European Council
Council of the European Union

The directive on protecting personal data processed for the purpose of criminal law enforcement

Archived content
The content on this page is provided for reference purposes only. This content has not been altered or updated since 27/09/2016

The specific nature of police and judicial activities in criminal matters requires differentiated rules on the protection of personal data, in order to facilitate the free flow of data and promote co-operation between the member states in these areas. This directive aims to protect the right of individuals to the protection of their personal data while guaranteeing a high level of public security.

The directive on protecting personal data processed for the purpose of criminal law enforcement entered into force on 5 May 2016. Member states have until 6 May 2018 to translate the directive into national law.

In detail

This proposal applies to both cross-border and national processing of data by member states' competent authorities for the purpose of law enforcement. This includes the prevention, investigation, detection and prosecution of criminal offences, as well as the safeguarding and prevention of threats to public security. It does not cover activities by EU institutions, bodies, offices and agencies, nor activities falling outside the scope of EU law.

Data subject's rights

It sets out a series of principles including the need to ensure that the personal data is processed lawfully, is collected for specific, explicit and legitimate purposes, and is not excessive in relation to the purpose for which it is processed.

While it includes the obligation for member states to provide understandable information and ensure the person's rights of access, rectification, erasure and restriction of processing, it also sets limitations, allowing member states to adopt legislative measures restricting these rights.


It describes the responsibility of the controller. This includes the designation of a data protection officer to help the competent authorities ensure compliance with the data protection rules. Another tool to ensure compliance is the requirement to carry out an assessment of potential impact where a type of processing is likely to result in a high risk.

Monitoring and compensation

The supervisory authorities can be the same as those established under the general data protection regulation. It provides rules on mandatory mutual assistance and a general obligation to cooperate.

It lays down that the European Data Protection Advisory Board shall also perform its tasks for the processing activities covered by this directive.

The new directive would also grant data subjects the right to receive compensation if they have suffered damage as a consequence of  processing that has not respected the rules.

Transfers to a third country

Transfers to a third country can only take place if required for law enforcement purposes and if the Commission has adopted an adequacy decision on the level of protection provided by that country. Where no adequacy decision exists, transfers can take place based on appropriate safeguards. In addition to these possibilities, provision is made for specific circumstances.

Timeline in the Council


6 May

Deadline for member states to translate the directive into national law.


5 May

8 April

Council adopts its position at first reading.


18 December

Council confirms the deal reached with the European Parliament.

9 October

Council agrees on a text and gives the Council presidency a mandate to engage in negotiations with the European Parliament.


25 January

The European Commission presents a proposal for a directive on protecting personal data processed for the purpose of law enforcement.

EU-US umbrella agreement

In addition to reforming EU data protection rules, the Council adopted in 2010 a mandate for the Commission to negotiate a data protection agreement with the United States (umbrella agreement). This agreement aims at protecting personal data of European citizens transferred between the EU and the US for criminal law enforcement purposes but does not allow transfers as such. It will thus serve as a complement to existing and future agreements.

On 2 June 2016, the EU and the US signed the agreement. The European Parliament now needs to give its consent, before the agreement can be finally concluded.