Protection of individuals with regard to the processing of operational personal data by Union bodies, offices and agencies in the fields of judicial cooperation in criminal matters and police cooperation
01020304050607
With the European Parliament, which is preparing its first-reading position.
Last active 23 Jun 2026
Track this billGet an email when the proposal moves: phase change, new document, or terminal outcome.
What this bill does
In plain terms: what it changes and who it affects.
It harmonises EU data-protection rules for operational personal data used in police and criminal-justice cooperation.
Who it affects
It affects people whose personal data is handled by EU law-enforcement and criminal-justice bodies, especially suspects, victims, witnesses, and other data subjects. It also affects Union bodies and agencies processing those data, including Europol, Eurojust, Frontex, and the EPPO.
Core of the proposal
- Extends common data-protection rules to operational data across affected EU bodies and agencies.
- Brings the EPPO under the shared framework, while allowing EPPO-specific rules to remain.
- Clarifies data-protection officer duties, record-keeping, logging, breach notices, and automated decision-making.
- Sets uniform rules for transfers of operational data to third countries and international organisations, under EDPS supervision.
Key provisions
- Takes effect
- It enters into force on the twentieth day after publication in the Official Journal; EPPO application starts on the date of the new EPPO Regulation's application.
- Transitional law
- The EPPO-specific application is deferred until the new EPPO Regulation becomes applicable; other bodies apply the changes on entry into force.
Articles changed · 16 across 1 law
- Regulation (EU) 2018/1725 (32018R1725)
- art. 2: replaces paragraph 2 and deletes paragraph 3, extending scope to operational personal data and EPPO
- art. 45(1): replaces points (d) to (f) on DPO tasks for operational personal data
- art. 66(1): extends EDPS administrative-fine powers to orders under Article 95a(3)
- art. 70: deletes obsolete Article 70
- art. 77(1): clarifies automated decisions on operational personal data
- art. 78(4): clarifies manifestly unfounded access requests and abusive use of access rights
- art. 87a: inserts new record-keeping rules for operational personal data
- art. 88(1): adds that logs may not be modified
- art. 88(3): requires logs to be communicated to national authorities for specific investigations
- art. 92(1): extends breach-notification deadline to 96 hours and raises the notification threshold
- art. 94: replaces general rules on transfers of operational personal data
- art. 94a: inserts transfers based on adequacy decisions
- art. 94b: inserts transfers subject to appropriate safeguards
- art. 94c: inserts derogations for specific transfer situations
- art. 94d: inserts direct transfers to third-country recipients in specific cases
- art. 95a: inserts EDPS supervision powers for operational personal data
Documents
1 recentSourcesOEILEUR-LexEU Law Tracker