Regulation (EU) 2016/794 of the European Parliament and of the CouncilDangos y teitl llawn

Article 18Purposes of information processing activities

1.In so far as is necessary for the achievement of its objectives as laid down in Article 3, Europol may process information, including personal data.

2.Personal data may be processed only for the purposes of:

(a)cross-checking aimed at identifying connections or other relevant links between information related to:

(b)analyses of a strategic or thematic nature;

(c)operational analyses;

(d)facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organisations.

3.Processing for the purpose of operational analyses as referred to in point (c) of paragraph 2 shall be performed by means of operational analysis projects, in respect of which the following specific safeguards shall apply:

(a)for every operational analysis project, the Executive Director shall define the specific purpose, categories of personal data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use of the data concerned, and shall inform the Management Board and the EDPS thereof;

(b)personal data may only be collected and processed for the purpose of the specified operational analysis project. Where it becomes apparent that personal data may be relevant for another operational analysis project, further processing of that personal data shall only be permitted insofar as such further processing is necessary and proportionate and the personal data are compatible with the provisions set out in point (a) that apply to the other analysis project;

(c)only authorised staff may access and process the data of the relevant project.

4.The processing referred to in paragraphs 2 and 3 shall be carried out in compliance with the data protection safeguards provided for in this Regulation. Europol shall duly document those processing operations. The documentation shall be made available, upon request, to the Data Protection Officer and to the EDPS for the purpose of verifying the lawfulness of the processing operations.

5.Categories of personal data and categories of data subjects whose data may be collected and processed for each purpose referred to in paragraph 2 are listed in Annex II.

6.Europol may temporarily process data for the purpose of determining whether such data are relevant to its tasks and, if so, for which of the purposes referred to in paragraph 2. The Management Board, acting on a proposal from the Executive Director and after consulting the EDPS, shall further specify the conditions relating to the processing of such data, in particular with respect to access to and use of the data, as well as time limits for the storage and deletion of the data, which may not exceed six months, having due regard to the principles referred to in Article 28.

7.The Management Board, after consulting the EDPS, shall, as appropriate, adopt guidelines further specifying procedures for the processing of information for the purposes listed in paragraph 2 in accordance with point (q) of Article 11(1).