European Data Protection Supervisor orders Europol to erase data concerning individuals with no established link to a criminal activity

On 3 January 2022, the European Data Protection Supervisor (EDPS) notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.

In the context of its inquiry, the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.  

In light of the above, the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.

Wojciech Wiewiórowski, EDPS, said: “Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation. Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted - a process often lasting years. A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms. Furthermore, understanding the operational needs of Europol and the amount of data collected so far, I have decided to grant Europol a period of 12 months to ensure compliance with the Decision for the datasets already in Europol’s possession.”

The EDPS is confident that the order will ensure Europol’s compliance with its obligations under the Europol Regulation while maintaining its operational capabilities.

For more information, read the EDPS Decision and the "Frequently Asked Questions" document on the EDPS website. 

( /


Top Stories

Accidents on board an aircraft: The strict liability of airlines under the Montreal convention extends to inadequate first aid administered on board an aircraft

The length of court proceedings for 7 years and 8 months violated the right to a fair hearing within a reasonable time (ECtHR)

TikTok processing of children’s data: Dispute's settlement by European Data Protection Board

Promotion of judges after evaluation by other judges: Substantive conditions and procedural rules must be such as to dispel any reasonable doubt as to the independence and the impartiality

Timeshare contracts: Applicable law in the absence of a choice made by the parties (ECJ)