
Protection of personal data processed for the purpose of law enforcement

The specific nature of police and judicial activities requires differentiated rules on the protection of personal data, in order to facilitate the free flow of data and promote co-operation between the member states in these areas. This directive aims to protect the right of individuals to the protection of their personal data while guaranteeing a high level of public security.

In December 2015, the Council and the European Parliament reached an agreement on the draft directive.

On 8 April 2016, the Council adopted its position at first reading. The draft directive was then adopted by the European Parliament on 14 April 2016.

In detail

This directive applies to both cross-border and national processing of data by member states' competent authorities for the purpose of law enforcement. This includes the prevention, investigation, detection and prosecution of criminal offences, as well as the safeguarding and prevention of threats to public security. It does not cover activities by EU institutions, bodies, offices and agencies, nor activities falling outside the scope of EU law.

Data subject's rights

It sets out a series of principles including the need to ensure that the personal data is processed lawfully, is collected for specific, explicit and legitimate purposes, and is not excessive in relation to the purpose for which it is processed. 

While it includes the obligation for member states to provide understandable information and ensure the person's rights of access, rectification, erasure and restriction of processing, it also sets limitations, allowing member states to adopt legislative measures restricting these rights.


It describes the responsibility of the controller. This includes the designation of a data protection officer to help the competent authorities ensure compliance with the data protection rules. Another tool to ensure compliance is the requirement to carry out an assessment of potential impact where a type of processing is likely to result in a high risk.

Monitoring and compensation

The supervisory authorities can be the same as those established under the general data protection regulation. It provides rules on mandatory mutual assistance and a general obligation to cooperate.

It lays down that the European Data Protection Advisory Board shall also perform its tasks for the processing activities covered by this directive.

The new directive will also grant data subjects the right to receive compensation if they have suffered damage as a consequence of processing that has not respected the rules.

Transfers to a third country

Transfers to a third country can only take place if required for law enforcement purposes and if the Commission has adopted an adequacy decision on the level of protection provided by that country. Where no adequacy decision exists, transfers can take place based on appropriate safeguards. In addition to these possibilities, provision is made for specific circumstances.

International agreements

In addition to reforming EU data protection rules, the Council adopted in 2010 a mandate for the Commission to negotiate a data protection agreement with the United States (umbrella agreement). This agreement aims at protecting personal data of European citizens transferred between the EU and the US for law enforcement purposes. It will serve as a complement to existing and future agreements.

Negotiations with the US were finalised in September 2015. The US adopted in February 2016 a new law granting EU citizens the right to judicial redress in the US (the Judicial Redress Act). This was a precondition for the signing and conclusion of the umbrella agreement. The next steps for signing and ratification of the agreement have now started.