Author: Yael Wuhl
Committee: Cybersecurity Strategic Committee
Date: 12/05/2025

Privacy is currently a right enshrined in the Charter of Fundamental Rights of the European Union, particularly in Articles 7 and 8 [1]. Regulation (EU) 2016/679 [2], commonly known as the General Data Protection Regulation (GDPR), constitutes the principal legal framework for the protection of personal data within the European Union.

The GDPR grants individuals specific rights, imposes obligations on organizations, and provides for sanctions in the event of violations.

In the course of its investigative and prosecutorial activities, the European Public Prosecutor’s Office (EPPO) processes personal data to identify and prosecute crimes affecting the Union’s financial interests. This data processing must fully comply with the GDPR.

Chapter VIII of Regulation (EU) 2017/1939 [3], which established the EPPO, devotes considerable attention to the protection of personal data.

Throughout investigations, the EPPO must uphold the fundamental principles set out in the GDPR, including lawfulness, fairness, transparency, purpose and storage limitation, data minimization, accuracy, integrity, and confidentiality.

The EPPO may not process personal data for purposes incompatible with those for which they were originally collected, except under specific circumstances, such as processing for archival purposes in the public interest or for scientific research.

It processes personal data not only for investigative and prosecutorial (i.e., operational) purposes, but also for additional administrative purposes, including human resources, budgeting, and security. As such, two distinct legal frameworks apply.

The processing of operational personal data is governed by the EPPO Regulation, which allows for automated procedures [4].

This enables secure access to information on investigations and prosecutions by the central office and delegated European prosecutors.

The EPPO shall process operational personal data in such a way that it can be established which authority provided the data or where the data has been retrieved from [5].

It periodically reviews the necessity of retaining the operational personal data it has processed, conducting these reviews every three years, and in any case no later than five years after a final judgment—whether of acquittal or conviction [6].

The EPPO makes a clear distinction between the operational personal data of different categories of data subjects, such as convicted persons and victims [7].

It takes all reasonable measures to ensure that inaccurate, incomplete, or outdated operational personal data are neither transmitted nor made accessible.

If such data have been transmitted, or if data have been processed unlawfully, the recipient must be informed as soon as possible.

The data must then be rectified or deleted, or their processing must be restricted [8]. Particularly sensitive operational personal data—such as information revealing racial or ethnic origin, political opinions, or religious beliefs—receive heightened protection.

Their processing is permitted only when strictly necessary for investigative purposes and only if such data supplement other operational personal data already processed by the EPPO [9].

Protecting personal data means safeguarding the rights and freedoms of individuals, even in the context of investigations carried out under the direction of the European Public Prosecutor’s Office.

In order to increase its IT security capacity, and consequently the protection of the data it processes, in 2024 the EPPO improved its security capabilities, in line with the new Regulation (EU) 2023/2841 [10].

The development of its own cybersecurity systems, and of the assets protected by them, makes the EPPO a leading authority in the protection of personal data.

In conclusion, this is also reflected in the fact that, during 2024, the EPPO received a total of seven access requests or requests to exercise other data subject rights, relating to both operational and administrative personal data.

At the end of the year, the EDPS closed an open complaint from 2021, concluding that there had been no infringements by the EPPO [11].

[1] Charter of Fundamental Rights of the European Union, Articles 7 (‘Respect for private and family life’) and 8 (‘Protection of personal data’).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data (GDPR).

[3] Article 47, Regulation (EU) 2017/1939.

[4] Article 44, Regulation (EU) 2017/1939.

[5] Article 49, Regulation (EU) 2017/1939.

[6] Article 50, Regulation (EU) 2017/1939.

[7] Article 51, Regulation (EU) 2017/1939.

[8] Article 52, Regulation (EU) 2017/1939.

[9] Article 55, Regulation (EU) 2017/1939.

[10] EPPO Annual Report 2024 (p. 91).

[11] EPPO Annual Report 2024 (p. 104).