- Why do we process your personal data?
Recital 49 of Council Regulation 2017/1939 (the ‘EPPO Regulation’) clarifies that the EPPO may receive or gather information from private parties concerning offences in respect of which it could exercise its competence.
You can submit information of possible investigative interest via the dedicated web page https://www.eppo.europa.eu/report-crime.
Without undue delay, the EPPO will process the reported information in order to assess whether it falls within or outside of its competence. If the information does not fall manifestly outside of the EPPO competence, the EPPO will verify whether the conditions to exercise its competence are met, in particular those provided by Articles 22, 23 and 25 of Council Regulation 2017/1939 (the ‘EPPO Regulation’).
If that is the case, an investigation case will be opened and the data that you provide will be processed for the purposes of conducting an investigation and prosecution, and / or cooperation with other competent authorities.
- What is the applicable legal framework?
The legal basis for this processing operation is Council Regulation 2017/1939 (the ‘EPPO Regulation’). The EPPO processes the ‘operational’ personal data that you provided in accordance with Chapter VIII of the EPPO Regulation, for the performance of its tasks.
- What personal data do we collect?
For the process of submission of the webform, the EPPO only collects the personal data that you voluntarily provide in the form.
You are invited to complete the web form with information that can help the EPPO to assess its competence to open an investigation. This includes your personal data (such as name, document number and contact details) as well as data of other data subjects involved in the reported crime.
- How do we protect your personal data?
In order to protect your personal data, a number of technical and organisational measures have been put in place. Technical measures include appropriate actions to address online security, risk of data breach, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the data being processed.
Organisational measures include restricting access to the data to authorised persons with a legitimate need to know for the purposes of this processing operation.
- Who has access to your personal data?
Only members of the EPPO staff who have been specifically authorised to assess whether the submitted information fall within the competence of the EPPO have access to your personal data at that stage.
In addition, in accordance with the EPPO Regulation, the information that you submit may be used for the investigation, prosecution or cooperation with third parties, in the course of the EPPO’s fulfilment of its tasks. This includes that your data may be transferred to the relevant authorities in Member States or to other EU institutions, bodies offices and agencies, if those facts fall within their respective competence. For example, the EPPO may transfer to a Member State’s competent authority information relating to a criminal offence not affecting the EU's financial interests (Article 24(8) EPPO Regulation). This may however also include the transfers to authorities or parties outside of the Union, under the safeguards and as outlined in the EPPO Regulation.
Lastly, as the EPPO conducts its investigations and prosecutions in the courts of the Member States, as well as subject to the respective criminal procedural codes, your data if it becomes part of a case file may also be processed at national level by a number of authorities, all in the context of the EPPO investigation and / or prosecution – and impossible to all list exhaustively, considering the multitude of different scenarios – just like how your personal data may be processed by a national prosecution office if you report a crime nationally.
- How long do we keep your data?
The EPPO will not store personal data for longer than necessary for the purposes for which it has been collected. The EPPO will, therefore, review periodically the need for the storage of operational personal data, pursuant to Article 50 of the EPPO Regulation.
If the reported facts fall manifestly outside of its competence, the EPPO will cease storing the operational personal data that you provided.
The assessment of the reported information will be conducted without undue delay. In any event, unless your submission leads to the opening of an EPPO investigation, your personal data will not be stored for longer than 6 months after receipt by the EPPO.
Should your submission fall outside of the EPPO competence, for system security, statistical and auditing purposes, the EPPO may keep a log with your name, registration number, the date of your submission, and the record of the action taken by the EPPO. This will be stored for a period of 3 years and Regulation (EU) 2018/1725 applies to this processing operation.
- What are your rights and how can you exercise them, and other questions?
You have the right to request access to, rectification, erasure or restriction of processing of your personal data. Exceptions and restrictions based on the EPPO Regulation may apply.
Any request to exercise one of those rights, requests for assistance or other questions should be directed to the EPPO Data Protection Officer, by email (eppo-dpo@eppo.europa.eu) or by mail.
You may also exercise your rights indirectly through or submit a complaint to the European Data Protection Supervisor (edps@edps.europa.eu) or by mail.