The European Public Prosecutor’s Office (EPPO) is the independent prosecution office of the European Union (EU) with the competence to investigate, prosecute and bring to judgment crimes against the financial interests of the EU. This involves crimes such as fraud, corruption or serious cross-border VAT fraud. It does this in front of the national courts of the participating Member States, and in line with their national procedural laws. In order to do this, as well as for its own functioning, the EPPO processes personal data, both centrally, as well as at decentralised level, within the national infrastructures.
The EPPO processes personal data in the context of its investigations and prosecutions, but equally requires personal data for other purposes, such as human resources, budget or security related purposes. Two different legal frameworks apply depending on the purpose for which the processing occurs. The EPPO’s legal framework refers to these two main purposes of processing personal data as operational and administrative.
The legal provisions applicable to the processing of personal data for operational purposes are found in the EPPO Regulation (Regulation (EU) 2017/1939). The processing of administrative personal data (defined as processing for everything other than operational purposes) falls under Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
Operational and administrative personal data:
The EPPO processes personal data as operational personal data if it is processed for operational purposes, namely for:
- the EPPO’s criminal investigations and prosecutions, or
- information exchange with the competent authorities of Member States of the European Union and other institutions, bodies, offices and agencies of the Union, or
- cooperation with third countries and international organisations, or
- determining whether the personal data is relevant to the EPPO’s tasks
Where the purpose is anything else, the EPPO processes personal data as administrative personal data (such as human resources, budget or security related purposes).
Whether the personal data is operational or administrative has consequences on a number of aspects. This includes how and where the personal data is processed, for how long, whom it may be shared with, but also as regards the rights of data subjects and possible limitations thereto. In any event, the EPPO cannot further process personal data in a manner incompatible with the purpose for which the personal data were originally collected. Further processing is only allowed in accordance with the EPPO Regulation, such as when personal data are further processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
As a general principle, personal data is processed for no longer than is necessary for the purposes for which the personal data are processed.
The continued necessity of operational personal data is reviewed no later than every three years and specific periods of retention exist in relation to finalised cases in line with Article 50 of the EPPO Regulation.
As regards administrative personal data, you may find the respective retention periods in the data protection notices relating to the processing activity at issue. In general, the retention period for administrative personal data depends on the EPPO’s legal obligations as regards auditability and compliance. Where there is no absolute or shorter retention period applicable to the specific processing operation, a continuous review obligation exists no later than every three years.
As regards operational personal data, you have a number of rights under the EPPO Regulation. These rights include the right to request access, rectification, erasure or restriction of the processing of the operational personal data, which you may exercise at any time. Your rights under the EPPO Regulation may be limited and restricted in accordance with the EPPO Regulation itself and the Rules Concerning the Processing of Personal Data by the EPPO (College Decision 009/2020). You have the right at any time to lodge a complaint with the European Data Protection Supervisor (e-mail to edps (at) edps.europa.eu or by post to European Data Protection Supervisor, Rue Wiertz 60, 1047 Brussels, Belgium.) In specific circumstances, you may also have the ability to exercise some of your rights under the EPPO Regulation through the European Data Protection Supervisor.
As regards administrative personal data, you have a number of rights under Regulation (EU) 2018/1725. These include the right to request access to your personal data and to have them rectified in case they are inaccurate or incomplete, to object to or request restriction of processing of your personal data, to erase your personal data, to data portability, and the right to withdraw consent (where applicable). Your rights under Regulation (EU) 2018/1725 may be restricted in accordance with Regulation (EU) 2018/1725 itself, its implementation by the designated College Decision (College Decision 006/2020), and the Rules Concerning the Processing of Personal Data by the EPPO (College Decision 009/2020). You have the right at any time to lodge a complaint with the European Data Protection Supervisor (e-mail to edps (at) edps.europa.eu or by post to European Data Protection Supervisor, Rue Wiertz 60, 1047 Brussels, Belgium.).
In light of two different legal frameworks being applicable to any request to exercise a given set of data subject rights, data subjects are asked to indicate in their request if it relates to operational personal data, or if it is also to include (or limited to) administrative personal data. Please note that the EPPO processes your personal data for the purposes of fulfilling your rights under the two legal frameworks in accordance with the dedicated data protection notice.
Contact details and assistance:
The entity that determines how and why operational personal data are processed and which is legally responsible for complying with data protection obligations under the EPPO Regulation is the EPPO. You may contact the EPPO via the designated contact page or by mail marked for the attention of the Head of Operations and College Support, EPPO, 11 Avenue John F. Kennedy, 1855 Luxembourg.
The Data Protection Officer of the EPPO can be reached by email to DPO (at) eppo.europa.eu, or by mail marked for the attention of the Data Protection Officer, EPPO, 11, Avenue John F. Kennedy, 1855 Luxembourg, for assistance and with regard to any issues in relation to the processing of operational personal data and the exercise of your rights under the EPPO Regulation.
If your query, assistance request, or exercise of data protection rights relates to administrative personal data and / or the exercise of your rights under Regulation (EU) 2018/1725, please refer to the dedicated data protection notice, if available. Should you no longer have access thereto, or are unsure about the purpose of processing, please reach out to the EPPO or directly to the Data Protection Officer. You may contact the EPPO via the designated contact page or by mail marked for the attention of the Administrative Director, EPPO, 11 Avenue John F. Kennedy, 1855 Luxembourg. The Data Protection Officer of the EPPO can be reached by email to DPO (at) eppo.europa.eu, or by mail marked for the attention of the Data Protection Officer, EPPO, 11, Avenue John F. Kennedy, 1855 Luxembourg.
The Data Protection Officer cannot discuss any aspect in relation to ongoing investigations or prosecutions by the EPPO, nor is the exercise of your rights as a data subject under the EPPO Regulation the same as requesting access to your case file in the context of procedural rights. For this, follow the procedure foreseen in relation to the procedural laws applicable to your case.
Last updated: 24 January 2024