Richtlijn 2016/680 - Bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens door bevoegde autoriteiten met het oog op de voorkoming, het onderzoek, de opsporing en de vervolging van strafbare feiten of de tenuitvoerlegging van straffen, en betreffende het vrije verkeer van die gegevens

1.

Samenvatting van Wetgeving

2.

Protecting personal data that is used by police and criminal justice authorities (from 2018)

SUMMARY OF:

Directive (EU) 2016/680 – Protecting individuals with regard to the processing of their personal data by police and criminal justice authorities and on the free movement of such data

WHAT IS THE AIM OF THE DIRECTIVE?

  • Directive (EU) 2016/680, the data protection law enforcement directive (LED), ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects.
  • It establishes a comprehensive framework to ensure a high level of data protection, while taking into account the specific nature of the police and criminal justice field.
  • It contributes to increased trust and facilitates cooperation in the fight against crime in Europe, by harmonising the protection of personal data by law enforcement authorities in European Union (EU) Member States and Schengen countries.
  • The directive is part of the EU data protection reform , along with the general data protection regulation (GDPR) (see summary) and Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies (see summary).

KEY POINTS

The directive requires that the data collected by law enforcement authorities are:

  • processed lawfully and fairly;
  • collected for specified, explicit and legitimate purposes and processed only in a manner compatible with these purposes;
  • adequate, relevant and not excessive in relation to the purpose for which they are processed;
  • accurate and updated where necessary;
  • kept in a form which allows identification of the individual for no longer than is necessary for the purpose of the processing;
  • appropriately secured, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures.

Time limits

Member States must establish time limits for erasing the personal data or for a regular review of the need to store such data.

Individuals concerned (‘data subjects’)

The directive requires that law enforcement authorities make a clear distinction between the data of different categories of persons, including:

  • those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence;
  • those who have been convicted of a criminal offence;
  • victims of criminal offences or those whom it is reasonably believed could be victims of criminal offences;
  • those who are parties to a criminal offence, including potential witnesses.

Information to data subjects and access to data

Individuals have the right to have certain information made available – and in some cases provided – to them by the competent law enforcement authorities, including:

  • the name and contact details of the competent authority which decides the purpose and means of the data processing;
  • the purposes for processing their data;
  • the right to launch a complaint with a supervisory authority and the contact details of the authority;
  • the existence of the right to request access to and correction or deletion of their personal data, as well as the right to restrict processing of their personal data.

Individuals have the right to obtain confirmation from competent authorities as to whether their personal data are being processed, and to access such data and information relating to their processing.

Security and logging

National authorities must take technical and organisational measures to ensure a level of security for personal data that is appropriate to the risk. Where data processing is automated, a number of measures must be put in place, including:

  • denying unauthorised persons access to equipment used for processing;
  • preventing the unauthorised reading, copying, changing or removal of data media*;
  • preventing the unauthorised input of personal data and the unauthorised viewing, changing or deleting of stored personal data.

National authorities must keep logs with information such as the date and time of access to personal data and the names of those who have consulted the data or to whom the data have been disclosed. The logs shall mainly be used for verifying the lawfulness of the processing, ensuring the security and integrity of the processing and for criminal proceedings.

Repeal

The directive replaced Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with effect from 6 May 2018.

Review

The European Commission has issued a communication entitled ‘Way forward on aligning the former third pillar acquis with data protection rules’ in June 2020.

The first report on the evaluation and review of the directive is due by 5 May 2022.

FROM WHEN DOES THE DIRECTIVE APPLY?

It has applied since 5 May 2016. Member States had to transpose the directive (incorporate it into their national law) by 6 May 2018.

BACKGROUND

For further information, see:

KEY TERMS

Data media. Disks or other devices to store data.

MAIN DOCUMENT

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131).

Successive amendments to Regulation (EU) 2016/680 have been incorporated into the original text. This consolidated version is of documentary value only.

RELATED DOCUMENTS

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88).

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, pp. 39–98).

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37–47).

See consolidated version.

last update 23.01.2017

Deze samenvatting is overgenomen van EUR-Lex.

3.

Wettekst

Richtlijn (EU) 2016/680 van het Europees Parlement en de Raad van 27 april 2016 betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens door bevoegde autoriteiten met het oog op de voorkoming, het onderzoek, de opsporing en de vervolging van strafbare feiten of de tenuitvoerlegging van straffen, en betreffende het vrije verkeer van die gegevens en tot intrekking van Kaderbesluit 2008/977/JBZ van de Raad