Article 37Right to rectification, erasure and restriction
1.Any data subject having accessed personal data concerning him or her processed by Europol in accordance with Article 36 shall have the right to request Europol, through the authority appointed for that purpose in the Member State of his or her choice, to rectify personal data concerning him or her held by Europol if they are incorrect or to complete or update them. That authority shall refer the request to Europol without delay and in any case within one month of receipt.
2.Any data subject having accessed personal data concerning him or her processed by Europol in accordance with Article 36 shall have the right to request Europol, through the authority appointed for that purpose in the Member State of his or her choice, to erase personal data relating to him or her held by Europol if they are no longer required for the purposes for which they are collected or are further processed. That authority shall refer the request to Europol without delay and in any case within one month of receipt.
3.Europol shall restrict rather than erase personal data as referred to in paragraph 2 if there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. Restricted data shall be processed only for the purpose that prevented their erasure.
4.If personal data as referred to in paragraphs 1, 2 and 3 held by Europol have been provided to it by third countries, international organisations or Union bodies, have been directly provided by private parties or have been retrieved by Europol from publicly available sources or result from Europol's own analyses, Europol shall rectify, erase or restrict such data and, where appropriate, inform the providers of the data.
5.If personal data as referred to in paragraphs 1, 2 and 3 held by Europol have been provided to Europol by Member States, the Member States concerned shall rectify, erase or restrict such data in collaboration with Europol, within their respective competences.
6.If incorrect personal data have been transferred by another appropriate means or if the errors in the data provided by Member States are due to faulty transfer or transfer in breach of this Regulation or if they result from data being input, taken over or stored in an incorrect manner or in breach of this Regulation by Europol, Europol shall rectify or erase such data in collaboration with the provider of the data concerned.
7.In the cases referred to in paragraphs 4, 5 and 6, all addressees of the data concerned shall be notified forthwith. In accordance with the rules applicable to them, the addressees shall then rectify, erase or restrict those data in their systems.
8.Europol shall inform the data subject in writing without undue delay, and in any case within three months of receipt of a request in accordance with paragraph 1 or 2, that data concerning him or her have been rectified, erased or restricted.
9.Within three months of receipt of a request in accordance with paragraph 1 or 2, Europol shall inform the data subject in writing of any refusal of rectification, erasure or restricting, of the reasons for such a refusal and of the possibility of lodging a complaint with the EDPS and of seeking a judicial remedy.