Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.

Europol receives order from EDPS to erase data concerning individuals with no established link to a criminal activity

​published on 27 January 2022 | reading time approx. 3 minutes

On 3 January 2022, the European Data Protection Supervisor (EDPS) notified the European Union Agency for Law Enforcement Cooperation (Europol) of an order to erase data concerning individuals with no established link to a criminal activity (referred to as data without Data Subject Categorization).

On April 2019, the EDPS decided to launch an own-initiative investigation on the processing of large datasets by Europol for purposes of strategic and operational analysis. The evolution of Europol’s personal data processing activities of large datasets raised concerns about compliance with Europol’s data protection rules outlined in Regulation (EU) 2016/794 (hereinafter the Europol Regulation). 

The EDPS ceased the investigation on September 2020 issuing an admonishment to Europol, for the continued storage of large volumes of data with no Data Subject Categorization, which poses a risk to individuals’ fundamental rights. The EDPS has encouraged Europol to take all necessary and suitable measures to reduce the risks to individuals as a result of such personal data activities.

While Europol has taken some measures into consideration since, it has yet to comply with the EDPS’ request to determine an appropriate data retention period to filter and extract the personal data. This means the Agency was keeping the data for a longer time than necessary, contrary to the principles of data minimization and storage limitation.

Given the violation of these principles, the EDPS has decided to impose a 6-month retention period, which forces Europol to erase datasets older than 6 months that are lacking Data Subject Categorization. The EDPS aims to ensure that individuals’ data with no clear link to any criminal activities is not processed in Europol’s databases for an undefined amount of time, therefore minimizing the risks that this involves.

Regarding the datasets already received before this decision, the EDPS has given Europol a 12-month period to comply with the decision. Datasets that have not undergone a Data Subject Categorization by then must be erased.


Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, 
with a special focus on the GDPR. 


Contact Person Picture

Jorge González Fernández

Associate Lawyer Data Protection Department Spain

+91 535 99 77

Invia richiesta


​​Discover more about our offices in Spain. Read more »
Deutschland Weltweit Search Menu