We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Protection of personal data processed for the purpose of law enforcement

The specific nature of police and judicial activities requires differentiated rules on the protection of personal data, in order to facilitate the free flow of data and promote co-operation between the member states in these areas. This directive aims to protect the right of individuals to the protection of their personal data while guaranteeing a high level of public security.

In December 2015, the Council and European Parliament reached an agreement on the draft directive.

On 8 April 2016, the Council adopted its position at first reading. The draft directive was then adopted by European Parliament on 14 April 2016.

In detail

This directive applies to both cross-border and national processing of data by member states' competent authorities for the purpose of law enforcement. This includes the prevention, investigation, detection and prosecution of criminal offences, as well as the safeguarding and prevention of threats to public security. It does not cover activities by EU institutions, bodies, offices and agencies, nor activities falling outside the scope of EU law.

Data subject's rights

It sets out a series of principles including the need to ensure that the personal data is processed lawfully, is collected for specific, explicit and legitimate purposes, and is not excessive in relation to the purpose for which it is processed. 

While it includes the obligation for member states to provide understandable information and ensure the person's rights of access, rectification, erasure and restriction of processing, it also sets limitations, allowing member states to adopt legislative measures restricting these rights.

Compliance

It describes the responsibility of the controller. This includes the designation of a data protection officer to help the competent authorities ensure compliance with the data protection rules. Another tool to ensure compliance is the requirement to carry out an assessment of potential impact where a type of processing is likely to result in a high risk.

Monitoring and compensation

The supervisory authorities can be the same as those established under the general data protection regulation. It provides rules on mandatory mutual assistance and a general obligation to cooperate.

It lays down that the European Data Protection Advisory Board shall also perform its tasks for the processing activities covered by this directive.

The new directive will also grant data subjects the right to receive compensation if they have suffered damage as a consequence of  processing that has not respected the rules.

Transfers to a third country

Transfers to a third country can only take place if required for law enforcement purposes and if the Commission has adopted an adequacy decision on the level of protection provided by that country. Where no adequacy decision exists, transfers can take place based on appropriate safeguards. In addition to these possibilities, provision is made for specific circumstances.