371/JHA prior to the date of application of this Regulation; or
(c)        an authority of a third country or an international organisation which is subject to an adequacy decision as referred to in Article 31(1)(a) or with which the European Union has concluded an international agreement pursuant to Article 218 of the Treaty.

2. If Europol receives information, including personal data, from a private person residing in a third country with which there is no international agreement, either concluded on the basis of Article 23 of Decision 2009/371/JHA or on the basis of Article 218 of the Treaty or which is not subject to an adequacy decision as referred to in Article 31(1)(a), Europol may only forward that information to a Member State or a third country concerned with which such an international agreement has been concluded.

2a.        If the personal data received affect the interests of a Member State, Europol shall immediately inform the National Unit of the Member State concerned.

3. Europol shall not contact private persons to retrieve information..
4. Without prejudice to Articles 39 and 40, Europol may not transfer personal data to private persons.

Chapter VII DATA PROTECTION SAFEGUARDS

Article 34 General data protection principles

Personal data shall be:
(a)        processed fairly and lawfully;
(b)        collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing of personal data for historical, statistical or scientific research purposes shall not be considered incompatible provided that Europol provides appropriate safeguards, in particular to ensure that data are not processed for any other purposes;
(c)        adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
(d)        accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e)        kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed;
(f)         processed in a manner that ensures appropriate security of personal data.
1a.        Europol shall make publicly available a document setting out in an intelligible form the provisions regarding the processing of personal data and the means available for the exercise of the rights of data subjects.

Article 35 Assessment of reliability and accuracy of information

1. The reliability of the source of information originating from a Member State shall be assessed as far as possible by the providing Member State using the following source evaluation codes:

(A): where there is no doubt as to the authenticity, trustworthiness and competence of the source, or if the information is provided by a source which has proved to be reliable in all instances;
(B): where the information is provided by a source which has in most instances proved to be reliable;
(C): where the information is provided by a source which has in most instances proved to be unreliable;
(X): where the reliability of the source cannot be assessed.

2. The accuracy of information originating from a Member State shall be assessed as far as possible using the following information evaluation codes:

(1): information the accuracy of which is not in doubt;
(2): information known personally to the source but not known personally to the official passing it on;
(3): information not known personally to the source but corroborated by other information already recorded;
(4): information not known personally to the source and cannot be corroborated.

3. Where Europol, on the basis of information already in its possession, comes to the conclusion that the assessment needs to be corrected, it shall inform the Member State concerned and seek to agree on an amendment to the assessment. Europol shall not change the assessment without such agreement.
4. Where Europol receives information from a Member State without an assessment, Europol shall attempt to assess the reliability of the source or the accuracy of information on the basis of information already in its possession. The assessment of specific data and information shall take place in agreement with the supplying Member State. A Member State may also agree with Europol in general terms on the assessment of specified types of data and specified sources. If no agreement is reached in a specific case, or no agreement in general terms exists, Europol shall evaluate the information or data and shall attribute to such information or data the evaluation codes (X) and (4), referred to in paragraphs 1 and 2.

5. Where Europol receives data or information from a Union body, third country, international organisation or a private party, this Article shall apply accordingly.
6. Information from publicly-available sources shall be assessed by Europol using the evaluation codes set out in paragraphs 1 and 2.
7. Where information is the result of an analysis made by Europol in the performance of its tasks, Europol shall assess such information in accordance with this Article, and in agreement with the Member States participating in the analysis.

Article 36 Processing of special categories of personal data and of different categories of data subjects

1. Processing of personal data on victims of a criminal offence, witnesses or other persons who can provide information on criminal offences, or on persons under the age of 18 shall be allowed if it is strictly necessary and proportionate for preventing or combating crime that falls under Europol’s objectives.
2. Processing of personal data, by automated or other means, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and of genetic data or data concerning health or sex life shall be prohibited, unless when it is strictly necessary and proportionate for preventing or combating crime that falls under Europol’s objectives and if those data supplement other personal data processed by Europol. The selection of a particular group of persons solely on the basis of such personal data shall be prohibited.
3. Only Europol shall have direct access to personal data referred to in paragraphs 1 and 2. The Executive Director shall duly authorise a limited number of officials who would have such access, if this is necessary for the performance of their tasks.
4. No decision by a competent authority which produces adverse legal effects concerning a data subject shall be based solely on automated processing of data referred to in paragraph 2, unless the decision is expressly authorised pursuant to national or Union legislation.
5. Personal data referred to in paragraphs 1 and 2 shall not be transmitted to Member States, Union bodies, third countries or international organisations unless strictly necessary and proportionate in individual cases concerning crime that falls under Europol’s objectives and in accordance with Chapter VI.
6. Every year Europol shall provide a statistical overview of all personal data referred to in paragraph 2 processed by it to the European Data Protection Supervisor.

Article 37 Time-limits for the storage and erasure of personal data

1. Personal data processed by Europol shall be stored by Europol only as long as necessary and proportionate for the purposes for which the data are processed.
2. Europol shall in any case review the need for continued storage no later than three years after the start of initial processing of personal data. Europol may decide on the continued storage of personal data until the following review, which shall take place after another period of three years, if continued storage is still necessary for the performance of Europol’s tasks. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the continued storage of personal data, that data shall be erased automatically after three years.
3. If personal data referred to in Article 36(1) and (2) are stored for a period exceeding five years, the European Data Protection Supervisor shall be informed accordingly.
4. Where a Member State, a Union body, a third country or an international organisation has indicated any restriction as regards the earlier erasure or destruction of the personal data at the moment of transfer in accordance with Article 25(2), Europol shall erase the personal data in accordance with those restrictions. If continued storage of the data is deemed necessary for Europol to perform its tasks, based on information that is more extensive than that possessed by the data provider, Europol shall request the authorisation of the data provider to continue storing the data and present a justification for such a request.
5. Where a Member State, a Union body, a third country or an international organisation erases from its own data files data provided to Europol, it shall inform Europol accordingly. Europol shall erase the data unless the continued storage of the data is deemed necessary for Europol to perform its tasks, based on information that is more extensive than that possessed by the data provider. Europol shall inform the data provider of the continued storage of such data and present a justification of such continued storage.
6. Personal data shall not be erased if:

(a)        this would damage the interests of a data subject who requires protection. In such cases, the data shall be used only with the express and written consent of the data subject.
(b)        their accuracy is contested by the data subject, for a period enabling Member States or Europol, where appropriate, to verify the accuracy of the data;
(c)        the personal data have to be maintained for purposes of proof or for the establishment, exercise or defence of legal claims;
(d)        the data subject opposes their erasure and requests the restriction of their use instead.

Article 38 Security of processing

1. Europol shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss or unauthorised disclosure, alteration and access or any other unauthorised form of processing.
2. In respect of automated data processing, Europol and each Member State shall implement measures designed to:

(a)        deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access control);
(b)        prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(c)        prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
(d)        prevent the use of automated data-processing systems by unauthorised persons using data-communication equipment (user control);
(e)        ensure that persons authorised to use an automated data-processing system have access only to data covered by their access authorisation (data access control);
(f)         ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted using data communication equipment (communication control);
(g)        ensure that it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control);
(ga)      ensure that it is possible to verify and establish what data have been accessed by which member of personnel and at what time (access log);
(h)        prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during the transportation of data media (transport control);
(i)         ensure that installed systems may, in the event of interruption, be restored immediately (recovery);
(j)         ensure that the functions of the system perform without fault, that the occurrence of faults in the functions is immediately reported (reliability) and that stored data cannot be corrupted by system malfunctions (integrity).

3. Europol and Member States shall define mechanisms to ensure that security needs are taken on board across information system boundaries.

Article 38a Data protection by design

Europol shall implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and protect the rights of the data subjects.

Article 38b Notification of a personal data breach to the authorities concerned

1. In the case of a personal data breach, Europol shall notify, without undue delay the personal data breach to the European Data Protection Supervisor as well as the competent authorities of the Member States, in accordance with the conditions laid down in Article 7(4), and the provider of the data concerned.
2. The notification referred to in paragraph 1 shall at least:

(a)        describe the nature of the personal data breach including, where possible and appropriate, the categories and number of data subjects concerned and the categories and number of data records concerned;
(b)        describe the likely consequences of the personal data breach;
(c)        describe the measures proposed or taken by Europol to address the personal data breach.
(d)        where appropriate, recommend measures to mitigate the possible adverse effects of the personal data breach;

3. Europol shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken, enabling the European Data Protection Supervisor to verify compliance with this Article.

Article 38c Communication of a personal data breach to the data subject

1. Subject to paragraphs 3 and 3b, where a personal data breach referred to in Article 38b is likely to severely adversely affect the rights and freedoms of the data subject, Europol shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject concerned referred to in paragraph 1 shall describe the nature of the personal data breach, where possible, recommend measures to mitigate the possible adverse effects of the personal data breach, and contain the identity and contact details of the data protection officer referred to in Article 44.

2a.        In case Europol does not have the contact details of the data subject concerned, it shall request the provider of the data to communicate the personal data breach to the data subject concerned and inform Europol about the decision taken. Member States providing the data shall communicate the breach to the data subject concerned in accordance with the procedures of their national law.

3. The communication of a personal data breach to the data subject shall not be required if:

(a)        Europol has implemented appropriate technological protection measures, and that those measures were applied to the personal data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it; or
(b)        Europol has taken subsequent measures which ensure that the data subjects’ rights and freedoms are no longer likely to be severely affected; or
(c)        it would involve disproportionate effort, in particular owing to the number of cases involved. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. The communication to the data subject may be delayed, restricted or omitted where it is a necessary measure with due regard for the legitimate interests of the person concerned:

(a)        to avoid obstructing official or legal inquiries, investigations or procedures;
(b)        to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties;
(c)        to protect public and national security;
(d)        protect the rights and freedoms of third parties.

Article 39 Right of access for the data subject

1. Any data subject shall have the right, at reasonable intervals, to obtain information on whether personal data relating to him/her are processed by Europol.

3a.        Without prejudice to paragraph 4, Europol shall provide the following information to the data subject:
(a)        confirmation as to whether or not data related to him/her are being processed;
(b)        information at least as to the purposes of the processing operation, the categories of data concerned, and the recipients or the categories of recipients to whom the data are disclosed;
(c)        communication in an intelligible form of the data undergoing processing and of any available information as to their sources.
(ca)      an indication of the legal basis for processing the data;
(d)        the envisaged period for which the personal data will be stored;
(e)        the existence of the right to request from Europol rectification, erasure or restriction of processing of personal data concerning the data subject.

2. Any data subject wishing to exercise the right of access to personal data relating to him/her may make a request to that effect without excessive costs to the authority appointed for this purpose in the Member State of his/her choice. That authority shall refer the request to Europol without delay and in any case within one month of receipt. Europol shall confirm receipt of the request.
3. Europol shall answer the request without undue delay and in any case within three months of the receipt by Europol of the request from the national authority.
4. Europol shall consult the competent authorities of the Member States, in accordance with the conditions laid down in Article 7(4), and the provider of the data concerned on a decision to be taken. A decision on access to data shall be conditional on close cooperation between Europol and the Member States and the provider of the data directly concerned by the access of the data subject to such data. If a Member State or the provider of the data objects to Europol’s proposed response, it shall notify Europol of the reasons for its objection in line with paragraph 5. Europol shall take utmost account of any such objection. Europol shall subsequently notify the competent authorities concerned, in accordance with the conditions laid down in Article 7(4), and the provider of the data of the content of Europol’s decision.
5. The provision of information in response to any requests under paragraph 1 may be refused or restricted if such a refusal or restriction constitutes a necessary measure to:

(a)        enable Europol to fulfil its tasks properly;
(b)        protect security and public order or to prevent crime;
(c)        guarantee that any national investigation will not be jeopardised; or
(d)        protect the rights and freedoms of third parties.
When the applicability of an exemption is assessed, the fundamental rights and interests of the person concerned shall be taken into account.

6. Europol shall inform the data subject in writing on any refusal or restriction of access, on the reasons for such a decision and of his right to lodge a complaint to the European Data Protection Supervisor. Where the provision of such information would deprive the restriction imposed by paragraph 5 of its effect, Europol shall only notify the data subject concerned that it has carried out the checks without giving any information which might reveal to him/her whether or not personal data concerning him/her are processed by Europol.

Article 40 Right to rectification, erasure and blocking

1. Any data subject having accessed personal data concerning him or her processed by Europol in accordance with Article 39 of this Regulation shall have the right to ask Europol through the authority appointed for this purpose in the Member State of his/her choice to rectify personal data relating to him/her held by Europol if they are incorrect and to complete or update them. That authority shall refer the request to Europol without delay and in any case within one month of receipt.
2. Any data subject having accessed personal data concerning him or her processed by Europol in accordance with Article 39 of this Regulation shall have the right to ask Europol through the authority appointed for this purpose in the Member State of his/her choice to erase personal data relating to him/her held by Europol, if they are no longer required for the purposes for which they are collected or are further processed. That authority shall refer the request to Europol without delay and in any case within one month of receipt.
3. Personal data shall be blocked rather than erased if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Blocked data shall be processed only for the purpose that prevented their erasure.
4. If data as described in paragraphs 1, 2 and 3 held by Europol have been provided to it by third countries, international organisations, Union bodies, directly provided by private parties or have been retrieved by Europol from publicly-available sources or are the results of Europol’s own analyses, Europol shall rectify, erase or block such data and inform, where appropriate, the providers of the data.
5. If data as described in paragraphs 1, 2 and 3 held by Europol have been provided to Europol by Member States, the Member States concerned shall rectify, erase or block such data in collaboration with Europol within their respective competences.
6. If incorrect data were transferred by another appropriate means or if the errors in the data provided by Member States are due to faulty transfer or transfer in breach of this Regulation or if they result from data being input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or erase the data in collaboration with the provider of the data concerned.
7. In the cases referred to in paragraphs 4, 5 and 6 all addressees of such data shall be notified forthwith. In accordance with rules applicable to them, the addressees shall then rectify, erase or block these data in their systems.
8. Europol shall inform the data subject in writing without undue delay and in any case within three months of receipt of the request that data concerning him/her have been rectified, erased or blocked.
9. Europol shall inform the data subject in writing within three months of receipt of the request on any refusal of rectification, of erasure or blocking, the reasons for such a decision and of the possibility of lodging a complaint with the European Data Protection Supervisor and seeking a judicial remedy.

Article 41 Responsibility in data protection matters

1. Europol shall store personal data in a way that ensures that its source according to Article 23 can be established.
2. The responsibility for the quality of personal data as referred to in Article 34(d) shall lie with the Member State and the Union body which provided the personal data to Europol and with Europol for personal data provided by third countries, international organisations or directly provided by private parties, as well as for personal data retrieved by Europol from publicly-available sources or which result from Europol’s own analyses and for data stored by Europol in accordance with Article 37(5).

2a.        If Europol becomes aware that personal data provided pursuant to Article 23(1)(a) and (b) are factually incorrect or have been unlawfully stored, it shall inform the provider of that data accordingly.

3. The responsibility for compliance with the principles as specified in Article 34(a), (b), (c), (e) and (f) shall lie with Europol.
4. The responsibility for the legality of transfer shall lie:

(a)        with the Member State which provided the data in the case of personal data provided by the Member States to Europol; and
(b)        with Europol in the cases of personal data provided by Europol to Member States, and third countries or international organisations.

5. In case of a transfer between Europol and a Union body, the responsibility for the legality of the transfer shall lie with Europol. Without prejudice to the preceding sentence, where the data are transferred by Europol following a request from the recipient, both Europol and recipient shall bear the responsibility for the legality of this transfer.
6. Europol shall be responsible for all data processing operations carried out by it with the exception of the bilateral exchange of data using Europol’s infrastructure between Member States, Union bodies, third countries and international organisations to which Europol has no access. Such exchange shall take place under the responsibility of the concerned entities and in accordance with their law. The security of such exchange shall be ensured in accordance with Article 38.

Article 42 Prior consultation

1. Any new type of processing operations to be carried out shall be the subject to prior consultation where:

(a)        special categories of data referred to in Article 36(2) are to be processed;
(b)        the type of processing, in particular using new technologies, mechanisms or procedures, holds otherwise specific risks for the fundamental rights and freedoms, and in particular the protection of personal data, of data subjects.

2. The prior consultation shall be carried out by the European Data Protection Supervisor following receipt of a notification from the Data Protection Officer that shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate the compliance with the provisions in this Regulation, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
3. The European Data Protection Supervisor shall deliver his/her opinion to the Management Board within two months following receipt of the notification. This period may be suspended until the European Data Protection Supervisor has obtained any further information that he/she may have requested.

If the opinion has not been delivered after 4 months it shall be deemed to be favourable.

If the opinion of the European Data Protection Supervisor is that the notified processing may involve a breach of any provision of this Regulation, he/she shall where appropriate make proposals to avoid such breach. Where Europol does not modify the processing operation accordingly, the European Data Protection Supervisor may exercise the powers granted to him/her under Article 46(3).

4. The European Data Protection Supervisor shall keep a register of all processing operations have been notified to him/her pursuant to paragraph 1. This register shall not be made public.

Article 43 Logging and documentation

1. For the purposes of verifying the lawfulness of data processing, self-monitoring and ensuring proper data integrity and security Europol shall keep records of collection, alteration, access, disclosure, combination or erasure of personal data. Such logs or documentation shall be deleted after three years, unless the data which they contain are further required for on-going control. There shall be no possibility to modify the logs.
2. Logs or documentation prepared under paragraph 1 shall be communicated on request to the European Data Protection Supervisor, the Data Protection Officer and, if required for a specific investigation, to the National Unit concerned. That information shall only be used for the control of data protection and ensuring proper data processing as well as data integrity and security.

Article 44 Data Protection Officer

1. The Management Board shall appoint a Data Protection Officer who shall be a member of the staff. In the performance of his/her duties, he/she shall act independently.
2. The Data Protection Officer shall be selected on the basis of his/her personal and professional qualities and, in particular, the expert knowledge of data protection.
3. In selecting the Data Protection Officer, it shall be ensured that no conflict of interests may result from his/her duty as Data Protection Officer and any other official duties, in particular those relating to the application of the provisions of this Regulation.
4. The Data Protection Officer shall be appointed for a term of four years. He/she shall be eligible for reappointment up to a maximum total term of eight years. He/she may be dismissed from the function of Data Protection Officer by the Management Board only with the consent of the European Data Protection Supervisor, if he/she no longer fulfills the conditions required for the performance of his/her duties.
5. After his/her appointment the Data Protection Officer shall be registered with the European Data Protection Supervisor by the Management Board.
6. With respect to the performance of his/her duties, the Data Protection Officer may not receive any instructions.
7. The Data Protection Officer shall in particular have the following tasks with regard to personal data, with the exception of administrative personal data:

(a)        ensuring, in an independent manner, the internal application of the provisions of this Regulation concerning the processing of personal data;
(b)        ensuring that a record of the transfer and receipt of personal data is kept in accordance with this Regulation;
(c)        ensuring that data subjects are informed of their rights under this Regulation at their request;
(d)        cooperating with Europol staff responsible for procedures, training and advice on data processing;
(e)        cooperating with the European Data Protection Supervisor;
(f)         preparing an annual report and communicating that report to the Management Board and to the European Data Protection Supervisor.
(fc)       keeping a register of personal data breaches.

8. Moreover, the Data Protection Officer shall carry out the functions foreseen by Regulation (EC) No 45/2001 with regard to administrative personal data.
9. In the performance of his/her tasks, the Data Protection Officer shall have access to all the data processed by Europol and to all Europol premises.
10. If the Data Protection Officer considers that the provisions of this Regulation concerning the processing of personal data have not been complied with, he/she shall inform the Executive Director, requiring him/her to resolve the non-compliance within a specified time. If the Executive Director does not resolve the non-compliance of the processing within the time specified, the Data Protection Officer shall inform the Management Board and they shall agree a specified time for a response. If the Management Board does not resolve the non-compliance of the processing within the time specified, the Data Protection Officer shall refer the matter to the European Data Protection Supervisor.
11. The Management Board shall adopt implementing rules concerning the Data Protection Officer. Those implementing rules shall in particular concern the selection procedure for the position of the Data Protection Officer and his/her dismissal, tasks, duties and powers and safeguards for independence of the Data Protection Officer. Europol shall provide the Data Protection Officer with the staff and resources necessary for him/her to carry out his/her duties. These staff members shall have access to all the data processed at Europol and to Europol premises only to the extent necessary for the performance of their tasks.
12. The Data Protection Officer and his/her staff shall be bound by the obligation of confidentiality in accordance with Article 69.

Article 45 Supervision by the national supervisory authority

1. Each Member State shall designate a national supervisory authority with the task of monitoring independently, in accordance with its national law, the permissibility of the transfer, the retrieval and any communication to Europol of personal data by the Member State concerned and to examine whether such transfer, retrieval or communication violates the rights of the data subject. For this purpose, the national supervisory authority shall have access, at the National Unit or at liaison officers’ premises, to data submitted by its Member State to Europol in accordance with the relevant national procedures and to logs and documentation referred to in Article 43.
2. For the purpose of exercising their supervisory function, national supervisory authorities shall have access to the offices and documents of their respective liaison officers at Europol.
3. National supervisory authorities shall, in accordance with the relevant national procedures, supervise the activities of National Units and the activities of liaison officers, in so far as such activities are of relevance to the protection of personal data. They shall also keep the European Data Protection Supervisor informed of any actions they take with respect to Europol.
4. Any person shall have the right to request the national supervisory authority to verify that the transfer or communication to Europol of data concerning him/her in any form and the access to the data by the Member State concerned are lawful. This right shall be exercised in accordance with the national law of the Member State in which the request is made.

Article 46 Supervision by the European Data Protection Supervisor

1. The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this Regulation relating to the protection of fundamental rights and freedoms of natural persons with regard to processing of personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of personal data. To this end, he/ she shall fulfil the duties set out in paragraph 2, and shall exercise the powers granted in paragraph 3 while closely cooperating with the national supervisory authorities in accordance with Article 47.
2. The European Data Protection Supervisor shall have the following duties under this Regulation:

(a)        hear and investigate complaints, and inform the data subject of the outcome within a reasonable period;
(b)        conduct inquiries either on his/her own initiative or on the basis of a complaint, and inform the data subjects of the outcome within a reasonable period;
(c)        monitor and ensure the application of the provisions of this Regulation and any other Union act relating to the protection of natural persons with regard to the processing of personal data by Europol;
(d)        advise Europol, either on his/her own initiative or in response to a consultation, on all matters concerning the processing of personal data, in particular before it draws up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of personal data;
 
(f)         keep a register of new type of processing operations notified to him/her by virtue of Article 42(1) and registered in accordance with 42(4),
(g)        carry out a prior consultation on processing notified to him/her.

3. The European Data Protection Supervisor may under this Regulation:

(a)        give advice to data subjects in the exercise of their rights;
(b)        refer the matter to Europol in the event of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;
(c)        order that requests to exercise certain rights in relation to data be complied with where such requests have been refused in breach of Articles 39 and 40;
(d)        warn or admonish Europol;
(e)        order Europol to carry out the rectification, blocking, erasure or destruction of personal data which have been processed in breach of the provisions governing the processing of personal data and the notification of such actions to third parties to whom such data have been disclosed;
(f)         impose a temporary or definitive ban on those processing operations by Europol in breach of the provisions governing the processing of personal data;
(g)        refer the matter to Europol and, if necessary, to the European Parliament, the Council and the Commission;
(h)        refer the matter to the Court of Justice of the European Union under the conditions provided for in the Treaty;
(i)         intervene in actions brought before the Court of Justice of the European Union.

4. The European Data Protection Supervisor shall have the power:

(a)        to obtain from Europol access to all personal data and to all information necessary for his/her enquiries;
(b)        to obtain access to any premises in which Europol carries on its activities when there are reasonable grounds for presuming that an activity covered by this Regulation is being carried out there.

5. The European Data Protection Supervisor shall draw up an annual report on the supervisory activities on Europol after having consulted the national supervisory authorities. This report shall be part of the annual report of the European Data Protection Supervisor referred to in Article 48 of Regulation (EC) No 45/2001.

This report shall include statistical information regarding complaints, inquiries, and investigations, carried out in line with paragraph 2, as well as regarding the transfers of personal data to third countries and international organisations, cases of prior consultation, and the use of the powers referred to in paragraph 3.

6. Members and staff of the European Data Protection Supervisor shall be bound by the obligation of confidentiality in accordance with Article 69.

Article 47 Cooperation between the European Data Protection Supervisor and national data protection supervisory authorities

1. The European Data Protection Supervisor shall act in close cooperation with national supervisory authorities on issues requiring national involvement, in particular if the European Data Protection Supervisor or a national supervisory authority finds major discrepancies between the practices of Member States or potentially unlawful transfer in the use of Europol’s channels for exchange of information, or in the context of questions raised by one or more national supervisory authorities on the implementation and interpretation of this Regulation.
2. The European Data Protection Supervisor shall use the expertise and experience of national supervisory authorities in carrying out his/her duties set out in Article 46(2). In carrying out joint inspections together with the European Data Protection Supervisor, members and staff of national supervisory authorities shall, taken due account of the principle of subsidiarity and proportionality, have equivalent powers as those laid down in Article 46(4) and be bound by an equivalent obligation as that laid down in Article 46(6). The European Data Protection Supervisor and the national supervisory authorities shall, each acting within the scope of their respective competences, exchange relevant information and assist each other in carrying out audits and inspections.

2a.        The European Data Protection Supervisor shall keep national supervisory authorities fully informed of all issues directly affecting or otherwise relevant to them. Upon request of one or more national supervisory authorities, the European Data Protection Supervisor shall inform them on specific issues.
2b.       In cases relating to data originating from one or several Member States, including in cases referred to in Article 49(2), the European Data Protection Supervisor shall consult the national supervisory authorities concerned. The European Data Protection Supervisor shall not decide on further action to be taken before those national supervisory authorities have informed the European Data Protection Supervisor of their position, within a deadline specified by him/her which shall not be shorter than one month and not longer than three months. The European Data Protection Supervisor shall take utmost account of the position of the national supervisory authorities concerned. In cases where the European Data Protection Supervisor intends not to follow their position, he/she shall inform them, provide a justification and submit the matter to the Cooperation Board referred to in paragraph 3 for discussion.

In cases which the European Data Protection Supervisor deems to be extremely urgent, he/she may decide to take immediate action. In such cases, the European Data Protection Supervisor shall immediately inform the national supervisory authorities concerned and justify the urgent nature of the situation as well as the action he/she has taken.

3. A Cooperation Board with an advisory function is hereby set up. The Cooperation Board shall be composed of a representative of a national supervisory authority of each Member State and of the European Data Protection Supervisor. It shall meet, where needed and at least twice a year. It may issue opinions, guidelines, recommendations and best practices.

5.         The Cooperation Board shall act independently when performing its tasks pursuant to paragraph 6 and shall neither seek nor take instructions from anybody.

6. The Cooperation Board shall have the following tasks:

– discuss general policy and strategy on data protection supervision of Europol and the permissibility of the transfer, the retrieval and any communication to Europol of personal data by the Member States;
– examine difficulties of interpretation or application of this Regulation;
(c)        study general problems relating to the exercise of independent supervision or the exercise of the rights of data subjects;
(d)        discuss and draw up harmonised proposals for joint solutions on matters referred to in paragraph 1;
(e)        discuss cases submitted by the European Data Protection Supervisor in accordance with paragraph 2b;
(f)         discuss cases submitted by any national supervisory authority; and
(g)        promote awareness of data protection rights.

7. Without prejudice to their independence, the European Data Protection Supervisor and the national supervisory authorities shall, each acting within the scope of their respective competences, take utmost account of the opinions, guidelines, recommendations and best practices agreed by the Cooperation Board.
8. The costs and servicing of the meetings of the Cooperation Board shall be borne by the European Data Protection Supervisor.
9. Rules of procedure of the Cooperation Board shall be adopted at the first meeting by the simple majority of its members. Further working methods shall be developed jointly as necessary.

Article 48 Administrative personal data

Regulation (EC) No 45/2001 shall apply to all administrative personal data held by Europol.

Chapter VIII REMEDIES AND LIABILITY

Article 49 Right to lodge a complaint with the European Data Protection Supervisor

1. Any data subject shall have the right to lodge a complaint with the European Data Protection Supervisor, if he/she considers that the processing by Europol of personal data relating to him/her does not comply with the provisions of this Regulation.
2. Where a complaint relates to a decision as referred to in Article 39 or 40, the European Data Protection Supervisor shall consult the national supervisory authorities in the Member State that was the source of the data or the Member State directly concerned. The decision of the European Data Protection Supervisor, which may extend to a refusal to communicate any information, shall be taken taking into account the opinion of the national supervisory authority.
3. Where a complaint relates to the processing of data provided by a Member State to Europol, the European Data Protection Supervisor and the national supervisory authority of the Member State that provided the data, shall, each acting within the scope of their respective competences, ensure that the necessary checks on the lawfulness of the processing of the data have been carried out correctly.
4. Where a complaint relates to the processing of data provided to Europol by Union bodies, third countries or international organisations, or data retrieved by Europol from publicly-available sources or which result from Europol’s own analyses the European Data Protection Supervisor shall ensure that Europol has correctly carried out the necessary checks on the lawfulness of the processing of the data.

Article 50 Right to a judicial remedy against the European Data Protection Supervisor

Actions against the decisions of the European Data Protection Supervisor shall be brought before the Court of Justice of the European Union.

Article 51 General provisions on liability and the right to compensation

1. Europol’s contractual liability shall be governed by the law applicable to the contract in question.
2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause in a contract concluded by Europol.
3. Without prejudice to Article 52, in the case of non-contractual liability, Europol shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.
4. The Court of Justice of the European Union shall have jurisdiction in disputes over compensation for damages referred to in paragraph 3.
5. The personal liability of Europol staff towards Europol shall be governed by the provisions laid down in the Staff Regulations or Conditions of Employment applicable to them.

Article 52 Liability for incorrect personal data processing and the right to compensation

1. Any individual who has suffered damage as a result of an unlawful data processing operation shall have the right to receive compensation for damage suffered either from Europol in accordance with Article 340 of the Treaty, or from the Member State in which the event that gave rise to the damage occurred, in accordance with its national law. The individual shall bring an action against Europol to the Court of Justice of the European Union or against the Member State to a competent national court of this Member State.
2. Any dispute between Europol and Member States over the ultimate responsibility for compensation awarded to an individual in accordance with paragraph 1 shall be referred to the Management Board, which shall decide by a majority of two-third of its members, without prejudice of the right to challenge this decision in accordance with Article 263 of the Treaty.

Chapter IX JOINT PARLIAMENTARY SCRUTINY

Article 53 Joint Parliamentary scrutiny

1. Pursuant to Article 88 TFEU the scrutiny of Europol’s activities shall be carried out by the European Parliament together with national Parliaments. This shall constitute a specialised Joint Parliamentary Scrutiny Group (JPSG) established together by the national parliaments and the competent committee of the European Parliament. The organisation and the rules of procedure of the JPSG shall be determined together by the European Parliament and the national parliaments in accordance with Article 9 of Protocol No 1 to the TFEU.
2. The JPSG shall politically monitor Europol’s activities in fulfilling its mission, including as regards their impact on the fundamental rights and freedoms of natural persons.

To that end:

1. a) the Chairperson of the Management Board, the Executive Director or their Deputies shall appear before the JPSG at its request to discuss matters relating to the activities mentioned in the first subparagraph of this paragraph, including the budgetary aspects of such activities, the structural organisation of the Agency and the potential establishment of new units and specialised centres, taking into account the obligations of discretion and confidentiality. The Group may decide to invite to its meetings other relevant persons, if appropriate;

(b)        the European Data Protection Supervisor shall appear before the JPSG at its request and at least once per year to discuss general matters relating to the protection of fundamental rights and freedoms of natural persons, and in particular the protection of personal data, with regard to Europol’s activities, taking into account the obligations of discretion and confidentiality.
(c)        The JPSG shall be consulted in relation to the multiannual programming of Europol in accordance with Article 15(1).

3. Europol shall transmit the following documents for information to the JPSG, taking into account the obligations of discretion and confidentiality:

(a)        threat assessments, strategic analyses and general situation reports relating to Europol’s objective as well as the results of studies and evaluations commissioned by Europol;
(b)        the administrative arrangements adopted pursuant to Article 31(1);
(c)        the programming document containing the multiannual programming and the annual work programme of Europol, referred to in Article 15(1);
(d)        the consolidated annual activity report on Europol’s activities, referred to in Article 14(1)(d);
(e)        the evaluation report drawn up by the Commission, referred to in Article 70(1).

4. The JPSG may request other relevant documents necessary for the fulfilment of its tasks relating to the political monitoring of Europol’s activities, subject to Regulation (EC) No 1049/2001[19] and without prejudice to Articles 54 and 69.
5. The JPSG may draw up summary conclusions on the political monitoring of Europol’s activities and submit those conclusions to the European Parliament and national parliaments. The European Parliament shall forward them for information to the Council, the Commission and Europol.

Article 54 Access by the European Parliament to information processed by or through Europol

1. For the purpose of enabling it to exercise parliamentary scrutiny of Europol’s activities in accordance with Article 53, access to sensitive non-classified information processed through or by Europol to the European Parliament upon its request shall be in compliance with the rules referred to in Article 69(1).
2. Access by the European Parliament to European Union Classified Information processed through or by Europol shall be consistent with the Interinstitutional Agreement between the European Parliament and the Council concerning the forwarding to and the handling by the European Parliament of classified information held by the Council on matters other than those in the area of the common foreign and security policy[20] and in compliance with the rules referred to in Article 69(2).
3. The necessary details regarding access by the European Parliament to the information referred to in paragraphs 1 and 2 shall be governed by working arrangements concluded between Europol and the European Parliament.

Chapter X STAFF

Article 55 General provisions

1. The Staff Regulations and the Conditions of Employment of Other Servants and the rules adopted by agreement between the institutions of the Union for giving effect to those Staff Regulations and the conditions of Employment of other Servants shall apply to the staff of Europol with the exception of staff who at the date of application of this Regulation are under contracts concluded by Europol as established by the Europol Convention without prejudice to Article 75(5). Notwithstanding Article 77(1), such contracts shall continue to be governed by Council Act 1999/C 26/07 of 3 December 1998.
2. Europol staff shall consist of temporary staff and/or contract staff. The Management Board shall be informed on a yearly basis in so far as the Director grants contracts of indefinite duration. The Management Board shall decide which temporary posts provided for in the establishment plan can be filled only by staff engaged from the competent authorities of the Member States. Staff recruited to occupy such posts shall be temporary agents and may be awarded only fixed-term contracts renewable once for a fixed period.

Article 56 Executive Director

1. The Executive Director shall be engaged as a temporary agent of Europol under Article 2(a) of the Conditions of Employment of Other servants.
2. The Executive Director shall be appointed by the Council from a shortlist of candidates proposed by the Management Board, following an open and transparent selection procedure.

The shortlist shall be drawn up by a selection committee set up by the Management Board and composed of members designated by Member States and a Commission representative.
For the purpose of concluding the contract with the Executive Director, Europol shall be represented by the Chairperson of the Management Board.
Before appointment, the candidate selected by the Council may be invited to appear before the competent committee of the European Parliament which shall then give its non-binding opinion.

3. The term of office of the Executive Director shall be four years. By the end of that period, the Commission, in association with the Management Board, shall undertake an assessment that takes into account an evaluation of the Executive Director’s performance and Europol’s future tasks and challenges.
4. The Council, acting on a proposal from the Management Board that takes into account the assessment referred to in paragraph 3, may extend the term of office of the Executive Director once, for no more than four years.
5. The Management Board shall inform the European Parliament if it intends to propose to the Council to extend the Executive Director’s term of office. Within the month before any such extension, the Executive Director may be invited to appear before the competent committee of the European Parliament.
6. An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.
7. The Executive Director may be removed from office only upon a decision of the Council acting on a proposal from the Management Board. The European Parliament shall be informed about that decision.
8. The Management Board shall reach decisions regarding the proposals to be made to the Council on appointment, extension of the term of office and removal from office of the Executive Director on the basis of a two-thirds majority of its members with voting rights.

Article 57 Deputy Executive Directors

1. Three Deputy Executive Directors shall assist the Executive Director. The Executive Director shall define their tasks.
2. Article 56 shall apply to the Deputy Executive Directors. The Executive Director shall be consulted prior to their appointment, the extension of their term of office or their removal from office.

Article 58 Seconded national experts

1. Europol may make use of seconded national experts.
2. The Management Board shall adopt a decision laying down rules on the secondment of national experts to Europol.

Chapter XI FINANCIAL PROVISIONS

Article 59 Budget

1. Estimates of all revenue and expenditure for Europol shall be prepared each financial year, corresponding to the calendar year, and shall be shown in Europol’s budget.
2. Europol’s budget shall be balanced in terms of revenue and of expenditure.
3. Without prejudice to other resources, Europol’s revenue shall comprise a contribution from the Union entered in the general budget of the European Union.
4. Europol may benefit from Union funding in the form of delegation agreements or ad-hoc grants in accordance with its financial rules referred to in Article 63 and the provisions of the relevant instruments supporting the policies of the Union.
5. The expenditure of Europol shall include staff remuneration, administrative and infrastructure expenses, and operating costs.
6. Budgetary commitments for actions relating to large scale projects extending over more than one financial year may be broken down over several years into annual instalments.

Article 60 Establishment of the budget

1. Each year the Executive Director shall draw up a draft statement of estimates of Europol’s revenue and expenditure for the following financial year, including the establishment plan, and send it to the Management Board.
2. The Management Board shall, on the basis of that draft, adopt a provisional draft estimate of Europol’s revenue and expenditure for the following financial year. The provisional draft estimate of Europol’s revenue and expenditure shall be sent to the Commission each year by 31 January. The Management Board shall send a final draft estimate, which shall include a draft establishment plan, to the Commission, the European Parliament and the Council by 31 March.
3. The Commission shall send the statement of estimates to the European Parliament and the Council (the budgetary authority) together with the draft general budget of the European Union.
4. On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the European Union the estimates it considers necessary for the establishment plan and the amount of the contribution to be charged to the general budget, which it shall place before the budgetary authority in accordance with Articles 313 and 314 of the Treaty.
5. The budgetary authority shall authorise the appropriations for the contribution to Europol.
6. The budgetary authority shall adopt Europol’s establishment plan.
7. Europol’s budget shall be adopted by the Management Board. It shall become final following final adoption of the general budget of the Union. Where necessary, it shall be adjusted accordingly.
8. For any building projects likely to have significant implications for Europol’s budget, the provisions of Commission Delegated Regulation (EU) No 1271/2013[21] shall apply.

Article 61 Implementation of the budget

1. The Executive Director shall implement Europol’s budget.
2. Each year the Executive Director shall send to the budgetary authority all information relevant to the findings of any evaluation procedures.

Article 62 Presentation of accounts and discharge

1. By 1 March following each financial year, Europol’s accounting officer shall communicate the provisional accounts to the Commission’s accounting officer and to the Court of Auditors.
2. Europol shall send the report on the budgetary and financial management to the European Parliament, the Council and the Court of Auditors by 31 March of the following financial year.
3. By 31 March following each financial year, the Commission’s accounting officer shall send Europol’s provisional accounts consolidated with the Commission’s accounts to the Court of Auditors.
4. On receipt of the Court of Auditors’ observations on Europol’s provisional accounts pursuant to Article 148 of the Financial Regulation, Europol’s accounting officer shall draw up Europol’s final accounts. The Executive Director shall submit them to the Management Board for an opinion.
5. The Management Board shall deliver an opinion on Europol’s final accounts.
6. Europol’s accounting officer shall, by 1 July following each financial year, send the final accounts to the European Parliament, the Council, the Commission, the Court of Auditors and national Parliaments, together with the Management Board’s opinion.
7. The final accounts shall be published in the Official Journal of the European Union by 15 November of the following year.
8. The Executive Director shall send to the Court of Auditors a reply to the observations made in its annual report by 30 September of the following year at the latest. He/she shall also send the reply to the Management Board.
9. The Executive Director shall submit to the European Parliament, at the latter’s request, any information required for the smooth application of the discharge procedure for the financial year in question, as laid down in Article 109(3) of Commission Delegated Regulation (EU) No 1271/2013.
10. On a recommendation from the Council acting by a qualified majority, the European Parliament shall, before 15 May of year N + 2, give a discharge to the Executive Director in respect of the implementation of the budget for year N.

Article 63 Financial rules

1. The financial rules applicable to Europol shall be adopted by the Management Board after consultation with the Commission. They shall not depart from Commission Delegated Regulation (EU) No 1271/2013 unless such a departure is specifically required for Europol’s operation and the Commission has given its prior consent.
2. Europol may award grants related to the fulfilment of tasks as referred to in Article 4.
3. Grants may be awarded without a call for proposals to the Member States for performing their cross-border operations and investigations and for providing training in relation to the tasks referred to Article 4(1)(h) and Article4(1)(i).
4. In respect of the financial support to joint investigation teams’ activities, Europol and Eurojust shall jointly establish the rules and conditions upon which the applications shall be processed.

Chapter XII MISCELLANEOUS PROVISIONS

Article 64 Legal status

1. Europol shall be an agency of the Union. It shall have legal personality.
2. In each of the Member States Europol shall enjoy the most extensive legal capacity accorded to legal persons under their laws. Europol may, in particular, acquire and dispose of movable and immovable property and be a party to legal proceedings.
3. In accordance with Protocol N° 6 on the location of the seats of the institutions and of certain bodies, agencies and departments of the European Union, annexed to the Treaties, Europol shall have its seat in The Hague.

Article 65 Privileges and immunity

1. The Protocol on the Privileges and Immunities of the European Union shall apply to Europol and its staff.
2. Privileges and immunities of liaison officers and members of their families shall be subject to an agreement between the Kingdom of Netherlands and the other Member States. That agreement shall provide for such privileges and immunities as are necessary for the proper performance of the tasks of liaison officers.

Article 66 Language arrangements

1. The provisions laid down in Regulation No 1[22] shall apply to Europol.

1a.        The Management Board shall decide by a majority of two-thirds of its members on the internal language arrangements of Europol.

2. The translation services required for the functioning of Europol shall be provided by the Translation Centre of the bodies of the European Union.

Article 67 Transparency

1. Regulation (EC) No 1049/2001[23] shall apply to documents held by Europol.
2. By six months after the entry into force of this Regulation at the latest, the Management Board shall adopt the detailed rules for applying Regulation (EC) No 1049/2001 with regard to Europol documents.
3. Decisions taken by Europol under Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the Ombudsman or of an action before the Court of Justice of the European Union, under the conditions laid down in Articles 228 and 263 of the Treaty respectively.

3a.        Europol shall publish on its website a list of its Management Board members and the summaries of the outcome of the meetings of the Management Board. The publication of those summaries shall be temporary or permanently omitted or restricted if such publication would risk jeopardising the performance of Europol’s tasks, taking into account its obligations of discretion and confidentiality and the operational character of the agency.

Article 68 Combating fraud

1. In order to facilitate combating fraud, corruption and other unlawful activities under Regulation (EU) No 883/2013, within six months from … [date of application of this Regulation], Europol shall accede to the Interinstitutional Agreement of 25 May 1999 concerning internal investigations by the European Anti-Fraud Office (OLAF)[24] and adopt appropriate provisions applicable to all employees of Europol using the template set out in the Annex to that agreement.
2. The European Court of Auditors shall have the power of audit, on the basis of documents and on the spot, over all grant beneficiaries, contractors and subcontractors who have received Union funds from Europol.
3. OLAF may carry out investigations, including on-the-spot checks and inspections, with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by Europol, in accordance with the provisions and procedures laid down in Regulation (EU) No 883/2013 and Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities.[25]
4. Without prejudice to paragraphs 1, 2 and 3, working arrangements with Union bodies, authorities of third countries, international organisations and private parties, contracts, grant agreements and grant decisions of Europol shall contain provisions expressly empowering the European Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.

Article 69 Rules on the protection of sensitive non-classified and of classified information

1. Europol shall establish rules on the obligations of discretion and confidentiality and on the protection of sensitive non-classified information.
2. Europol shall establish rules on the protection of European Union classified information which shall be consistent with Council Decision 2013/488/EU in order to ensure an equivalent level of protection for such information.

Article 70 Evaluation and review

1. No later than five years after … [date of application of this Regulation], and every five years thereafter, the Commission shall commission an evaluation to assess particularly the impact, effectiveness and efficiency of Europol and its working practices. The evaluation may, in particular, address the possible need to modify the structure, operation, field of action and tasks of Europol, and the financial implications of any such modification.
2. The Commission shall forward the evaluation report to the Management Board, which shall provide its observations on the report within three months from its receipt. The Commission shall forward the final evaluation report with its conclusions, together with the observations of the Management Board in an Annex, to the European Parliament, the Council, the national Parliaments and the Management Board. Where appropriate, the main findings of the evaluation shall be made public.

Article 71 Administrative inquiries

The activities of Europol shall be subject to the inquiries of the European Ombudsman in accordance with Article 228 of the Treaty.

Article 72 Headquarters

1. The necessary arrangements concerning the accommodation to be provided for Europol in the Kingdom of the Netherlands and the facilities to be made available by the Kingdom of the Netherlands together with the specific rules applicable there to the Executive Director, members of the Management Board, Europol’s staff and members of their families shall be laid down in a Headquarters Agreement between Europol and the Kingdom of the Netherlands in line with Protocol N° 6 on the location of the seats of the institutions and of certain bodies, agencies and departments of the European Union, annexed to the Treaties.

Chapter XIII TRANSITIONAL PROVISIONS

Article 73 General legal succession

1. Europol, as established by this Regulation, shall be the general legal successor in respect of all contracts concluded by, liabilities incumbent on, and properties acquired by Europol, as established by Decision 2009/371/JHA.
2. This Regulation shall not affect the legal force of agreements concluded by Europol as established by Decision 2009/371/JHA before … [date of entry into force of this Regulation] or of agreements concluded by Europol as established by the Europol Convention before 1 January 2010.

Article 74 Transitional arrangements concerning the Management Board

2. The term of office of the members of the Management Board of Europol as established on the basis of Article 37 of Decision 2009/371/JHA shall terminate on … [date of application of this Regulation].
3. The Management Board as established on the basis of Article 37 of Decision 2009/371/JHA shall within the period between … [date of entry into force of this Regulation] and … [date of application of this Regulation]:

(a)        exercise the functions of the Management Board as referred to in Article 14 of this Regulation;
(b)        prepare the adoption of the rules for applying Regulation (EC) No 1049/2001 with regard to Europol documents referred to in Article 67 of this Regulation and on the obligations of confidentiality and discretion, and the protection of sensitive and EU classified information referred to in Article 69 of this Regulation;
(c)        prepare any instrument necessary for the application of this Regulation, in particular any measures relating to Chapter V; and
(d)        review the internal rules and measures adopted by the Management Board on the basis of Decision 2009/371/JHA so as to allow the Management Board established pursuant to Article 13 of this Regulation to take a decision pursuant to Article 78(2) thereof.

4. The Commission shall take the measures necessary without delay after … [date of entry into force of this Regulation] to ensure that the Management Board established in accordance with Article 13 starts its work at … [date of application of this Regulation];
5. By … [6 months from the date of entry into force of this Regulation] at the latest the Member States shall notify the Commission of the names of the persons whom they have appointed as member and alternate member of the Management Board, in accordance with Article 13.
6. The Management Board established pursuant to Article 13 of this Regulation shall hold its first meeting on … [date of application of this Regulation]. On that occasion it shall, if necessary, take decisions as referred to in Article 78(2).

Article 75 Transitional arrangements concerning the Executive Director, the Deputy Directors and staff

1. The Director appointed on the basis of Article 38 of Decision 2009/371/JHA shall, for the remaining period of his/her term of office, be assigned to the responsibilities of the Executive Director as provided for in Article 19 of this Regulation. The other conditions of his/her contract remain unchanged. If the term of office ends after … [date of entry into force of this Regulation] but before … [date of application of this Regulation], it shall be extended automatically until one year after … [date of application of this Regulation].
2. Should the Director appointed on the basis of Article 38 of Decision 2009/371/JHA be unwilling or unable to act in accordance with paragraph 1, the Management Board shall designate an interim Executive Director to exercise the duties assigned to the Executive Director for a period not exceeding 18 months, pending the appointments provided for in Article 56.
3. Paragraphs 1 and 2 shall apply to the Deputy Directors appointed on the basis of Article 38 of Decision 2009/371/JHA.
4. In accordance with the Conditions of employment of other servants, the authority referred to in the first paragraph of Article 6 of the Conditions of employment shall offer employment of indefinite duration as a member of temporary or contract staff to any person who at … [the date of application of this Regulation] is employed under a contract of indefinite duration as a local staff member concluded by Europol as established by the Europol Convention. The offer of employment shall be based on the tasks to be performed by the servant as a member of temporary or contract staff. The contract concerned shall take effect at the latest on … [one year after the date of application of this Regulation]. A staff member who does not accept the offer referred to in this paragraph may retain his contractual relationship with Europol in accordance with Article 55(1).

Article 76 Transitional budgetary provisions

2. The discharge procedure in respect of the budgets approved on the basis of Article 42 of Decision 2009/371/JHA shall be carried out in accordance with the rules established by Article 43 of Decision 2009/371/JHA.

Chapter XIV FINAL PROVISIONS

Article 77 Replacement and repeal

1. Decision 2009/371/JHA, Decision 2009/934/JHA, Decision 2009/935/JHA, Decision 2009/936/JHA, and Decision 2009/968/JHA are hereby replaced for the Member States bound by this Regulation with effect from … [date of application of this Regulation].

Therefore, Decision 2009/371/JHA, Decision 2009/934/JHA, Decision 2009/935/JHA, Decision 2009/936/JHA, and Decision 2009/968/JHA are repealed.

2. For the Member States bound by this Regulation, references to the Decisions referred to in paragraph 1 shall be construed as references to this Regulation.

Article 78 Maintenance in force of the internal rules adopted by the Management Board

2. Internal rules and measures adopted by the Management Board on the basis of Decision 2009/371/JHA shall remain in force after … [date of application of this Regulation], unless otherwise decided by the Management Board of Europol in the application of this Regulation.

Article 79 Entry into force and application

1. This Regulation shall enter into force on the 20th day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 1 April 2017.

However, Articles 73, 74 and 75 shall apply from … [date of entry into force of this Regulation].

Done at Brussels,
For the European Parliament      For the Council
The President    The President

ANNEX 1
List of forms of crime referred to in Article 3(1) of this Regulation
– terrorism,
– organised crime,
– drug trafficking,
– money-laundering activities,
– crime connected with nuclear and radioactive substances,
– immigrant smuggling,
– trafficking in human beings,
– motor vehicle crime,
– murder, grievous bodily injury,
– illicit trade in human organs and tissue,
– kidnapping, illegal restraint and hostage taking,
– racism and xenophobia,
– robbery and aggravated theft,
– illicit trafficking in cultural goods, including antiquities and works of art,
– swindling and fraud,
– crime against the financial interests of the Union,
– insider dealing and financial market manipulation,
– racketeering and extortion,
– counterfeiting and product piracy,
– forgery of administrative documents and trafficking therein,
– forgery of money and means of payment,
– computer crime,
– corruption,
– illicit trafficking in arms, ammunition and explosives,
– illicit trafficking in endangered animal species,
– illicit trafficking in endangered plant species and varieties,
– environmental crime, including ship source pollution,
– illicit trafficking in hormonal substances and other growth promoters,
– sexual abuse and sexual exploitation, including child abuse material and solicitation of children for sexual purposes,
– genocide, crimes against humanity and war crimes.

ANNEX 2

Categories of personal data and categories of data subjects whose data may be collected and processed for cross-checking purpose as referred to in Article 24(1a)(a) of this Regulation

1. Personal data collected and processed for cross-checking purposes shall relate to:

(a) persons who, in accordance with the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent or who have been convicted of such an offence;
(b) persons regarding whom there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit criminal offences in respect of which Europol is competent.

2. Data relating to the persons referred to in paragraph 1 may include only the following categories of personal data:

(a) surname, maiden name, given names and any alias or assumed name;
(b) date and place of birth;
(c) nationality;
(d) sex;
(e) place of residence, profession and whereabouts of the person concerned;
(f) social security numbers, driving licences, identification documents and passport data; and
(g) where necessary, other characteristics likely to assist in identification, including any specific objective physical characteristics not subject to change such as dactyloscopic data and DNA profile (established from the non-coding part of DNA).

3. In addition to the data referred to in paragraph 2, following categories of personal data concerning the persons referred to in paragraph 1 may be collected and processed:

(a) criminal offences, alleged criminal offences and when, where and how they were (allegedly) committed;
(b) means which were or may be used to commit those criminal offences including information concerning legal persons;
(c) departments handling the case and their filing references;
(d) suspected membership of a criminal organisation;
(e) convictions, where they relate to criminal offences in respect of which Europol is competent;
(f) inputting party.
These data may be provided to Europol even when they do not yet contain any references to persons.

4. Additional information held by Europol or National Units concerning the persons referred to in paragraph 1 may be communicated to any national unit or Europol should either so request. National units shall do so in compliance with their national law.
5. If proceedings against the person concerned are definitively dropped or if that person is definitively acquitted, the data relating to the case in respect of which either decision has been taken shall be deleted.

Categories of personal data and categories of data subjects whose data may be collected and processed for the purpose of analyses of strategic or other general nature, for the purpose of operational analyses and for the purpose of facilitating the exchange of information (as referred to in Article 24(1a)(b), (c) and (d)) of this Regulation

1. Personal data collected and processed for the purpose of analyses of a strategic or other general nature, operational analyses and for the purpose of facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organisations shall relate to:

(a)        persons who, in accordance with the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent or who have been convicted of such an offence;
(b)        persons regarding whom there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit criminal offences in respect of which Europol is competent.
(c)        persons who might be called on to testify in investigations in connection with the offences under consideration or in subsequent criminal proceedings;
(d)        persons who have been the victims of one of the offences under consideration or with regard to whom certain facts give reason to believe that they could be the victims of such an offence;
(e)        contacts and associates; and
(f)         persons who can provide information on the criminal offences under consideration.

2. The following categories of personal data, including associated administrative data, may be processed on the categories of persons referred to in paragraph 1 point (a) and (b):

(a)        Personal details:
(i)         Present and former surnames;
(ii)        Present and former forenames;
(iii)       Maiden name;
(iv)       Father’s name (where necessary for the purpose of identification);
(v)        Mother’s name (where necessary for the purpose of identification):
(vi)       Sex;
(vii)      Date of birth;
(viii)     Place of birth;
(ix)       Nationality;
(x)        Marital status;
(xi)       Alias;
(xii)      Nickname;
(xiii)     Assumed or false name;
(xiv)     Present and former residence and/or domicile;
(b)        Physical description:
(i)         Physical description;
(ii)        Distinguishing features (marks/scars/tattoos etc.)
(c)        Identification means:
(i)         Identity documents/driving licence;
(ii)        National identity card/passport numbers;
(iii)       National identification number/social security number, if applicable
(iv)       Visual images and other information on appearance
(v)        Forensic identification information such as fingerprints, DNA profile (established from the non-coding part of DNA), voice profile, blood group, dental information
(d)        Occupation and skills:
(i)         Present employment and occupation;
(ii)        Former employment and occupation;
(iii)       Education (school/university/professional);
(iv)       Qualifications;
(v)        Skills and other fields of knowledge (language/other)
(e)        Economic and financial information:
(i)         Financial data (bank accounts and codes, credit cards etc.);
(ii)        Cash assets;
(iii)       Share holdings/other assets;
(iv)       Property data;
(v)        Links with companies;
(vi)       Bank and credit contacts;
(vii)      Tax position;
(viii)     Other information revealing a person’s management of their financial affairs
(f)         Behavioural data:
(i)         Lifestyle (such as living above means) and routine;
(ii)        Movements;
(iii)       Places frequented;
(iv)       Weapons and other dangerous instruments;
(v)        Danger rating;
(vi)       Specific risks such as escape probability, use of double agents, connections with law enforcement personnel;
(vii)      Criminal-related traits and profiles;
(viii)     Drug abuse;
(g)        Contacts and associates, including type and nature of the contact or association;
(h)        Means of communication used, such as telephone (static/mobile), fax, pager, electronic mail, postal addresses, Internet connection(s);
(i)         Means of transport used, such as vehicles, boats, aircraft, including information identifying these means of transport (registration numbers);
(j)         Information relating to criminal conduct:
(i)         Previous convictions;
(ii)        Suspected involvement in criminal activities;
(iii)       Modi operandi;
(iv)       Means which were or may be used to prepare and/or commit crimes;
(v)        Membership of criminal groups/organisations and position in the group/organisation;
(vi)       Role in the criminal organisation;
(vii)      Geographical range of criminal activities;
(viii)     Material gathered in the course of an investigation, such as video and photographic images
(k)        References to other information systems in which information on the person is stored:
(i)         Europol;
(ii)        Police/customs agencies;
(iii)       Other enforcement agencies;
(iv)       International organisations;
(v)        Public entities;
(vi)       Private entities
(l)         Information on legal persons associated with the data referred to in points (e) and (j):
(i)         Designation of the legal person;
(ii)        Location;
(iii)       Date and place of establishment;
(iv)       Administrative registration number;
(v)        Legal form;
(vi)       Capital;
(vii)      Area of activity;
(viii)     National and international subsidiaries;
(ix)       Directors;
(x)        Links with banks.

3. “Contacts and associates”, as referred to in paragraph 1 point (e), are persons through whom there is sufficient reason to believe that information, which relates to the persons referred to in paragraph 1 point (a) and (b) of this Annex and which is relevant for the analysis, can be gained, provided they are not included in one of the categories of persons referred to in paragraphs 1 (a), (b), (c), (d) and (f). “Contacts” are those persons who have sporadic contact with the persons referred to in paragraph 1 point (a) and (b). “Associates” are those persons who have regular contact with the persons referred to in paragraph 1 point (a) and (b).

In relation to contacts and associates, the data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that such data are required for the analysis of the role of such persons as contacts or associates.

In this context, the following shall be observed:

(a)        the relationship of these persons with the persons referred to in paragraph 1 point (a) and (b) shall be clarified as soon as possible;
(b)        if the assumption that a relationship exists between these persons and the persons referred to in paragraph 1 point (a) and (b) turns out to be unfounded, the data shall be deleted without delay;
(c)        if such persons are suspected of committing an offence falling under Europol’s objectives, or have been convicted for such an offence, or if there are factual indications or reasonable grounds under the national law of the Member State concerned to believe that they will commit such an offence, all data pursuant to paragraph 2 may be stored;
(d)        data on contacts and associates of contacts as well as data on contacts and associates of associates shall not be stored, with the exception of data on the type and nature of their contacts or associations with the persons referred to in paragraph 1 point (a) and (b);
(e)        if a clarification pursuant to the previous points is not possible, this shall be taken into account when deciding on the need and the extent of storage for further analysis.

4. With regard to persons who, as referred to in paragraph 1 point (d), have been the victims of one of the offences under consideration or who, certain facts give reason to believe, could be the victims of such an offence, data referred to in paragraph 2 point (a) intent ‘i’ to paragraph 2 (c) intent ‘iii’ of this Annex, as well as the following categories of data, may be stored:

(a)        Victim identification data;
(b)        Reason for victimisation;
(c)        Damage (physical/financial/psychological/other);
(d)        Whether anonymity is to be guaranteed;
(e)        Whether participation in a court hearing is possible;
(f)         Crime-related information provided by or through persons referred to in paragraph 1 point ‘d’, including information on their relationship with other persons, where necessary, to identify the persons referred to in paragraph 1 points ‘a’ and ‘b’
Other data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of a person’s role as victim or potential victim.
Data not required for any further analysis shall be deleted.

5. With regard to persons who, as referred to in paragraph 1 (c), might be called on to testify in investigations in connection with the offences under consideration or in subsequent criminal proceedings, data referred to in paragraph 2 point (a) indent ‘i’ to paragraph 2 (c) indent ‘iii’ of this Annex as well as categories of data complying with the following criteria, may be stored:

(a)        crime-related information provided by such persons, including information on their relationship with other persons included in the analysis work file;
(b)        whether anonymity is to be guaranteed;
(c)        whether protection is to be guaranteed and by whom;
(d)        new identity;
(e)        whether participation in a court hearing is possible.
Other data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of such persons’ role as witnesses.
Data not required for any further analysis shall be deleted.

6. With regard to persons who, as referred to in paragraph 1 point (f), can provide information on the criminal offences under consideration, data referred to in paragraph 2 point (a) indent ‘i’ to paragraph 2 (c) indent ‘iii’ of this Annex may be stored, as well as categories of data complying with the following criteria:

(a)        coded personal details;
(b)        type of information supplied;
(c)        whether anonymity is to be guaranteed;
(d)        whether protection is to be guaranteed and by whom;
(e)        new identity;
(f)         whether participation in court hearing is possible;
(g)        negative experiences;
(h)        rewards (financial/favours).
Other data pursuant to paragraph 2 may be stored as necessary, provided there is reason to assume that they are required for the analysis of such persons’ role as informants.
Data not required for any further analysis shall be deleted.

7. If, at any moment during the course of an analysis, it becomes clear on the basis of serious and corroborating indications that a person should be placed under a different category of persons, as defined in this Annex, from the category in which that person was initially placed, Europol may process only the data on that person which is permitted under that new category, and all other data shall be deleted.

If, on the basis of such indications, it becomes clear that a person should be included in two or more different categories as defined in this Annex, all data allowed under such categories may be processed by Europol.

ANNEX II
 
In relation to Article 47, the Council and the European Parliament make the following statement:
“Creating a harmonised, high level of data protection covering police and judicial activities in the Union is crucial as a means of respecting and safeguarding the fundamental rights of Union citizens. Given the shared responsibilities of the Union and Member States in the area of freedom, security and justice, it is essential that there be close and effective cooperation among supervisory authorities at national and Union level.
The European Parliament and the Council consider that, following the adoption of the proposed General Data Protection Regulation and Data Protection Directive for data processing in the police and justice sector, including the new, soon to be created European Data Protection Board, and in light of the announced review of Regulation (EC) No 45/2001, the different mechanisms for cooperation between the European Data Protection Supervisor and the national supervisory authorities in this field, including the Cooperation Board set up in this Regulation, should in the future be reorganised in such a way as to ensure effectiveness and consistency and avoid unnecessary duplication, without prejudice to the Commission’s right of initiative.”

 

The Commission makes the following statements:
 

1. On the Common Approach to the EU Decentralised Agencies

“The Commission recalls that the agreed text is not fully aligned with the principles of the Common Approach on the EU decentralised agencies. Therefore the agreement reached between the EP and the Council on the governance of the agency is without prejudice to any future legislative texts. The Commission remains convinced of the benefits of establishing an Executive Board as part of the governance structure of Europol and other agencies. The Commission will review the situation concerning Europol governance within the next two years, in particular with a view to determining whether further proposals on this point will be warranted.”
 

2. On the Cooperation Board

“The European Commission consider that, following the adoption of the proposed General Data Protection Regulation and Data Protection Directive for data processing in the police and justice sector and in light of the announced review of Regulation (EC) No 45/2001, to ensure effectiveness and consistency and avoid unnecessary duplication, the functions exercised by Cooperation Board set up in this Regulation shall be exercised by the newly created European Data Protection Board.”
 

NOTES

[1]           Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA, 8229/13 – COM(2013) 173 final.
[2]           OJ L 121, 15.05.2009, p. 37.
[3]           OJ C 316, 27.11.1995, p. 1.
[4]           OJ C 115, 4.5.2010, p. 1.
[5]           Regulation (Euratom, ECSC, EEC) No 549/69 of the Council of 25 March 1969 determining the categories of officials and other servants of the European Communities to whom the provisions of Article 12, the second paragraph of Article 13 and Article 14 of the Protocol on the Privileges and Immunities of the Communities apply (OJ L 74, 27.3.1969, p. 1).
[6]           Council Regulation (EC) No 371/2009 of 27 November 2008 amending Regulation (Euratom, ECSC, EEC) No 549/69 determining the categories of officials and other servants of the European Communities to whom the provisions of Article 12, the second paragraph of Article 13 and Article 14 of the Protocol on the Privileges and Immunities of the Communities apply (OJ L 121, 15.5.2009, p. 1).
[7]           To insert reference to the adopted Directive (Proposal: COM (2013) 48 final).
[8]           Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
[9]           It is assumed that the draft Directive (which is part of the data protection package, doc. 5833/12) will be adopted before the Europol Regulation. If not, a more general reference to Union legislation will be inserted at a later stage and the reference to Convention 108 and Council Framework Decision 2008/977/JHA would be re-inserted here instead of the reference to the Directive.
[10]         OJ L 56, 4.3.1968, p. 1.
[11]         OJ L 362, 31.12.2012, p. 1.
[12]         OJ L 141, 27.05.2011, p. 17.
[13]         Council Act 1999/C 26/07 of 3 December 1998 laying down the staff regulations applicable to Europol employees (OJ C 26, 30.1.1999, p. 23).
[14]         Council Decision 1999/C 364/02 of 2 December 1999 amending the Council Act of 3 December 1998 laying down the staff regulations applicable to Europol employees, with regard to the establishment of remuneration, pensions and other financial entitlements in euro (OJ C 364, 17.12.1999, p. 3).
[15]         Council Decision 2009/371/JHA of 6 April 2009establishing the European Police Office (Europol) (OJ L 121, 15.5.2009, p. 37).
[16]         OJ L 185, 16.07.2005, p. 35.
[17]         OJ L 309, 25.11.2005, p. 15.
[18]         It is assumed that the draft Directive (which is part of the data protection package, doc. 5833/12 and 11624/1/13 REV 1) will be adopted before the Europol Regulation. If not, an equivalent provision to Article 34 of that Directive or a more general reference to Union legislation will be inserted at a later stage: “Union legislation on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”.
[19]         Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
[20]         OJ C 95, 1.4.2014, p.1.
[21]         Commission Delegated Regulation (EU) No 1271/2013 of 30.9.2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328, 7.12.2013, p. 42).
[22]         OJ 17, 6.10.1958, p. 385/58.
[23]         OJ L 145, 31.5.2001, p. 43.
[24]         OJ L 136, 31.5.1999, p. 15.
[25]         OJ L 292, 15.11.1996, p. 2.