The European Data Protection Supervisor (EDPS) has instructed Europol to delete a large amount of information from its files. According to the watchdog, it did not meet the conditions regarding the period in which sensitive material may be stored.
This concerns explicitly data exchanged by the EU Member States on persons suspected of criminal activities, according to the EDPS. If no connection to criminal activity could be demonstrated within six months of receipt of the data, the data should not be retained. However, Europol is allowed to keep data that turns out to be related to criminal activities.
Following an investigation opened in 2019, the EDPS accuses Europol of violating its own regulations by retaining certain data for longer than necessary. The service issued a warning to Europol at the end of 2020 because it was storing large amounts of data without categorizing it. An appropriate retention period was also not set, which the EDPS is now doing himself.
The agency has now ordered the police to delete the data of these persons. Europol has twelve months to do this. The European Commission is satisfied with this period provided ‘by way of derogation’ by the EDPS and believes that it will give Europol ‘sufficient time’ to comply with the decision.