EDPS contro EUROPOL: limitare la durata del trattamento

EDPS issues the Supervisory opinion on the draft Europol Management Board Decision laying down rules to determine time limits for the storage of administrative personal data.

...

4. CONCLUSION

As indicated above, in order to ensure compliance of the processing with the EUDPR, the
EDPS deems necessary that Europol:

1. Recommendation 1: include as part of the retention schedule annexed to the draft
Management Board Decision the criteria and elements (including possible legal
obligations) justifying each retention period.

2. Recommendation 2: carry out a review of the respective records of processing
operations in order to verify the Accuracy of the information in the records regarding
the retention periods set.

3. Recommendation 9: amend the Annex of the draft Decision in order to set what is
the starting date or the action/event that determines the starting date at which each
retention period starts to run.

4. Recommendation 10: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to the management of public relations, marketing, press and media and
any other related processing activities. In addition, Europol should explain why they
have decided to keep personal data related to those processing activities for such
period.

5. Recommendation 11: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to handling of data subject’s access requests.

6. Recommendation 12: make a distinction between the different processing activities
related to the monitoring of compliance with Europol data protection legislation, adapt
the respective retention periods and to clarify what is their set starting date or
activity/event determining their starting date.

7. Recommendation 15: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to business continuity management.

8. Recommendation 18: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for data processing
activities related to the organisation and management of Europol events, translation
services and any other related processing activities.

9. Recommendation 19: make an Assessment of the need to retain the files related to
the Internal Audit Capability for seven years and clarify what is the set starting date
or the activity/event determining the starting date of the retention period.

10. Recommendation 20: clarify what is the specific legal instrument that Europol is
referring to in order to keep the files related to the implementation of the budget of
Europol according to legal obligations for such period.

11. Recommendation 21: provide information on when the retention period set up for
data processing activities related to the functioning of the Europol Liaison Bureaux starts
and what criteria have been used to determine it.

12. Recommendation 22: make the relevant distinctions between the different
categories of day-to-day management related processing activities according to the
purpose for which the relevant personal data are processed.

13. Recommendation 23: provide further clarification on when the retention period
starts for data processing activities related to the management of procurement
procedures and contract administration, and what criteria have been used to determine
it, including legal requirements and / or contractual obligations.

14. Recommendation 24: carry out a renewed Assessment on the necessity to keep the
files related the security and safety services for such period, and clarify what is the set
starting date or the activity/event determining the starting date of the retention
period.

15. Recommendation 26: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for the data processing
related to the implementation of the EU Staff Regulation.

16. Recommendation 28: clarify what is the set starting date or the activity/event
determining the starting date of the retention period set up for the data processing
activities related to the IT governance and IT management of Europol.

17. Recommendation 29: provide more details in regards to the scope of the activities
related to the functioning of, and performed by, the Europol Medical Centre to which
this retention period is referring. In addition, to provide further information on when
the proposed retention period starts and what criteria have been used to determine
it.

18. Recommendation 30: clarify since when the retention period set up for data
processing activities related to subsisting rights and obligations of staff members would
apply.

19. Recommendation 31: make the relevant distinction between the different
categories of staff members and adapt the respective retention periods set up for data
processing activities related to subsisting rights and obligations of staff members, taking
into consideration that their subsisting rights and obligations may differ.

20. Recommendation 33: reconsider the specific retention period of one hundred years
set up for data processing activities related to subsisting rights and obligations of staff
members.

Moreover, the EDPS recommends that Europol:

21. Recommendation 3: confirm that information systems are properly updated to
ensure that retention periods are implemented accordingly, in a secure and verifiable
manner.

22. Recommendation 4: amend Article 3.3 of the draft Decision to explicitly mention
that the storage of personal data for longer periods for such purposes is in accordance
with Article 13 of the EUDPR (‘safeguards relating to the processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes’).

23. Recommendation 5: amend Article 3.4 of the draft Decision to indicate that Europol
should document its Assessment on the criteria followed to determine the retention
periods for each category of data processed.

24. Recommendation 6: amend the Article 5.3 of the draft Decision to mention that the
controller’s documentation includes an analysis of the criteria taken into
consideration for the Assessment of the necessity of the continued storage of
administrative personal data.

25. Recommendation 7: amend the Article 5.3 of the draft Decision to specify how
regularly the controller should carry out the review of the need for continued storage
of administrative personal data.

26. Recommendation 8: amend the Article 5.3 of the draft Decision to make clear that
controllers shall be aware of and responsible for the correct management of the
established retention periods.

27. Recommendation 13: specify the categories of personal data processed in the
corresponding records of the processing activities related to the monitoring of
compliance with Europol data protection legislation.

28. Recommendation 14: implement a specific administrative procedure for deleting
special categories of personal data for processing activities related to the monitoring
of compliance with Europol data protection legislation before the end of the standard
retention period of five years.

29. Recommendation 16: assess the specific processing activities related to business
continuity management to understand whether any of them could require a shorter
retention period.

30. Recommendation 17: provide the justification of the Assessment on the necessity
to keep the files related to data processing activities related to the organisation and
management of Europol events, translation services for such period.

31. Recommendation 25: set the retention period for processing activities related to the
implementation of the EU Staff Regulation for seven years.

32. Recommendation 27: carry out a further Assessment of the evidence, including any
legal obligations of the controller, justifying the retention period set up for the data
processing activities related to the IT governance and IT management of Europol and any
other related processing activities.

33. Recommendation 32: put in place technical and organisational measures to, where
necessary and appropriate, extend retention periods related to data processing
activities related to subsisting rights and obligations of staff members in exceptional
circumstances to safeguard the subsisting rights of the staff members. Moreover, to
implement the necessary procedure to assess on a regular basis whether they must
delete the personal data for which Europol decided to extend the retention period, or
whether the circumstances that justified such extended retention periods still exist.
In light of the Accountability principle, the EDPS expects Europol to implement the above
recommendations accordingly and has decided to close the case.
Done in Brussels, October 2024[e-signed]

WOJCIECH RAFAŁ WIEWIÓROWSKI