European Anti-Fraud Office

Legal framework for data protection

Legal framework for data protection

The main legal basis establishing data protection requirements at OLAF is Regulation (EU) 2018/1725, the Data Protection Regulation for European institutions, bodies and agencies.
A list of all relevant EU data protection legislation is available, with links to the legislation.

In accordance with Regulation 45/2001 (in force until 11 December 2018), Article 28(2) of the Data Protection Regulation required the Commission to consult the EDPS before adopting a legislative proposal relating to the protection of individuals' rights and freedoms with regard to the processing of personal data. The EDPS has issued several opinions under this provision with regard to OLAF legislation, which may be accessed through the list providing links to the opinions.

Under the period of application of Regulation 45/2001 a body of caselaw of the EU courts has developed interpreting various data protection provisions. A summary of the caselaw describes the main decisions of the courts in this area. The decisions themselves may be accessed through the lists for each of the EU courts: 

Legislative acts

Legal basis for data protection

The main legal instrument establishing data protection requirements at OLAF is Regulation (EU) 2018/1725 which aligns the legal regime applicable to EU institutions with the legal regime established by Regulation 2016/679 applicable to EU Member states (GDPR).
The entry into force of the GDPR on 25 May 2018 did not modify the regime of free flow of data between the European institutions, national authorities and economic operators. The European Data protection supervisor has issued a specific clarification relating to the interactions in the field of the investigative activities of OLAF and other investigative services.

All relevant EU data protection legislation is presented below.

  • Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/ECText with EEA relevance.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General DataProtection Regulation) (Text with EEA relevance)
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
  • Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA

EDPS opinions on OLAF legislative proposals

The Commission has to consult the EDPS before adopting a legislative proposal relating to the protection of individuals' rights and freedoms with regard to the processing of personal data. The EDPS has issued several opinions with regard to OLAF legislation.

Legislative proposal

 EDPS case number

EDPS opinon(s)

Proposal to amend Regulation 1073/99

C-2006/233

I - 27.10.2006
II – 21.1.2011
III – 1.6.2011

Proposal to amend Regulation 515/97

 C-2006/294

I – 22.2.2007

Proposal for Regulation on mutual administrative assistance

C-2006/293

I- 22.10.2004
II – 13.11.2006

Caselaw

Court of Justice decisions

Date

Case

Case number

21.12.2016

Tele2 Sverige AB

C-203/15

19.10.2014

Patrick Breyer v. Germany

C-582/14

06.10.2015

Schrems

C-362/14

01.10.2015

Weltimmo

C-230/14

16.07.2015

ClientEarth

C-165/13P

11.12.2014

Rynes v. Urad pro ochranu osobnich udaju

C-212/13

17.10.2014

Schwarz v. Bochum

C-291/12

17.7.2014

Minister voor Immigratie v. M,

C-141/12 and C-372/12

13.5.2014

Google Spain SL v. AEPD (the DPA) &  Maria Costeja Gonzalez

C-131/12

8.4.2014

Commission v. Hungary

C-288/12

8.4.2014

Digital Rights Ireland Ltd. v. Ireland

C-293/12

12.12.2013

X

C-486/12

30.5.2013

Worten-Equipamentos para o Lar SA v. ACT

C-342/12

22.11.2012

Probst v. mr.nexnet GmbH

C-119/12

16.10.2012

Commission v. Austria

C-614/10

19.4.2012

Bonnier Audio AB et al. v. Perfect Communication Sweden

C-461/10

24.11.2011

Asociacion Nacional de Establecimientos Financieros de Credito (ASNEF) and Federacion de Comercio Electronico y Marketing Directo (FECEMD) v. Administracion del Estado

C-468/10 and C-469/10

24.11.2011

Scarlet Extended SA v. Societe Belge des Auteurs, Compositeurs et Editeurs SCRL (SABAM)

C-70/10

9.11.2010

Volker und Markus Schecke GbR v. Land Hessen and Eifert v. Land Hessen and Bundesanstalt fur Landwirtschaft und Ernahrung

C-92/09 and C-93/09

29.6.2010

Commission v. Bavarian Lager Co

C-28/08P

9.3.2010

Commission v. Germany

C-518/07

7.5.2009

College van burgemeester en wethouders van Rotterdam v. Rijkeboer

C-553/07

19.2.2009

LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v. Tele2 Telecommunication GmbH

C-557/07

10.2.2009

Ireland v. Parliament and Council (data retention directive)

C-301/06

16.12.2008

Huber v. Germany

C-524/06

16.12.2008

Tietosuojavaltuutettu [Finnish DP ombudsman] v. Satakunnan Markkinaporssi Oy and Satamedia Oy

C-73/07

29.1.2008

Promusicae

C-275/06

30.5.2006

Parliament v. Council (PNR)

C-317/04 and 318/04

6.11.2003

Lindquist

C-101/01

20.5.2003

Rechnungshof v. Osterreichischer Rundfunk

C-465/00 and C-138/01

4.10.2001

Commission v. Luxembourg

C-450/00

General Court decisions

Date

Case

Case number

20.07.2016

Oikonomopoulos V. EC

T-483/13

28.3.2012

Egan & Hackett v. European Parliament

T-190/10

23.11.2011

Dennekamp v. European Parliament

T-82/09

7.7.2011

Jordana v. Commission

T-161/04

12.9.2007 

Nikolaou v. Commission

T-259/03

30.5.2006

Bank Austria Creditanstalt AG v Commission of the European Communities

T-198/03

18.2.2004

Esch-Leonhardt and Others v European Central Bank

T-320/02

Civil Service Tribunal decisions

Date

Case

Case number

5.7.2011

V v. European Parliament

F-46/09

11.5.2010

Nanopoulos v. Commission

F-30/08