Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’)
This version of this Regulation was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then.
Article 47
1. Personal data shall be:
(a) processed lawfully and fairly (‘lawfulness and fairness’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes provided that the EPPO provides appropriate safeguards for the rights and freedoms of data subjects (‘purpose limitation’);
(c) adequate, relevant, and not excessive in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes provided that the EPPO provides appropriate safeguards for the rights and freedoms of data subjects, in particular by the implementation of the appropriate technical and organisational measures required by this Regulation (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The EPPO shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’) when processing personal data wholly or partly by automated means and when processing other than by automated means personal data which form part of a filing system or are intended to form part of a filing system.
3. Processing by the EPPO for any of the purposes set out in Article 49 other than that for which the operational personal data are collected shall be permitted in so far as:
(a) the EPPO is authorised to process such operational personal data for such a purpose in accordance with this Regulation; and
(b) processing is necessary and proportionate to that other purpose in accordance with Union law; and
(c) where relevant, the use of operational personal data is not prohibited by the applicable national procedural law on the investigative measures taken in accordance with Article 30. The applicable national procedural law is the law of the Member State where the data was obtained.
Article 48
1. Regulation (EC) No 45/2001 applies to all administrative personal data processed by the EPPO.
2. The EPPO shall determine the time limits for the storage of administrative personal data in the data protection provisions of its internal rules of procedure.
Article 49
1. The EPPO shall process operational personal data by automated means or in structured manual files in accordance with this Regulation, and only for the following purposes:
(a) criminal investigations and prosecutions undertaken in accordance with this Regulation; or
(b) information exchange with the competent authorities of Member States of the European Union and other institutions, bodies, offices and agencies of the Union in accordance with this Regulation; or
(c) cooperation with third countries and international organisations in accordance with this Regulation.
2. Categories of operational personal data, and the categories of data subjects whose operational personal data may be processed in the index as referred to in point (b) of Article 44(4) by the EPPO for each purpose referred to in paragraph 1 of this Article shall be listed in an Annex in accordance with paragraph 3.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 115 to list the categories of operational personal data and the categories of data subjects referred to in paragraph 2 of this Article and to update such a list in order to take account of developments in information technology and in the light of the state of progress in the information society.
Where imperative grounds of urgency so require, the procedure provided for in Article 116 shall apply to delegated acts adopted pursuant to this paragraph.
4. The EPPO may temporarily process operational personal data for the purpose of determining whether such data are relevant to its tasks and for the purposes referred to in paragraph 1. The College, acting on a proposal from the European Chief Prosecutor and after consulting the European Data Protection Supervisor, shall further specify the conditions relating to the processing of such operational personal data, in particular with respect to access to and the use of the data, as well as time limits for the storage and deletion of the data.
5. The EPPO shall process operational personal data in such a way that it can be established which authority provided the data or where the data has been retrieved from.
6. When applying Articles 57 to 62, the EPPO shall, where relevant, act in compliance with national procedural law on the obligation to provide information to the data subject and the possibilities to omit, restrict or delay such information. Where appropriate, the handling European Delegated Prosecutor shall consult other European Delegated Prosecutors concerned by the case before taking a decision in respect of Articles 57 to 62.
Article 50
1. The EPPO shall review periodically the need for the storage of the operational personal data processed. At the latest, such a review shall be carried out not later than 3 years after the operational personal data were first processed and then every 3 years. If operational personal data are stored for a period exceeding 5 years, the European Data Protection Supervisor shall be informed of that fact.
2. Operational personal data processed by the EPPO shall not be stored beyond 5 years after an acquitting decision in respect of the case has become final; in case the accused was found guilty, the time limits shall be extended until the penalty that has been imposed is enforced or can no longer be enforced under the law of the sentencing Member State.
3. Before one of the deadlines referred to in paragraph 2 expires, the EPPO shall review the need for the continued storage of the operational personal data where and for as long as this is necessary to perform its tasks. The reasons for the continued storage shall be justified and recorded. If no decision is taken on the continued storage of operational personal data, those data shall be deleted automatically.
Article 51
The EPPO shall, where applicable and as far as possible, make a clear distinction between operational personal data of different categories of data subjects, such as:
(a) persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence;
(b) persons convicted of a criminal offence;
(c) victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that they could be the victim of a criminal offence; and
(d) other parties to a criminal offence, such as persons who might be called upon to testify in investigations in connection with criminal offences or subsequent criminal proceedings, persons who can provide information on criminal offences, or contacts or associates of one of the persons referred to in points (a) and (b).
Article 52
1. The EPPO shall distinguish, as far as possible, operational personal data based on facts from operational personal data based on personal assessments.
2. The EPPO shall take all reasonable steps to ensure that operational personal data which are inaccurate, incomplete or no longer up to date are not transmitted or made available. To that end, the EPPO shall, as far as practicable, verify the quality of operational personal data before they are transmitted or made available. As far as possible, in all transmissions of operational personal data, the EPPO shall add necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of operational personal data, and the extent to which they are up to date.
3. If it emerges that incorrect operational personal data have been transmitted or operational personal data have been unlawfully transmitted, the recipient shall be notified without delay. In such a case, the operational personal data shall be rectified or erased or processing shall be restricted in accordance with Article 61.
Article 53
1. When required by this Regulation, the EPPO shall provide for specific conditions for processing and shall inform the recipient of such operational personal data of those conditions and the requirement to comply with them.
2. The EPPO shall comply with specific processing conditions for processing provided by a national authority in accordance with Article 9(3) and (4) of Directive (EU) 2016/680.
Article 54
1. Subject to any further restrictions pursuant to this Regulation, in particular Article 53, the EPPO shall only transmit operational personal data to another institution, body, office or agency of the Union if the data are necessary for the legitimate performance of tasks covered by the competence of the other institution, body, office or agency of the Union.
2. Where the operational personal data are transmitted following a request from the other institution, body, office or agency of the Union, both the controller and the recipient shall bear the responsibility for the legitimacy of this transfer.
The EPPO shall be required to verify the competence of the other institution, body, office or agency of the Union and to make a provisional evaluation of the necessity for the transmission of the operational personal data. If doubts arise as to this necessity, the EPPO shall seek further information from the recipient.
The other institution, body, office or agency of the Union shall ensure that the necessity for the transmission of the operational personal data can be subsequently verified.
3. The other institution, body, office or agency of the Union shall process the operational personal data only for the purposes for which they were transmitted.
Article 55
1. Processing of operational personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, operational personal data concerning health or operational personal data concerning a natural person’s sex life or sexual orientation shall be allowed only where strictly necessary for the EPPO’s investigations, subject to appropriate safeguards for the rights and freedoms of the data subject and only if they supplement other operational personal data already processed by the EPPO.
2. The Data Protection Officer shall be informed immediately of recourse to this Article.
Article 56
The data subject shall have the right not to be subject to a decision of the EPPO based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
Article 57
1. The EPPO shall take reasonable steps to provide any information referred to in Article 58. It shall make any communication with regard to Articles 56, 59 to 62 and 75 relating to processing to the data subject in a concise, intelligible and easily accessible form, using clear and plain language. The information shall be provided by any appropriate means, including by electronic means. As a general rule, the controller shall provide the information in the same form as the request.
2. The EPPO shall facilitate the exercise of the rights of the data subject under Articles 58 to 62.
3. The EPPO shall inform the data subject in writing about the follow up to his/her request without undue delay, and in any case at the latest 3 months after receipt of the request from the data subject.
4. The EPPO shall provide for the information provided under Article 58 and any communication made or action taken pursuant to Articles 56, 59 to 62 and 75 to be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the EPPO may either:
(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or taking the action requested; or
(b) refuse to act on the request.
The EPPO shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
5. Where the EPPO has reasonable doubts concerning the identity of the natural person making a request referred to in Article 59 or 61, the EPPO may request the provision of additional information necessary to confirm the identity of the data subject.
Article 58
1. The EPPO shall make available to the data subject at least the following information:
(a) the identity and the contact details of the EPPO;
(b) the contact details of the data protection officer;
(c) the purposes of the processing for which the operational personal data are intended;
(d) the right to lodge a complaint with the European Data Protection Supervisor and its contact details;
(e) the existence of the right to request from the EPPO access to and rectification or erasure of operational personal data and restriction of processing of the operational personal data concerning the data subject.
2. In addition to the information referred to in paragraph 1, the EPPO shall give to the data subject, in specific cases, the following further information to enable the exercise of his/her rights:
(a) the legal basis for the processing;
(b) the period for which the operational personal data will be stored, or, where that is not possible, the criteria used to determine that period;
(c) where applicable, the categories of recipients of the operational personal data, including in third countries or international organisations;
(d) where necessary, further information, in particular where the operational personal data are collected without the knowledge of the data subject.
3. The EPPO may delay, restrict or omit the provision of the information to the data subject pursuant to paragraph 2 to the extent that, and for as long as, such a measure constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned, in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security of the Member States of the European Union;
(d) protect national security of the Member States of the European Union;
(e) protect the rights and freedoms of others.
Article 59
The data subject shall have the right to obtain from the EPPO confirmation as to whether or not operational personal data concerning him/her are being processed, and, where that is the case, access to the operational personal data and the following information:
(a) the purposes of and legal basis for the processing;
(b) the categories of operational personal data concerned;
(c) the recipients or categories of recipients to whom the operational personal data have been disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the operational personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the EPPO rectification or erasure of operational personal data or restriction of processing of operational personal data concerning the data subject;
(f) the right to lodge a complaint with the European Data Protection Supervisor and the contact details of the European Data Protection Supervisor;
(g) the communication of the operational personal data undergoing processing and of any available information as to their origin.
Article 60
1. The EPPO may restrict, wholly or partly, the data subject’s right of access to the extent that, and for as long as, such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned, in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security of the Member States of the European Union;
(d) protect national security of the Member States of the European Union;
(e) protect the rights and freedoms of others.
2. Where the provision of such information would undermine the purpose of paragraph 1, the EPPO shall only notify the data subject concerned that it has carried out the checks, without giving any information which might reveal to him/her whether or not operational personal data concerning him/her are processed by the EPPO.
The EPPO shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor or seeking a judicial remedy in the Court of Justice against the EPPO’s decision.
3. The EPPO shall document the factual or legal reasons on which the decision is based. That information shall be made available to the European Data Protection Supervisor on request.
Article 61
1. The data subject shall have the right to obtain from the EPPO without undue delay the rectification of inaccurate operational personal data relating to him/her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete operational personal data completed, including by means of providing a supplementary statement.
2. The EPPO shall erase operational personal data without undue delay and the data subject shall have the right to obtain from the EPPO the erasure of operational personal data concerning him/her without undue delay where processing infringes Article 47, 49 or 55, or where operational personal data must be erased in order to comply with a legal obligation to which the EPPO is subject.
3. Instead of erasure, the EPPO shall restrict processing where:
(a) the accuracy of the operational personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained; or
(b) the operational personal data must be maintained for the purposes of evidence.
Where processing is restricted pursuant to point (a) of the first subparagraph, the EPPO shall inform the data subject before lifting the restriction of processing.
4. Where processing has been restricted under paragraph 3, such operational personal data shall, with the exception of storage, only be processed for the protection of the rights of the data subject or another natural or legal person who is a party to the proceedings of the EPPO, or for the purposes laid down in point (b) of paragraph 3.
5. The EPPO shall inform the data subject in writing of any refusal of rectification or erasure of operational personal data or restriction of processing and of the reasons for the refusal. The EPPO may restrict, wholly or partly, the obligation to provide such information to the extent that such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned in order to:
(a) avoid obstructing official or legal inquiries, investigations or procedures;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security of the Member States of the European Union;
(d) protect national security of the Member States of the European Union;
(e) protect the rights and freedoms of others.
The EPPO shall inform the data subject of the possibility of lodging a complaint with the European Data Protection Supervisor or of seeking a judicial remedy from the Court of Justice against the EPPO’s decision.
6. The EPPO shall communicate the rectification of inaccurate operational personal data to the competent authority from which the inaccurate operational personal data originate.
7. The EPPO shall, where operational personal data have been rectified or erased or processing has been restricted pursuant to paragraphs 1, 2 and 3, notify the recipients and inform them that they have to rectify or erase the operational personal data or restrict processing of the operational personal data under their responsibility.
Article 62
1. In the cases referred to in Articles 58(3), 60(2) and 61(5), the rights of the data subject may also be exercised through the European Data Protection Supervisor.
2. The EPPO shall inform the data subject of the possibility of exercising his/her rights through the European Data Protection Supervisor pursuant to paragraph 1.
3. Where the right referred to in paragraph 1 is exercised, the European Data Protection Supervisor shall inform the data subject at least that all necessary verifications or a review by it have taken place. The European Data Protection Supervisor shall also inform the data subject of his/her right to seek a judicial remedy in the Court of Justice against the European Data Protection Supervisor’s decision.
Article 63
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the EPPO shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the EPPO.
Article 64
1. Where the EPPO together with one or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall, in a transparent manner, determine their respective responsibilities for compliance with their data protection obligations, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union law or the law of a Member State of the European Union to which the controllers are subject. The arrangement may designate a contact point for data subjects.
2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his/her rights under this Regulation in respect, and against each, of the controllers.
Article 65
1. Where processing is to be carried out on behalf of the EPPO, the EPPO shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the EPPO. In the case of general written authorisation, the processor shall inform the EPPO of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union law, or the law of a Member State of the European Union, that is binding on the processor with regard to the EPPO and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of operational personal data and categories of data subjects and the obligations and rights of the EPPO. That contract or other legal act shall stipulate, in particular, that the processor:
(a) acts only on instructions from the controller;
(b) ensures that persons authorised to process the operational personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) assists the controller by any appropriate means to ensure compliance with the provisions on the data subject’s rights;
(d) at the choice of the EPPO, deletes or returns all the operational personal data to the EPPO after the end of the provision of services relating to processing, and deletes existing copies unless Union law or the law of a Member State of the European Union requires storage of the operational personal data;
(e) makes available to the EPPO all information necessary to demonstrate compliance with the obligations laid down in this Article;
(f) complies with the conditions referred to in paragraphs 2 and 3 for engaging another processor.
4. The contract or the other legal act referred to in paragraph 3 shall be in writing, including in electronic form.
5. If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Article 66
The processor and any person acting under the authority of the EPPO or of the processor, who has access to operational personal data, shall not process those data except on instructions from the EPPO, unless required to do so by Union law or the law of a Member State of the European Union.
Article 67
1. The EPPO shall, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of this Regulation and protect the rights of the data subjects.
2. The EPPO shall implement appropriate technical and organisational measures ensuring that, by default, only operational personal data which are adequate, relevant and not excessive in relation to the purpose of the processing are processed. That obligation applies to the amount of operational personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default operational personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
Article 68
1. The EPPO shall maintain a record of all categories of processing activities under its responsibility. That record shall contain all of the following information:
(a) its contact details and the name and the contact details of the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of operational personal data;
(d) the categories of recipients to whom the operational personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) where applicable, transfers of operational personal data to a third country or an international organisation, including the identification of that third country or international organisation;
(f) where possible, the envisaged time limits for erasure of the different categories of data;
(g) where possible, a general description of the technical and organisational security measures referred to in Article 73.
2. The records referred to in paragraph 1 shall be in writing, including in electronic form.
3. The EPPO shall make the record available to the European Data Protection Supervisor on request.
Article 69
1. The EPPO shall keep logs of any of the following processing operations in automated processing systems: collection, alteration, consultation, disclosure including transfers, combination and erasure of operational personal data used for operational purposes. The logs of consultation and disclosure shall make it possible to establish the justification for, and the date and time of, such operations, the identification of the person who consulted or disclosed operational personal data, and, as far as possible, the identity of the recipients of such operational personal data.
2. The logs shall be used solely for verification of the lawfulness of processing, self-monitoring, ensuring the integrity and security of the operational personal data, and for criminal proceedings. Such logs shall be deleted after 3 years, unless they are required for on-going control.
3. The EPPO shall make the logs available to the European Data Protection Supervisor on request.
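The logging obligation above is the one provision in this chapter that maps directly onto an engineering control, so here is an illustrative implementation, added as an example and not part of the Regulation or of any EPPO system. It enforces the mandatory fields for consultation and disclosure, chains entries with a hash so that later alteration is detectable (one way of "ensuring the integrity" of the log; the Regulation does not prescribe a mechanism), and applies the 3-year deletion with a per-entry hold for entries still needed for on-going control. The field names, the tombstone-style purge that keeps the chain link while dropping the payload, the 365-day year and the sample entries are all this example's assumptions.

```python
"""Hash-chained audit log for the operations Article 69 requires to be logged.
Added example; field names, the hash chain and the tombstone purge are this
example's design choices, not the Regulation's or the EPPO's."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Operations listed in Article 69(1).
OPERATIONS = frozenset({"collection", "alteration", "consultation",
                        "disclosure", "combination", "erasure"})
# Consultation and disclosure must record their justification.
NEEDS_JUSTIFICATION = frozenset({"consultation", "disclosure"})
RETENTION = timedelta(days=3 * 365)  # Article 69(2): deleted after 3 years (assumed 365-day years)
GENESIS = "0" * 64                   # prev_hash of the first entry


@dataclass(frozen=True)
class LogEntry:
    seq: int
    timestamp: str                  # ISO 8601 with UTC offset
    operation: Optional[str]
    actor: Optional[str]            # identification of the person acting
    record_ref: Optional[str]       # opaque reference to the data touched
    justification: Optional[str]
    recipient: Optional[str]        # identity of the recipient, where known
    hold: bool                      # True while required for on-going control
    prev_hash: str
    entry_hash: str
    purged: bool = False            # payload removed by purge(); chain link kept

    def payload(self) -> dict:
        d = asdict(self)
        del d["entry_hash"], d["purged"]
        return d


def digest(payload: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def append(self, operation: str, actor: str, record_ref: str, *,
               justification: Optional[str] = None, recipient: Optional[str] = None,
               hold: bool = False, now: Optional[datetime] = None) -> LogEntry:
        if operation not in OPERATIONS:
            raise ValueError(f"not an Article 69 operation: {operation!r}")
        if operation in NEEDS_JUSTIFICATION and not justification:
            raise ValueError(f"{operation} must record its justification")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        payload = dict(seq=len(self.entries), timestamp=ts, operation=operation,
                       actor=actor, record_ref=record_ref, justification=justification,
                       recipient=recipient, hold=hold, prev_hash=prev)
        entry = LogEntry(**payload, entry_hash=digest(payload))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry links to its predecessor and no live entry was altered."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev:
                return False
            if not e.purged and digest(e.payload()) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def purge(self, now: datetime) -> int:
        """Drop the payload of entries older than RETENTION unless held; returns the count."""
        n = 0
        for i, e in enumerate(self.entries):
            if e.purged or e.hold:
                continue
            if datetime.fromisoformat(e.timestamp) + RETENTION <= now:
                self.entries[i] = replace(e, operation=None, actor=None, record_ref=None,
                                          justification=None, recipient=None, purged=True)
                n += 1
        return n


def demo() -> Dict[str, object]:
    """Constructed sample entries; actors, references and recipient are invented."""
    t0 = datetime(2021, 1, 4, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    log.append("collection", "edp-01", "case/0001/doc-7", now=t0)
    log.append("consultation", "edp-01", "case/0001/doc-7",
               justification="review before indictment", now=t0 + timedelta(days=3))
    log.append("disclosure", "edp-01", "case/0001/doc-7", justification="transmission",
               recipient="Union body X", hold=True, now=t0 + timedelta(days=10))
    try:                       # a consultation without justification is refused
        log.append("consultation", "analyst-9", "case/0001/doc-7", now=t0)
        rejected = False
    except ValueError:
        rejected = True
    intact = log.verify()
    purged = log.purge(now=t0 + timedelta(days=4 * 365))   # four years on
    still_intact = log.verify()
    log.entries[2] = replace(log.entries[2], recipient="someone else")  # simulated tampering
    return {"rejected": rejected, "intact": intact, "purged": purged,
            "still_intact": still_intact, "tamper_detected": not log.verify(),
            "held": sum(e.hold and not e.purged for e in log.entries)}
```

A purged entry keeps only its sequence number, timestamp and the two hashes, so the chain still verifies across it while the personal data it carried is gone; the held disclosure entry survives the purge and any later change to it is caught by `verify()`. In a real deployment the chain head would additionally be signed or anchored outside the system that writes the log, since a writer that controls the whole file can rebuild the chain.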
Article 70
The EPPO shall, on request, cooperate with the European Data Protection Supervisor in the performance of its tasks.
Article 71
1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the EPPO shall carry out, prior to the processing, an assessment of the impact of the envisaged processing operations on the protection of operational personal data.
2. The assessment referred to in paragraph 1 shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of operational personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
Article 72
1. The EPPO shall consult the European Data Protection Supervisor prior to processing which will form part of a new filing system to be created, where:
(a) a data protection impact assessment as provided for in Article 71 indicates that the processing would result in a high risk in the absence of measures taken by the EPPO to mitigate the risk; or
(b) the type of processing, in particular where using new technologies, mechanisms or procedures, involves a high risk to the rights and freedoms of data subjects.
2. The European Data Protection Supervisor may establish a list of the processing operations which are subject to prior consultation pursuant to paragraph 1.
3. The EPPO shall provide the European Data Protection Supervisor with the data protection impact assessment pursuant to Article 71 and, on request, with any other information to allow the European Data Protection Supervisor to make an assessment of the compliance of the processing and in particular of the risks for the protection of operational personal data of the data subject and of the related safeguards.
4. Where the European Data Protection Supervisor is of the opinion that the intended processing referred to in paragraph 1 of this Article would infringe this Regulation, in particular where the EPPO has insufficiently identified or mitigated the risk, the European Data Protection Supervisor shall provide, within a period of up to 6 weeks of receipt of the request for consultation, written advice to the EPPO according to its powers in accordance with Article 85. That period may be extended by a month, taking into account the complexity of the intended processing. The European Data Protection Supervisor shall inform the EPPO of any such extension within 1 month of receipt of the request for consultation, together with the reasons for the delay.
1. The EPPO shall, taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of the processing as well as risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular as regards the processing of special categories of operational personal data referred to in Article 55.
2. In respect of automated processing, the EPPO shall, following an evaluation of the risks, implement measures designed to:
(a) deny unauthorised persons access to data processing equipment used for processing (equipment access control);
(b) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored operational personal data (storage control);
(d) prevent the use of automated processing systems by unauthorised persons using data communication equipment (user control);
(e) ensure that persons authorised to use an automated processing system have access only to the operational personal data covered by their access authorisation (data access control);
(f) ensure that it is possible to verify and establish the bodies to which operational personal data have been or may be transmitted or made available using data communication (communication control);
(g) ensure that it is subsequently possible to verify and establish which operational personal data have been input into automated data processing systems, and when and by whom the data were input (input control);
(h) prevent unauthorised reading, copying, modification or deletion of operational personal data during transfers of operational personal data or during transportation of data media (transport control);
(i) ensure that installed systems may, in the case of interruption, be restored (recovery);
(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored operational personal data cannot be corrupted by means of a malfunctioning of the system (integrity).
1. In the case of a personal data breach, the EPPO shall notify without undue delay and, where feasible, not later than 72 hours after having become aware of it, the personal data breach to the European Data Protection Supervisor, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the European Data Protection Supervisor is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the EPPO to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
3. Where, and in so far as, it is not possible to provide the information referred to in paragraph 2 at the same time, the information may be provided in phases without undue further delay.
4. The EPPO shall document any personal data breaches referred to in paragraph 1, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the European Data Protection Supervisor to verify compliance with this Article.
5. Where the personal data breach involves personal data that have been transmitted by or to another controller, the EPPO shall communicate the information referred to in paragraph 3 to that controller without undue delay.
1. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the EPPO shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe, in clear and plain language, the nature of the personal data breach and shall contain at least the information and the recommendations provided for in points (b), (c) and (d) of Article 74(2).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(a) the EPPO has implemented appropriate technological and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the EPPO has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve a disproportionate effort. In such a case, there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner.
4. If the EPPO has not already communicated the personal data breach to the data subject, the European Data Protection Supervisor, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so, or may decide that any of the conditions referred to in paragraph 3 are met.
5. The communication to the data subject referred to in paragraph 1 of this Article may be delayed, restricted or omitted subject to the conditions and on the grounds referred to in Article 60(3).
Only the European Chief Prosecutor, the European Prosecutors, the European Delegated Prosecutors and authorised staff assisting them may, for the purpose of achieving their tasks and within the limits provided for in this Regulation, have access to operational personal data processed by the EPPO.
1. The College shall designate a Data Protection Officer, on the basis of a proposal from the European Chief Prosecutor. The Data Protection Officer shall be a member of staff specifically appointed for this purpose. In the performance of his/her duties, the Data Protection Officer shall act independently and may not receive any instructions.
2. The Data Protection Officer shall be selected on the basis of the Officer’s professional qualities and, in particular, expert knowledge of data protection law and practice, and the ability to fulfil the tasks referred to in this Regulation, in particular those referred to in Article 79.
3. The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between the Officer’s duty as Data Protection Officer and any other official duties, in particular in relation to the application of this Regulation.
4. The Data Protection Officer shall be appointed for a term of 4 years and shall be eligible for reappointment up to a maximum total term of 8 years. The Officer may be dismissed from the post of Data Protection Officer by the College only with the agreement of the European Data Protection Supervisor, if the Officer no longer fulfils the conditions required for the performance of his/her duties.
5. The EPPO shall publish the contact details of the data protection officer and communicate them to the European Data Protection Supervisor.
1. The EPPO shall ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2. The EPPO shall support the data protection officer in performing the tasks referred to in Article 79 by providing resources necessary to carry out those tasks and by providing access to personal data and processing operations, and to maintain his or her expert knowledge.
3. The EPPO shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The Officer shall not be dismissed or penalised by the College for performing his/her tasks. The data protection officer shall directly report to the European Chief Prosecutor.
4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation and under Regulation (EC) No 45/2001.
5. The College shall adopt implementing rules concerning the Data Protection Officer. Those implementing rules shall in particular concern the selection procedure for the position of the Data Protection Officer and the Officer’s dismissal, tasks, duties and powers and safeguards for independence of the Data Protection Officer.
6. The EPPO shall provide the Data Protection Officer with the staff and resources necessary for him/her to carry out his/her duties.
7. The Data Protection Officer and his/her staff shall be bound by the obligation of confidentiality in accordance with Article 108.
1. The Data Protection Officer shall in particular have the following tasks, regarding the processing of personal data:
(a) ensuring, in an independent manner, the EPPO’s compliance with the data protection provisions of this Regulation, of Regulation (EC) No 45/2001 and of the relevant data protection provisions in the internal rules of procedure of the EPPO; this includes monitoring compliance with this Regulation, with other Union or national data protection provisions and with the policies of the EPPO in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(b) informing and advising the EPPO and the staff who carry out processing of their obligations pursuant to this Regulation and to other Union or national data protection provisions;
(c) providing advice where requested as regards the data protection impact assessment and monitoring its performance pursuant to Article 71;
(d) ensuring that a record of the transfer and receipt of personal data is kept in accordance with the provisions to be laid down in the internal rules of procedure of the EPPO;
(e) cooperating with the staff of the EPPO responsible for procedures, training and advice on data processing;
(f) cooperating with the European Data Protection Supervisor;
(g) ensuring that data subjects are informed of their rights under this Regulation;
(h) acting as the contact point for the European Data Protection Supervisor on issues relating to processing, including the prior consultation referred to in Article 72, and consulting, where appropriate, with regard to any other matter;
(i) preparing an annual report and communicating that report to the European Chief Prosecutor and to the European Data Protection Supervisor.
2. The Data Protection Officer shall carry out the functions provided for in Regulation (EC) No 45/2001 with regard to administrative personal data.
3. The Data Protection Officer and the staff members of the EPPO assisting the Data Protection Officer in the performance of duties shall have access to the personal data processed by the EPPO and to its premises to the extent necessary for the performance of their tasks.
4. If the Data Protection Officer considers that the provisions of Regulation (EC) No 45/2001 related to the processing of administrative personal data or the provisions of this Regulation related to the processing of operational personal data have not been complied with, the Officer shall inform the European Chief Prosecutor, requesting him/her to resolve the non-compliance within a specified time. If the European Chief Prosecutor does not resolve the non-compliance of the processing within the specified time, the Data Protection Officer shall refer the matter to the European Data Protection Supervisor.
1. The EPPO may transfer operational personal data to a third country or international organisation, subject to compliance with the other provisions of this Regulation, in particular Article 53, only where the conditions laid down in Articles 80 to 83 are met, namely:
(a) the transfer is necessary for the performance of the tasks of the EPPO;
(b) the operational personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purpose of Article 104;
(c) where the operational personal data to be transferred in accordance with this Article have been transmitted or made available by a Member State of the European Union to the EPPO, the latter shall obtain prior authorisation for the transfer by the relevant competent authority of that Member State of the European Union in compliance with its national law, unless that Member State of the European Union has granted this authorisation to such transfer in general terms or subject to specific conditions;
(d) the Commission has decided pursuant to Article 81 that the third country or international organisation in question ensures an adequate level of protection, or in the absence of such an adequacy decision, where appropriate safeguards are adduced or exist pursuant to Article 82, or, in the absence of both an adequacy decision and such appropriate safeguards, derogations for specific situations apply pursuant to Article 83; and
(e) in the case of an onward transfer to another third country or international organisation by a third country or international organisation, the EPPO shall require the third country or international organisation to seek its prior authorisation for that onward transfer, which the EPPO may provide only after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the operational personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which operational personal data are onward transferred.
2. The EPPO may transfer operational personal data without prior authorisation by a Member State of the European Union in accordance with point (c) of paragraph 1 only if the transfer of the operational personal data is necessary for the prevention of an immediate and serious threat to public security of a Member State of the European Union or a third country or to essential interests of a Member State of the European Union and the prior authorisation cannot be obtained in good time. The authority responsible for giving prior authorisation shall be informed without delay.
3. The transfer of operational personal data received from the EPPO to a third country or an international organisation by a Member State of the European Union, or institution, body, office or agency of the Union shall be prohibited. This shall not apply in cases where the EPPO has authorised such transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the operational personal data was originally transmitted and the level of personal data protection in the third country or an international organisation to which operational personal data are transferred. That obligation to obtain prior authorisation from the EPPO shall not apply to cases that have been referred to competent national authorities in accordance with Article 34.
4. Articles 80 to 83 shall be applied in order to ensure that the level of protection of natural persons ensured by this Regulation and by Union law is not undermined.
The EPPO may transfer operational personal data to a third country or an international organisation where the Commission has decided in accordance with Article 36 of Directive (EU) 2016/680 that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
1. In the absence of an adequacy decision, the EPPO may transfer operational personal data to a third country or an international organisation where:
(a) appropriate safeguards with regard to the protection of operational personal data are provided for in a legally binding instrument; or
(b) the EPPO has assessed all the circumstances surrounding the transfer of operational personal data and concludes that appropriate safeguards exist with regard to the protection of operational personal data.
2. The EPPO shall inform the European Data Protection Supervisor about categories of transfers under point (b) of paragraph 1.
3. When a transfer is based on point (b) of paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, and information about the receiving competent authority, about the justification for the transfer and about the operational personal data transferred.
1. In the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 82, the EPPO may transfer operational personal data to a third country or an international organisation only on the condition that the transfer is necessary:
(a) in order to protect the vital interests of the data subject or another person;
(b) to safeguard legitimate interests of the data subject;
(c) for the prevention of an immediate and serious threat to public security of a Member State of the European Union or a third country; or
(d) in individual cases for the performance of the tasks of the EPPO, unless the EPPO determines that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer.
2. Where a transfer is based on paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, and information about the receiving competent authority, about the justification for the transfer and about the operational personal data transferred.
1. By way of derogation from point (b) of Article 80(1) and without prejudice to any international agreement referred to in paragraph 2 of this Article, the EPPO, in individual and specific cases, may transfer operational personal data directly to recipients established in third countries only if the other provisions of this Chapter are complied with and all of the following conditions are fulfilled:
(a) the transfer is strictly necessary for the performance of its tasks as provided for by this Regulation for the purposes set out in Article 49(1);
(b) the EPPO determines that no fundamental rights and freedoms of the data subject concerned override the public interest necessitating the transfer in the case at hand;
(c) the EPPO considers that the transfer to an authority that is competent for the purposes referred to in Article 49(1) in the third country is ineffective or inappropriate, in particular because the transfer cannot be achieved in good time;
(d) the authority that is competent for the purposes referred to in Article 49(1) in the third country is informed without undue delay, unless this is ineffective or inappropriate;
(e) the EPPO informs the recipient of the specified purpose or purposes for which the operational personal data are only to be processed by the latter provided that such processing is necessary.
2. An international agreement referred to in paragraph 1 shall be any bilateral or multilateral international agreement in force between the Union and third countries in the field of judicial cooperation in criminal matters and police cooperation.
3. Where a transfer is based on paragraph 1, such a transfer shall be documented and the documentation shall be made available to the European Data Protection Supervisor on request, including the date and time of the transfer, and information about the receiving competent authority, about the justification for the transfer and about the operational personal data transferred.
1. The European Data Protection Supervisor shall be responsible for monitoring and ensuring the application of the provisions of this Regulation relating to the protection of fundamental rights and freedoms of natural persons with regard to processing of operational personal data by the EPPO, and for advising the EPPO and data subjects on all matters concerning the processing of operational personal data. To this end, the European Data Protection Supervisor shall fulfil the duties set out in paragraph 2 of this Article, shall exercise the powers granted in paragraph 3 of this Article and shall cooperate with the national supervisory authorities in accordance with Article 87.
2. The European Data Protection Supervisor shall have the following duties under this Regulation:
(a) hear and investigate complaints, and inform the data subject of the outcome within a reasonable period;
(b) conduct inquiries either on his/her own initiative or on the basis of a complaint, and inform the data subjects of the outcome within a reasonable period;
(c) monitor and ensure the application of the provisions of this Regulation relating to the protection of natural persons with regard to the processing of operational personal data by the EPPO;
(d) advise the EPPO, either on his/her own initiative or in response to a consultation, on all matters concerning the processing of operational personal data, in particular before it draws up internal rules relating to the protection of fundamental rights and freedoms with regard to the processing of operational personal data.
3. The European Data Protection Supervisor may under this Regulation:
(a) give advice to data subjects in the exercise of their rights;
(b) refer the matter to the EPPO in the event of an alleged breach of the provisions governing the processing of operational personal data, and, where appropriate, make proposals for remedying that breach and for improving the protection of the data subjects;
(c) consult the EPPO when requests to exercise certain rights in relation to operational personal data have been refused in breach of Articles 56 to 62;
(d) refer the matter to the EPPO;
(e) order the EPPO to carry out the rectification, restriction or erasure of operational personal data which have been processed by the EPPO in breach of the provisions governing the processing of operational personal data and the notification of such actions to third parties to whom such data have been disclosed, provided that this does not interfere with investigations and prosecutions led by the EPPO;
(f) refer the matter to the Court of Justice under the conditions set out in the Treaties;
(g) intervene in actions brought before the Court of Justice.
4. The European Data Protection Supervisor shall have access to the operational personal data processed by the EPPO and to its premises to the extent necessary for the performance of its tasks.
5. The European Data Protection Supervisor shall draw up an annual report on the supervisory activities on the EPPO.
The European Data Protection Supervisor and staff shall, both during and after their term of office, be subject to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of official duties.
1. The European Data Protection Supervisor shall act in close cooperation with national supervisory authorities with respect to specific issues requiring national involvement, in particular if the European Data Protection Supervisor or a national supervisory authority finds major discrepancies between practices of Member States of the European Union or finds potentially unlawful transfers using the communication channels of the EPPO, or in the context of questions raised by one or more national supervisory authorities on the implementation and interpretation of this Regulation.
2. In the cases referred to in paragraph 1, the European Data Protection Supervisor and the national supervisory authorities competent for data protection supervision may, each acting within the scope of their respective competences, exchange relevant information, and assist each other in carrying out audits and inspections, examine difficulties of interpretation or application of this Regulation, study problems related to the exercise of independent supervision or to the exercise of the rights of data subjects, draw up harmonised proposals for joint solutions to any problems, and promote awareness of data protection rights, as necessary.
3. The European Data Protection Board established by Regulation (EU) 2016/679 shall also carry out the tasks laid down in Article 51 of Directive (EU) 2016/680 with regard to matters covered by this Regulation, in particular those referred to in paragraphs 1 and 2 of this Article.
1. Every data subject shall have the right to lodge a complaint with the European Data Protection Supervisor, if the data subject considers that the processing by the EPPO of operational personal data relating to the data subject infringes this Regulation.
2. The European Data Protection Supervisor shall inform the data subject of the progress and the outcome of the complaint, including of the possibility of a judicial remedy pursuant to Article 89.
Actions against decisions of the European Data Protection Supervisor shall be brought before the Court of Justice.