LeX-Ray

Europol was set up by Council Decision 2009/371/JHA ( 2 ) as an entity of the Union funded from the general budget of the Union to support and strengthen action by competent authorities of the Member States and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime affecting two or more Member States. Decision 2009/371/JHA replaced the Convention based on Article K.3 of the Treaty on European Union, on the establishment of a European Police Office (Europol Convention) ( 3 ) .

Article 88 of the Treaty on the Functioning of the European Union (TFEU) provides for Europol to be governed by a regulation to be adopted in accordance with the ordinary legislative procedure. It also requires the establishment of procedures for the scrutiny of Europol's activities by the European Parliament, together with national parliaments, subject to point (c) of Article 12 of the Treaty on European Union (TEU) and Article 9 of Protocol No 1 on the role of National Parliaments in the European Union, annexed to the TEU and to the TFEU (‘Protocol No 1’), in order to enhance the democratic legitimacy and accountability of Europol to the Union's citizens. Therefore, Decision 2009/371/JHA should be replaced by a regulation laying down, inter alia, rules on parliamentary scrutiny.

The ‘Stockholm programme — An open and secure Europe serving and protecting citizens’ ( 4 ) calls for Europol to evolve and become a hub for information exchange between the law enforcement authorities of the Member States, a service provider and a platform for law enforcement services. On the basis of an assessment of Europol's functioning, further enhancement of its operational effectiveness is needed to meet that objective.

Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to the safety and livelihood of its citizens. Available threat assessments show that criminal groups are becoming increasingly poly-criminal and cross-border in their activities. National law enforcement authorities therefore need to cooperate more closely with their counterparts in other Member States. In this context, it is necessary to equip Europol to better support Member States in Union-wide crime prevention, analyses and investigations. This was also confirmed in the evaluation of Decision 2009/371/JHA.

This Regulation aims to amend and expand the provisions of Decision 2009/371/JHA and of Council Decisions 2009/934/JHA ( 5 ) , 2009/935/JHA ( 6 ) , 2009/936/JHA ( 7 ) and 2009/968/JHA ( 8 ) implementing Decision 2009/371/JHA. Since the amendments to be made are of a substantial number and nature, those Decisions should, in the interests of clarity, be replaced in their entirety in relation to the Member States bound by this Regulation. Europol as established by this Regulation should replace and assume the functions of Europol as established by Decision 2009/371/JHA, which, as a consequence, should be repealed.

As serious crime often occurs across internal borders, Europol should support and strengthen Member States' actions and their cooperation in preventing and combating serious crime affecting two or more Member States. Given that terrorism is one of the most significant threats to the security of the Union, Europol should assist Member States in facing common challenges in this regard. As the Union law enforcement agency, Europol should also support and strengthen actions and cooperation in tackling forms of crime that affect the interests of the Union. Among the forms of crime with which Europol is competent to deal, organised crime will continue to fall within the scope of Europol's main objectives, as, given its scale, significance and consequences, it also calls for a common approach by the Member States. Europol should also offer support in preventing and combating related criminal offences which are committed in order to procure the means of perpetrating acts in respect of which Europol is competent or to facilitate or perpetrate such acts or to ensure the impunity of committing them.

Europol should provide strategic analyses and threat assessments to assist the Council and the Commission in laying down strategic and operational priorities of the Union for fighting crime and in the operational implementation of those priorities. Where the Commission so requests in accordance with Article 8 of Regulation 2013/1053 ( 9 ) , Europol should also carry out risk analyses, including in respect of organised crime, insofar as the risks concerned may undermine the application of the Schengen acquis by the Member States. Moreover, at the request of the Council or the Commission where appropriate, Europol should provide strategic analyses and threat assessments to contribute to the evaluation of states that are candidates for accession to the Union.

Attacks against information systems affecting Union bodies or two or more Member States are a growing menace in the Union, in particular in view of their speed and impact and the difficulty in identifying their sources. When considering requests by Europol to initiate an investigation into a serious attack of suspected criminal origin against information systems affecting Union bodies or two or more Member States, Member States should respond to Europol without delay, taking into account the fact that the rapidity of the response is a key factor in successfully tackling computer crime.

Given the importance of the inter-agency cooperation, Europol and Eurojust should ensure that necessary arrangements are established to optimise their operational cooperation, taking due account of their respective missions and mandates and of the interests of Member States. In particular, Europol and Eurojust should keep each other informed of any activity involving the financing of joint investigation teams.

When a joint investigation team is set up, the relevant agreement should determine the conditions relating to the participation of the Europol staff in the team. Europol should keep a record of its participation in such joint investigation teams targeting criminal activities falling within the scope of its objectives.

Europol should be able to request Member States to initiate, conduct or coordinate criminal investigations in specific cases where cross-border cooperation would add value. Europol should inform Eurojust of such requests.

Europol should be a hub for information exchange in the Union. Information collected, stored, processed, analysed and exchanged by Europol includes criminal intelligence which relates to information about crime or criminal activities falling within the scope of Europol's objectives, obtained with a view to establishing whether concrete criminal acts have been committed or may be committed in the future.

In order to ensure Europol's effectiveness as a hub for information exchange, clear obligations should be laid down requiring Member States to provide Europol with the data necessary for it to fulfil its objectives. While implementing such obligations, Member States should pay particular attention to providing data relevant to the fight against crimes considered to be strategic and operational priorities within relevant policy instruments of the Union, in particular the priorities set by the Council in the framework of the EU Policy Cycle for organised and serious international crime. Member States should also endeavour to provide Europol with a copy of bilateral and multilateral exchanges of information with other Member States on crime falling within Europol's objectives. When supplying Europol with the necessary information, Member States should also include information about any alleged cyber attacks affecting Union bodies located in their territory. At the same time, Europol should increase the level of its support to Member States, so as to enhance mutual cooperation and the sharing of information. Europol should submit an annual report to the European Parliament, to the Council, to the Commission and to national parliaments on the information provided by the individual Member States.

To ensure effective cooperation between Europol and Member States, a national unit should be set up in each Member State (the ‘national unit’). The national unit should be the liaison link between national competent authorities and Europol, thereby having a coordinating role in respect of Member States' cooperation with Europol, and thus helping to ensure that each Member State responds to Europol requests in a uniform way. To ensure a continuous and effective exchange of information between Europol and the national units, and to facilitate their cooperation, each national unit should designate at least one liaison officer to be attached to Europol.

Taking into account the decentralised structure of some Member States and the need to ensure rapid exchanges of information, Europol should be allowed to cooperate directly with competent authorities in Member States, subject to the conditions defined by Member States, while keeping the national units informed at the latter's request.

The establishment of joint investigation teams should be encouraged and Europol staff should be able to participate in them. To ensure that such participation is possible in every Member State, Council Regulation (Euratom, ECSC, EEC) No 549/69 ( 10 ) provides that Europol staff do not benefit from immunities while they are participating in joint investigation teams.

It is also necessary to improve the governance of Europol, by seeking efficiency gains and streamlining procedures.

The Commission and the Member States should be represented on the Management Board of Europol (the ‘Management Board’) to effectively supervise its work. The members and the alternate members of the Management Board should be appointed taking into account their relevant managerial, administrative and budgetary skills and knowledge of law enforcement cooperation. Alternate members should act as members in the absence of the member.

All parties represented on the Management Board should make efforts to limit the turnover of their representatives, with a view to ensuring the continuity of the Management Board's work. All parties should aim to achieve a balanced representation between men and women on the Management Board.

The Management Board should be able to invite non-voting observers whose opinion may be relevant for the discussion, including a representative designated by the Joint Parliamentary Scrutiny Group (JPSG).

The Management Board should be given the necessary powers, in particular to set the budget, verify its execution, and adopt the appropriate financial rules and planning documents, as well as adopt rules for the prevention and management of conflicts of interest in respect of its members, establish transparent working procedures for decision-making by the Executive Director of Europol, and adopt the annual activity report. It should exercise the powers of appointing authority vis-à-vis staff of the agency, including the Executive Director.

To ensure the efficient day-to-day functioning of Europol, the Executive Director should be its legal representative and manager, acting independently in the performance of his or her duties and ensuring that Europol carries out the tasks provided for by this Regulation. In particular, the Executive Director should be responsible for preparing budgetary and planning documents submitted for the decision of the Management Board and for implementing the multiannual programming and annual work programmes of Europol and other planning documents.

For the purposes of preventing and combating crime falling within the scope of its objectives, it is necessary for Europol to have the fullest and most up-to-date information possible. Therefore, Europol should be able to process data provided to it by Member States, Union bodies, third countries, international organisations and, under stringent conditions laid down by this Regulation, private parties, as well as data coming from publicly available sources, in order to develop an understanding of criminal phenomena and trends, to gather information about criminal networks, and to detect links between different criminal offences.

To improve Europol's effectiveness in providing accurate crime analyses to the competent authorities of the Member States, it should use new technologies to process data. Europol should be able to swiftly detect links between investigations and common modi operandi across different criminal groups, to check cross-matches of data and to have a clear overview of trends, while guaranteeing a high level of protection of personal data for individuals. Therefore, Europol databases should be structured in such a way as to allow Europol to choose the most efficient IT structure. Europol should also be able to act as a service provider, in particular by providing a secure network for the exchange of data, such as the secure information exchange network application (SIENA), aimed at facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organisations. In order to ensure a high level of data protection, the purpose of processing operations and access rights as well as specific additional safeguards should be laid down. In particular, the principles of necessity and proportionality should be observed with regard to the processing of personal data.

Europol should ensure that all personal data processed for operational analyses are allocated a specific purpose. Nonetheless, in order for Europol to fulfil its mission, it should be allowed to process all personal data received to identify links between multiple crime areas and investigations, and should not be limited to identifying connections only within one crime area.

To respect the ownership of data and the protection of personal data, Member States, Union bodies, third countries and international organisations should be able to determine the purpose or purposes for which Europol may process the data they provide and to restrict access rights. Purpose limitation is a fundamental principle of personal data processing; in particular, it contributes to transparency, legal certainty and predictability and is particularly of high importance in the area of law enforcement cooperation, where data subjects are usually unaware when their personal data are being collected and processed and where the use of personal data may have a very significant impact on the lives and freedoms of individuals.

To ensure that data are accessed only by those needing access in order to perform their tasks, this Regulation should lay down detailed rules on different degrees of right of access to data processed by Europol. Such rules should be without prejudice to restrictions on access imposed by data providers, as the principle of ownership of data should be respected. In order to increase efficiency in the prevention and combating of crimes falling within the scope of Europol's objectives, Europol should notify Member States of information which concerns them.

To enhance operational cooperation between the agencies, and particularly to establish links between data already in the possession of the different agencies, Europol should enable Eurojust and the European Anti-Fraud Office (OLAF) to have access, on the basis of a hit/no hit system, to data available at Europol. Europol and Eurojust should be able to conclude a working arrangement ensuring, in a reciprocal manner within their respective mandates, access to, and the possibility of searching, all information that has been provided for the purpose of cross-checking in accordance with specific safeguards and data protection guarantees provided for in this Regulation. Any access to data available at Europol should, by technical means, be limited to information falling within the respective mandates of those Union bodies.

Europol should maintain cooperative relations with other Union bodies, authorities of third countries, international organisations and private parties, to the extent required for the accomplishment of its tasks.

To ensure operational effectiveness, Europol should be able to exchange all relevant information, with the exception of personal data, with other Union bodies, authorities of third countries and international organisations, to the extent necessary for the performance of its tasks. Since companies, firms, business associations, non-governmental organisations and other private parties hold expertise and information of direct relevance to the prevention and combating of serious crime and terrorism, Europol should also be able to exchange such information with private parties. To prevent and combat cybercrime, as related to network and information security incidents, Europol should, pursuant to the applicable legislative act of the Union laying down measures to ensure a high common level of network and information security across the Union, cooperate and exchange information, with the exception of personal data, with national authorities competent for the security of network and information systems.

Europol should be able to exchange relevant personal data with other Union bodies to the extent necessary for the accomplishment of its or their tasks.

Serious crime and terrorism often have links beyond the territory of the Union. Europol should therefore be able to exchange personal data with authorities of third countries and with international organisations such as the International Criminal Police Organisation — Interpol to the extent necessary for the accomplishment of its tasks.

All Member States are affiliated to Interpol. To fulfil its mission, Interpol receives, stores and circulates data to assist competent law enforcement authorities to prevent and combat international crime. Therefore, it is appropriate to strengthen cooperation between Europol and Interpol by promoting an efficient exchange of personal data whilst ensuring respect for fundamental rights and freedoms regarding the automatic processing of personal data. When personal data is transferred from Europol to Interpol, this Regulation, in particular the provisions on international transfers, should apply.

To guarantee purpose limitation, it is important to ensure that personal data can be transferred by Europol to Union bodies, third countries and international organisations only if necessary for preventing and combating crime that falls within Europol's objectives. To this end, it is necessary to ensure that, when personal data are transferred, the recipient gives an undertaking that the data will be used by the recipient or transferred onward to a competent authority of a third country solely for the purpose for which they were originally transferred. Further onward transfer of the data should take place in compliance with this Regulation.

Europol should be able to transfer personal data to an authority of a third country or an international organisation on the basis of a Commission decision finding that the country or international organisation in question ensures an adequate level of data protection (‘adequacy decision’), or, in the absence of an adequacy decision, an international agreement concluded by the Union pursuant to Article 218 TFEU, or a cooperation agreement allowing for the exchange of personal data concluded between Europol and the third country prior to the entry into force of this Regulation. In light of Article 9 of Protocol No 36 on transitional provisions, annexed to the TEU and to the TFEU, the legal effects of such agreements are to be preserved until those agreements are repealed, annulled or amended in the implementation of the Treaties. Where appropriate and in accordance with Regulation 2001/45 ( 11 ) , the Commission should be able to consult the European Data Protection Supervisor (EDPS) before and during the negotiation of an international agreement. Where the Management Board identifies an operational need for cooperation with a third country or an international organisation, it should be able to suggest to the Council that the latter draw the attention of the Commission to the need for an adequacy decision or for a recommendation for the opening of negotiations on an international agreement as referred to above.

Where a transfer of personal data cannot be based on an adequacy decision, an international agreement concluded by the Union or an existing cooperation agreement, the Management Board, in agreement with the EDPS, should be allowed to authorise a set of transfers, where specific conditions so require and provided that adequate safeguards are ensured. The Executive Director should be allowed to authorise the transfer of data in exceptional cases on a case-by-case basis, where such transfer is required, under specific strict conditions.

Europol should be able to process personal data originating from private parties and private persons only if those data are transferred to Europol by one of the following: a national unit in accordance with its national law; a contact point in a third country or an international organisation with which there is established cooperation through a cooperation agreement allowing for the exchange of personal data concluded in accordance with Article 23 of Decision 2009/371/JHA prior to the entry into force of this Regulation; an authority of a third country or an international organisation which is subject to an adequacy decision or with which the Union has concluded an international agreement pursuant to Article 218 TFEU. However, in cases where Europol receives personal data directly from private parties and the national unit, contact point or authority concerned cannot be identified, Europol should be able to process those personal data solely for the purpose of identifying those entities, and such data should be deleted unless those entities resubmit those personal data within four months after the transfer takes place. Europol should ensure by technical means that, during that period, such data would not be accessible for processing for any other purpose.

Taking into account the exceptional and specific threat posed to the internal security of the Union by terrorism and other forms of serious crime, especially when facilitated, promoted or committed using the internet, the activities that Europol should undertake on the basis of this Regulation, stemming from its implementation of the Council Conclusions of 12 March 2015 and the call by the European Council of 23 April 2015 in relation especially to those priority areas, in particular the corresponding practice of direct exchanges of personal data with private parties, should be evaluated by the Commission by 1 May 2019.

Any information which has clearly been obtained in obvious violation of human rights should not be processed.

Data protection rules at Europol should be strengthened and should draw on the principles underpinning Regulation 2001/45 to ensure a high level of protection of individuals with regard to the processing of personal data. As Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, attached to the TEU and the TFEU, recognises the specificity of personal data processing in the law enforcement context, the data protection rules of Europol should be autonomous while at the same time consistent with other relevant data protection instruments applicable in the area of police cooperation in the Union. Those instruments include, in particular, Directive 2016/680 ( 12 ) , as well as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe and its Recommendation No R(87) 15 ( 13 ) .

Any processing of personal data by Europol should be lawful and fair in relation to the data subjects concerned. The principle of fair processing requires transparency of processing allowing data subjects concerned to exercise their rights under this Regulation. It should be possible nevertheless to refuse or restrict access to their personal data if, with due regard to the interests of the data subjects concerned, such refusal or restriction constitutes a necessary measure to enable Europol to fulfil its tasks properly, to protect security and public order or to prevent crime, to guarantee that a national investigation will not be jeopardised or to protect the rights and freedoms of third parties. To enhance transparency, Europol should make publicly available a document setting out in an intelligible form the applicable provisions regarding the processing of personal data and the means available to data subjects to exercise their rights. Europol should also publish on its website a list of adequacy decisions, agreements and administrative arrangements relating to the transfer of personal data to third countries and international organisations. Moreover, in order to increase Europol's transparency vis-à-vis Union citizens and its accountability, Europol should publish on its website a list of its Management Board members and, where appropriate, the summaries of the outcome of the meetings of the Management Board, while respecting data protection requirements.

As far as possible, personal data should be distinguished according to their degree of accuracy and reliability. Facts should be distinguished from personal assessments, in order to ensure both the protection of individuals and the quality and reliability of the information processed by Europol. In the case of information obtained from publicly available sources, particularly sources on the internet, Europol should as far as possible assess the accuracy of such information and the reliability of its source with particular diligence in order to address the risks associated with the internet as regards the protection of personal data and privacy.

Personal data relating to different categories of data subjects are processed in the area of law enforcement cooperation. Europol should make distinctions between personal data in respect of different categories of data subjects as clear as possible. Personal data concerning persons such as victims, witnesses and persons possessing relevant information, as well as personal data concerning minors, should in particular be protected. Europol should only process sensitive data if those data supplement other personal data already processed by Europol.

In the light of the fundamental right to the protection of personal data, Europol should not store personal data for longer than is necessary for the performance of its tasks. The need for continued storage of such data should be reviewed no later than three years after the start of its initial processing.

To guarantee the security of personal data, Europol and Member States should implement necessary technical and organisational measures.

Any data subject should have a right of access to personal data concerning him or her, a right to rectification if those data are inaccurate, and a right to erasure or restriction if those data are no longer required. The costs related to exercising the right of access to personal data should not represent a barrier to effectively exercising that right. The rights of the data subject and the exercise thereof should not affect the obligations incumbent upon Europol and should be subject to the restrictions laid down in this Regulation.

The protection of the rights and freedoms of data subjects requires a clear attribution of the responsibilities under this Regulation. In particular, Member States should be responsible for the accuracy of data, for keeping up to date the data they have transferred to Europol and for the legality of such data transfers. Europol should be responsible for the accuracy of data and for keeping up to date the data provided by other data suppliers or resulting from Europol's own analyses. Europol should ensure that data are processed fairly and lawfully, and are collected and processed for a specific purpose. Europol should also ensure that the data are adequate, relevant, not excessive in relation to the purpose for which they are processed, stored no longer than is necessary for that purpose, and processed in a manner that ensures appropriate security of personal data and confidentiality of data processing.

Europol should keep records of collection, alteration, access, disclosure, combination or erasure of personal data for the purposes of verifying the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security. Europol should be obliged to co-operate with the EDPS and to make logs or documentation available upon request, so that they can be used for monitoring processing operations.

Europol should designate a Data Protection Officer to assist it in monitoring compliance with this Regulation. The Data Protection Officer should be in a position to perform his or her duties and tasks independently and effectively, and should be provided with the necessary resources to do so.

Independent, transparent, accountable and effective structures for supervision are essential for the protection of individuals with regard to the processing of personal data as required by Article 8(3) of the Charter of Fundamental Rights of the European Union. National authorities competent for the supervision of the processing of personal data should monitor the lawfulness of personal data provided by Member States to Europol. The EDPS should monitor the lawfulness of data processing carried out by Europol, exercising his or her functions with complete independence. In this regard, the prior consultation mechanism is an important safeguard for new types of processing operations. This should not apply to specific individual operational activities, such as operational analysis projects, but to the use of new IT systems for the processing of personal data and any substantial changes thereto.

It is important to ensure strengthened and effective supervision of Europol and to guarantee that the EDPS can make use of appropriate law enforcement data protection expertise when he or she assumes responsibility for data protection supervision of Europol. The EDPS and national supervisory authorities should closely cooperate with each other on specific issues requiring national involvement and should ensure the consistent application of this Regulation throughout the Union.

In order to facilitate the cooperation between the EDPS and the national supervisory authorities, but without prejudice to the independence of the EDPS and his or her responsibility for data protection supervision of Europol, they should regularly meet within the Cooperation Board, which, as an advisory body, should deliver opinions, guidelines, recommendations and best practices on various issues requiring national involvement.

As Europol also processes non-operational personal data, unrelated to criminal investigations, such as personal data concerning staff of Europol, service providers or visitors, the processing of such data should be subject to Regulation 2001/45.

The EDPS should hear and investigate complaints lodged by data subjects. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The national supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period.

Any individual should have the right to a judicial remedy against a decision of the EDPS concerning him or her.

Europol should be subject to the general rules on contractual and non-contractual liability applicable to Union institutions, agencies and bodies, save as regards the rules on liability for unlawful data processing.

It may be unclear for the individual concerned whether damage suffered as a result of unlawful data processing is a consequence of action by Europol or by a Member State. Europol and the Member State in which the event that gave rise to the damage occurred should therefore be jointly and severally liable.

While respecting the role of the European Parliament together with national parliaments in the scrutiny of Europol's activities, it is necessary that Europol be a fully accountable and transparent internal organisation. To that end, in light of Article 88 TFEU, procedures should be established for the scrutiny of Europol's activities by the European Parliament together with national parliaments. Such procedures should be subject to point (c) of Article 12 TEU and to Article 9 of Protocol No 1, providing that the European Parliament and national parliaments are together to determine the organisation and promotion of effective and regular interparliamentary cooperation within the Union. The procedures to be established for the scrutiny of Europol's activities should take due account of the need to ensure that the European Parliament and the national parliaments stand on an equal footing, as well as the need to safeguard the confidentiality of operational information. However, the way in which national parliaments scrutinise their governments in relation to the activities of the Union is a matter for the particular constitutional organisation and practice of each Member State.

The Staff Regulations of Officials of the European Union (the ‘Staff Regulations’) and the Conditions of Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’) laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 ( 14 ) should apply to Europol staff. Europol should be able to employ staff from the competent authorities of the Member States as temporary agents whose period of service should be limited in order to maintain the principle of rotation, as the subsequent reintegration of such staff members into the service of their competent authority facilitates close cooperation between Europol and the competent authorities of the Member States. Member States should take any measure necessary to ensure that staff engaged at Europol as temporary agents may, at the end of their term of service at Europol, return to the national civil service to which they belong.

Given the nature of the duties of Europol and the role of the Executive Director, the competent committee of the European Parliament should be able to invite the Executive Director to appear before it prior to his or her appointment, as well as prior to any extension of his or her term of office. The Executive Director should also present the annual report to the European Parliament and to the Council. Furthermore, the European Parliament and the Council should be able to invite the Executive Director to report on the performance of his or her duties.

To guarantee the full autonomy and independence of Europol, it should be granted an autonomous budget, with revenue coming essentially from a contribution from the general budget of the Union. The Union budgetary procedure should be applicable as far as the Union contribution and any other subsidies chargeable to the general budget of the Union are concerned. The auditing of accounts should be undertaken by the Court of Auditors.

Commission Delegated Regulation 2013/1271 ( 15 ) should apply to Europol.

Given their specific legal and administrative powers and their technical competences in conducting cross-border information-exchange activities, operations and investigations, including in joint investigation teams, and in providing facilities for training, the competent authorities of the Member States should be able to receive grants from Europol without a call for proposals in accordance with point (d) of Article 190(1) of Commission Delegated Regulation 2012/1268 ( 16 ) .

Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council ( 17 ) should apply to Europol.

Europol processes data that require particular protection as they include sensitive non-classified and EU classified information. Europol should therefore draw up rules on the confidentiality and processing of such information. The rules on the protection of EU classified information should be consistent with Council Decision 2013/488/EU ( 18 ) .

It is appropriate to evaluate the application of this Regulation regularly.

The necessary provisions regarding accommodation for Europol in The Hague, where it has its headquarters, and the specific rules applicable to all Europol's staff and members of their families should be laid down in a headquarters agreement. Furthermore, the host Member State should provide the necessary conditions for the smooth operation of Europol, including multilingual, European-oriented schooling and appropriate transport connections, so as to attract high-quality human resources from as wide a geographical area as possible.

Europol as established by this Regulation replaces and succeeds Europol as established by Decision 2009/371/JHA. It should therefore be the legal successor of all its contracts, including employment contracts, liabilities and properties acquired. International agreements concluded by Europol as established by Decision 2009/371/JHA and agreements concluded by Europol as established by the Europol Convention before 1 January 2010 should remain in force.

To enable Europol to continue to fulfil the tasks of Europol as established by Decision 2009/371/JHA to the best of its abilities, transitional measures should be laid down, in particular with regard to the Management Board, the Executive Director and staff employed under a contract of indefinite duration as a local staff member concluded by Europol as established by the Europol Convention, who should be offered the possibility of employment as a member of the temporary or contract staff under the Conditions of Employment of Other Servants.

The Council Act of 3 December 1998 ( 19 ) on Europol staff regulations has been repealed by Article 63 of Decision 2009/371/JHA. However, it should continue to apply to staff employed by Europol before the entry into force of Decision 2009/371/JHA. Therefore, transitional provisions should provide that contracts concluded in accordance with those staff regulations are to remain governed by them.

Since the objective of this Regulation, namely the establishment of an entity responsible for law enforcement cooperation at Union level, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

In accordance with Article 3 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, Ireland has notified its wish to take part in the adoption and application of this Regulation.

In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, and without prejudice to Article 4 of that Protocol, the United Kingdom is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

The EDPS has been consulted and issued an opinion on 31 May 2013.

This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data and the right to privacy as protected by Articles 8 and 7 of the Charter, as well as by Article 16 TFEU,