Skip to main content
European Anti-Fraud Office

Legal framework for data protection

The main legal instrument establishing data protection requirements at OLAF is Regulation (EU) 2018/1725 which aligns the legal regime applicable to EU institutions with the legal regime established by Regulation 2016/679 applicable to EU Member States (GDPR). In addition, As required by the Art. 25 of the Regulation (EU)2018/1725, a Commission decision 2018/1962 has laid down OLAF’s internal rules on possible restriction of certain of data subject rights.  

The entry into force of the GDPR on 25 May 2018 did not modify the regime of free flow of data between the European institutions, national authorities and economic operators. The European Data protection supervisor has issued a specific clarification relating to the interactions in the field of the investigative activities of OLAF and other investigative services.

All relevant EU data protection legislation is presented below.

  • Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
  • Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
  • Commission Decision (EU) 2018/1962 of 11 December 2018 laying down internal rules concerning the processing of personal data by the European Anti-Fraud Office (OLAF) in relation to the provision of information to data subjects and the restriction of certain of their rights in accordance with Article 25 of Regulation (EU) 2018/1725 of the European Parliament and of the Council

Since the introduction of the first legislation on data protection, the EU courts have developed a body of caselaw interpreting various data protection provisions. A summary of the caselaw, elaborated by the European Court describes the main decisions in this area.