Protecting personal data when being used by police and criminal justice authorities (from 2018)

Directive (EU) 2016/680 — protecting individuals with regard to the processing of their personal data by police and criminal justice authorities, and on the free movement of such data

It aims to better protect individuals’ personal data when their data is being processed by police and criminal justice authorities.
It also aims to improve cooperation in the fight against terrorism and cross-border crime in the EU by enabling police and criminal justice authorities in EU countries to exchange information necessary for investigations more efficiently and effectively.
The Data Protection Directive for Police and Criminal Justice Authorities is part of the EU data protection reform package along with the General Data Protection Regulation (Regulation (EU) 2016/679).

Key Points

The directive requires that the data collected by law enforcement authorities are:

processed lawfully and fairly;
collected for specified, explicit and legitimate purposes and processed only in line with these purposes;
adequate, relevant and not excessive in relation to the purpose in which they are processed;
accurate and updated where necessary;
kept in a form which allows identification of the individual for no longer than is necessary for the purpose of the processing;
appropriately secured, including protection against unauthorised or unlawful processing.

Time limits

EU countries must establish time limits for erasing the personal data or for a regular review of the need to store such data.

Individuals concerned (‘data subjects’)

The directive requires that the law enforcement authorities make a clear distinction between the data of different categories of persons including:

those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence;
those who have been convicted of a criminal offence;
victims of criminal offences or persons whom it is reasonably believed could be victims of criminal offences;
those who are parties to a criminal offence, including potential witnesses.

Information available or provided to data subject

Individuals have the right to have certain information made available to them by the law enforcement (i.e. data protection) authorities including:

the name and contact details of the competent authority which decides the purpose and means of the data processing;
why their data is being processed;
the right to launch a complaint with a supervisory authority and the contact details of the authority;
the existence of the right to request access to and correction or deletion of their personal data as well as the right to restrict processing of their personal data.


National authorities must take technical and organisational measures to ensure a level of security for personal data that is appropriate to the risk. Where data processing is automated, a number of measures must be put in place, including:

denying unauthorised persons access to equipment used for processing;
preventing the unauthorised reading, copying, changing or removal of data media;
preventing the unauthorised input of personal data and the unauthorised viewing, changing or deleting of stored personal data.

Application & Background

The directive replaces Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with effect from 6 May 2018.

It has applied since 5 May 2016. EU countries have to incorporate it into their national law by 6 May 2018.

European Commission press release;
‘Protection of personal data’ on the European Commission’s website.


Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89–131)


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1–88)


Important Notice! This website is provided for informational purposes only! It is a fundamental condition of the use of this website that no liability is accepted for any loss or damage caused by reason of any error, omission, or misstatement in its contents. 

Draft Articles; The articles on this website are in draft form and are subject to further review for typographical errors and, in some cases, updating and correction. It is intended to include references to the sources of materials and acknowledgements in the final version. The content of articles with [EU] in the title and some of the articles in the section on Agriculture are a reproduction of or are based on European or Irish public sector information.

Leave a Reply

Your email address will not be published. Required fields are marked *