Regulation (EU) 2016/794 of the European Parliament and of the CouncilShow full title

Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA

Article 38Responsibility in data protection matters

1.Europol shall store personal data in a way that ensures that their source, as referred to in Article 17, can be established.

2.The responsibility for the quality of personal data as referred to in point (d) of Article 28(1) shall lie with:

(a)the Member State or the Union body which provided the personal data to Europol;

(b)Europol in respect of personal data provided by third countries or international organisations or directly provided by private parties; of personal data retrieved by Europol from publicly available sources or resulting from Europol's own analyses; and of personal data stored by Europol in accordance with Article 31(5).

3.If Europol becomes aware that personal data provided pursuant to points (a) and (b) of Article 17(1) are factually incorrect or have been unlawfully stored, it shall inform the provider of those data accordingly.

4.Europol shall be responsible for compliance with the principles referred to in points (a), (b), (c), (e) and (f) of Article 28(1).

5.The responsibility for the legality of a data transfer shall lie with:

(a)the Member State which provided the personal data to Europol;

(b)Europol in the case of personal data provided by it to Member States, third countries or international organisations.

6.In the case of a transfer between Europol and a Union body, the responsibility for the legality of the transfer shall lie with Europol.

Without prejudice to the first subparagraph, where the data are transferred by Europol following a request from the recipient, both Europol and the recipient shall be responsible for the legality of such a transfer.

7.Europol shall be responsible for all data processing operations carried out by it, with the exception of the bilateral exchange of data using Europol's infrastructure between Member States, Union bodies, third countries and international organisations to which Europol has no access. Such bilateral exchanges shall take place under the responsibility of the entities concerned and in accordance with their law. The security of such exchanges shall be ensured in accordance with Article 32.