How to request access to your personal data stored by Europol: a guide

This guide is for everyone who wishes to access personal data on them that is processed, or has been processed, by Europol. Access requests help us to understand the extent of the agency's data collection and processing activities, and increase scrutiny.

By EDRi · September 14, 2023

This guide is addressed to activists, lawyers and any other interested individuals who wish to access personal data on them or their clients that is processed, or has been processed, by Europol. It provides a brief overview of the political context, advice and information on the process of requesting one’s personal data, relevant resources and a template request.

This resource was created by Romain Lanneau, Statewatch () and Chloé Berthélémy, EDRi () with input from Chris Jones (Statewatch), Jesper Lund (IT-Pol), Caterina Rodelli (Access Now) and Laure Baudrihaye. We welcome feedback for its continuous improvement. Please contact us if you make use of this guide and submit a request for personal data to Europol. This could greatly help us in improving our advocacy work.

Content

  1. Political context
  2. Why it is important to file access requests
  3. Exercising the right to access at Europol: principles & tips
  4. Important information to know before filing a request
  5. Email template
  6. Potential responses by Europol & what they mean

Why access requests?

Europol’s powers have been constantly bolstered in the last decade which has led to it playing an increasing role in police activities and operations. Surveillance and repression of individuals and organisations have intensified at the European level. Access requests help us to understand the extent of the agency's data collection and processing activities, and increase scrutiny.

Political context

Europol is the European Union Agency for law enforcement cooperation. Its main mission is to receive, share and analyse information and data received from EU Member States’ national police authorities, international organisations such as Interpol, third countries and private companies. It does so to support national law enforcement authorities “in preventing and combating organised crime, terrorism and other forms of serious crime”.

Europol’s powers have been constantly bolstered in the last decade which has led to it playing an increasing role in police activities and operations. This includes the processing of data on political activities, travel passengers, as well as non-EU nationals. This means that surveillance and repression of individuals and organisations have intensified at the European level through the daily, extensive exchange of data among the agency and several European police and migration forces.

The impact of this is considerable and manifold: restriction on the right to free movement, bank account freezes, increased surveillance, more frequent identity checks, and the possibility of arrest and detention. Moreover, affected people are rarely informed that their data was transmitted to Europol and foreign authorities.

Europol is playing an active role in the increasing criminalisation of social movements, protests and community organising in Europe. As it relies on data mainly provided by national authorities, it integrates the policing objectives and strategies of Member States, thereby perpetrating abusive surveillance practices (e.g. targeting of social justice activists) and reproducing discriminatory bias through the use of data processing technologies.

This trend can be seen in agency’s frequent attempts to associate legitimate political activity with terrorism and violent extremism. Europol’s yearly ‘Terrorism Situation and Trend Report’ illustrates how Member States and Europol use an extensive definition of terrorism, particularly when it is applied to left-wing movements. For example, violent demonstrations, confrontations with police forces and direct action protest tactics are framed as terrorist acts instead of a public order issue. In its 2023 report, Europol admits that: ‘Variations in the number of terrorist attacks over the past three years are at least partially attributable to the fluctuating labelling of left-wing incidents by the reporting countries as terrorist attacks or extremist incidents.’

Why it is important to file access requests

  • Understanding the extent of the problem

We don’t know how many people are affected by Europol’s data collection, processing and sharing practices. Access requests can help us understand the circumstances in which national authorities deem it necessary to transfer someone’s personal data to Europol, and the reasons for doing so. If you have filed a request, and received a reply, please get in touch with us.

  • Increasing scrutiny of the agency

Europol as the EU’s police cooperation agency has received relatively little public scrutiny compared to its counterpart for border control, Frontex. This has allowed the agency to operate without much transparency, accountability or oversight. Access requests hold the agency accountable for its processing of people’s personal data, force it to justify the necessity and proportionality of such processing, and demonstrate people’s interest in enforcing their rights and contesting Europol’s surveillance.

  • Contesting unlawful dragnet practices by national investigative authorities and Europol

We fear that, with the new Europol mandate [read Statewatch’s report for further details] adopted in 2022, the agency will increasingly receive massive amounts of data, including from unlawful bulk collection operations which may also include data that does not fall within Europol’s mandate. It is important to know how frequently people’s data is unjustifiably transferred to Europol as part of a dragnet operation.

  • Obtaining disclosure from Europol on what data was collected and how it was processed for being used as evidence in criminal proceedings

Data access requests can help people who face criminal or other proceedings (e.g. migration related) obtain information necessary to prepare their defence (or application or appeal in migration proceedings). This is especially key in proceedings that appear to be based on investigations that involved cross-border European police and/or judicial cooperation or information exchange. Data access requests can help identify whether and how Europol contributed to the investigation, and help towards ensuring that these actions are subject to judicial scrutiny, in the same way that national police authorities’ activities are. These requests also ensure that the information was gathered and analysed within the applicable legal framework and can constitute reliable evidence.

Exercising the right to access at Europol: principles & tips

Article 80 of Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies provides the right to obtain information on whether one’s personal data is processed by Europol (see here the list of information that can be requested). There is no charge for exercising this right and there are no specific requirements on the format of a request (see below an email template).
In case :

  • you believe that Europol stores data relating to you because of your membership in a movement, or your participation in a specific event, we advise you to provide additional information while filing an access request. Relevant information to include could be about the time frame, the circumstances or the event that could have led a police authority to collect information about you and share it with Europol. This will aid the data protection officer at Europol in identifying your data in their systems, and save you time.
  • you or your lawyer believe that Europol participated in a criminal investigation into you, we advise you to include information about the prosecuting or investigating authority in your request, and, where relevant, the nature of the charges and the dates of the events that are being investigated.

Additional information can sometimes be important because if Europol cannot determine with certainty that personal data found in its systems matches you, they will not provide you the data . The European Data Protection Supervisor (EDPS) supports this approach to avoid interference with the rights and freedoms of others. The EDPS is the oversight body responsible for monitoring the Europol’s compliance with data protection law.

However, you must be aware of the potential negative consequences of disclosing this additional information to Europol as it identifies your political activities and could lead the police to further investigate you or link that information with an ongoing investigation (see “Important information to know before filling a request” below). The EDPS has instructed Europol that personal data in an access request can only be used for the purpose of responding to the request, and cannot be used for Europol’s operational analysis.

Furthermore, a second risk of restricting the scope of your request to a specific time frame is that Europol would not inform you about other instances where your data was collected, stored or processed.

You can strategically make parallel requests to national authorities. For example, where information processed by Europol is used in judicial proceedings and in case of no or delayed response from the agency, you may also try to get information about data exchanges between Europol and national authorities, and Europol’s involvement in an investigation, by relying on the right to access to information rights in judicial proceedings via national authorities.

Important information to know before filing a request

  • Be ready for a long process

Due to the consultation process between different authorities and the general reluctance of law enforcement to share information (in particular if it is politically sensitive), the process of filing an access request is slow. A recent case has shown that even when the EDPS takes up an individual’s case, Europol and national authorities are not particularly cooperative.

  • Will you get more attention from the police?

This risk largely depends on your individual situation vis à vis law enforcement authorities and the political situation in your country. It also depends on national police practices in relation to access requests.

  • Obtaining compensation ?

The possibility of getting compensated for unjustified processing of personal data by Europol is currently an open question before the Court of Justice of the European Union (CJEU). Depending on the final ruling in that ongoing case, it may be possible to seek compensation from both Europol and the national authority that provided the data.

Email template

Important: You must attach a copy of your ID or the information page on your passport to allow Europol to verify your identity. Information that is not necessary for confirming the identity of the data subject (e.g. photo and eye colour) can be redacted on the copy of the ID document, according to the EDPB Guidelines 01/2022 on access requests. In case the request is exercised on your behalf by a lawyer, you should also attach a letter of attorney. The request can be addressed by post or by email to the Data Protection Function of Europol [] with the subject line: “Data Subject Access Request”.

Dear Europol,

I would like to exercise my right to access my data.

I hereby request to know if Europol is storing my personal information or if they stored my personal information in the past and itcan still be found via a search in their archive.

If my data is being processed or was processed by Europol, I would like to know:
• the personal data processed;
• the purposes of and legal basis for the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations.
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with the European Data Protection Supervisor and their contact details;
• Any available information as to the origin/source of the personal data;

Kind regards,

[Your Name]

Responses by Europol & remedies

Europol will consult the provider of the data and any other relevant competent authority to decide whether or not to grant your request. If a Member State or the provider of the data objects to Europol’s proposed response, it notifies Europol of the reasons. Europol is required to take the “utmost account of any such objection” and inform the Member State or data provider of its final decision.

According to Europol, the decision is always taken on a case-by-case basis, and blanket restrictions of data subject rights (those are rights afforded to any natural person under EU’s data protection laws, such as the right to access) are not used. This also includes situations where the personal data originates from a Member State where national law (still) permits blanket restrictions.

Our experience shows that Europol is very protective of Member States’ investigative interests and thus is usually reluctant to grant access to data.

You may receive one of the two following responses:

1. No data to which you may have access

“There are no data concerning you at Europol to which you are entitled to have access in accordance with Article 36 of the Europol Regulation/Article 80 of Regulation 2018/1725.”

What does it mean?

It strongly indicates that Europol is indeed processing data related to you.

However, Europol considers that a partial or complete restriction on your right to access is justified by one or more of the following exceptions under Article 81 of Regulation 2018/1725;
• avoid obstructing official or legal inquiries, investigations or procedures;
• avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
• protect the public security of Member States;
• protect the national security of Member States;
• protect the rights and freedoms of others, such as victims and witnesses.

Europol is not obliged to explain to you why they refuse to grant your request if it invokes one of these exceptions (Article 81(2)).

However the use of any of these exceptions must be necessary and proportionate “in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned”.

You can contest the decision by filing a complaint, free of charge, with EDPS, as will be indicated in Europol’s decision. Europol must document the factual or legal reasons on which its decision is based, allowing the EDPS to assess the validity of these reasons.

You can also seek a judicial remedy before the CJEU. However, note that this procedure is costly and lengthy as it can take many years to complete. There are no court fees for proceedings before the CJEU but the Court does not meet the fees and expenses of the lawyer by whom you must be represented. You may apply for legal aid.

“There are no data concerning you which are processed at Europol.”

What does it mean?

It is likely that Europol is not processing data relating to you.

However, this does not exclude the possibility that your data was processed in the past and has since been deleted to comply with data protection rules or following a request from the national authority that shared your data.

Also, it is important to note that even though Europol might not be processing data about you, an authority of the state where you live, have previously lived or have visited might be doing so. Under EU law (Article 14 of the Law Enforcement Directive], you also have the right to access your personal data processed by national law enforcement authorities.

In response to an access request, Europol will only search databases for which they are the data controller. This does not include the large SIS II (Schengen Information System) database, for which an access request must be submitted to national law enforcement authorities.

Chloé Berthélémy

Chloé Berthélémy

Senior Policy Advisor

@ChloBemy