APPENDIX 5
CHAPTER III RULES FOR THE USE OF ANALYSIS FILES AND ANALYSIS DATA
ARTICLE 12: OPENING FILES
1. Work files for analysis purposes shall
be opened on the initiative of Europol or at the request of the
Member States supplying the data, in accordance with the procedure
established in Article 12 of the Convention.
2. In accordance with Article 12(1) of the
Convention, the Joint Supervisory Body may forward its comments
in writing to the Management Board. The Management Board must
allow the Joint Supervisory Body a period of two months to perform
this task. A copy of the written observations shall be forwarded
to the Director of Europol.
The Management Board may invite representatives
of the Joint Supervisory Body to take part in its discussions
on the orders opening analysis work files.
3. In accordance with Article 12(2) of the
Convention, the Director of Europol must give reasons in writing
for the urgency of opening a file.
To that end, he must without fail inform the
members of the Management Board of the name, subject and purposes
of the file as well as any information needed to evaluate its
urgency.
Analysis activities may begin immediately after
the procedure laid down in Article 12(1) of the Convention has
been initiated, but the results may only be transmitted in so
far as the Management Board has given its approval in accordance
with the procedure laid down in Article 12(1) of the Convention.
In so far as the Management Board refuses to give its approval,
the data shall be deleted immediately.
In exceptional cases, the Director may authorise
the transmission of the results prior to the approval of the Management
Board, where this is considered to be absolutely necessary to
safeguard the essential interests of the Member States concerned
within the scope of the objective of Europol, or in the interest
of preventing a serious and imminent danger. In such cases, the
authorisation by the Director shall be laid down in a document,
which will be forwarded to the Management Board and the Joint
Supervisory Body.
4. If, during the course of an analysis,
it becomes necessary to amend the order opening the analysis work
file, the procedures outlined in Article 12 of the Convention
and this Article shall apply accordingly.
ARTICLE 13: TRANSMISSION OF DATA OR INFORMATION HELD IN ANALYSIS FILES
Transmission of personal data contained in analysis
files to any Member State or third party must be recorded in the
file concerned.
In collaboration with the Member State or third
party providing the data, Europol shall check where necessary
the latter's accuracy and consistency with the Convention no later
than at the time of transmission. As far as possible, in all communications
judicial decisions, as well as decisions not to prosecute, should
be indicated and data based on opinions or personal assessments
checked in co-operation with the Member State or third party who
supplied the information before being communicated and their degree
of accuracy or reliability indicated.
The recipient Member State shall inform the
Member State transmitting the data, at its request, of the use
made of the data transmitted and the results subsequently obtained,
where the national legislation of the recipient Member State so
allows.
Should there be any restrictions on the use
of data under Article 17 of the Convention, these must be recorded
with the data, and the recipients of analysis results must be
informed thereof.
ARTICLE 14: CONTROL PROCEDURES
It must be ensured that the data security provisions
laid down in Article 25 of the Convention are met by drawing up
a security plan for data processing by Europol and by constantly
updating it in accordance with the assessed security risk to Europol.
The security plan has to be approved by the Management Board.
ARTICLE 15: USE AND STORAGE OF ANALYSIS DATA AND ANALYSIS RESULTS
1. All personal data and analysis results transmitted
from an analysis work file may only be used in accordance with
the purpose of the file or to combat other serious forms of crime,
and in accordance with any restrictions on use as specified by
a Member State on the basis of Article 17(2) of the Convention.
The data referred to in Article 5(2) may only be transmitted in
agreement with the Member State which supplied such data.
2. After the closure of an analysis work file,
all data contained in that file shall be stored by Europol in
a separate file, which shall only be accessible for the purposes
of internal or external control. Without prejudice to Article
21(5) of the Convention such data shall be kept for no longer
than three years after the closure of the file.
3. The results of an analysis work file may
only be stored by Europol in electronic form for a maximum period
of three years after the closure of the file concerned, provided
they are stored in a separate file, and no new data are added
to them. After this period the results may only be stored in the
form of a paper document.
4. In order to check the permissibility of retrievals
of personal data from the work files for the purposes of analysis,
for at least one in 10 retrievals a report shall be drawn up automatically
in accordance with Article 16 of the Convention.
The report shall contain a unique reference
number relating to the user identification, the date and time
of the retrieval and the identity of the person concerning whom
data were accessed and displayed, as well as to the analysis work
file from which the data were retrieved.
The use and deletion of the reports shall take
place in accordance with Article 16, second sentence of the Europol
Convention and any regulations based on the third sentence of
that Article.
5. In the order opening an analysis work file
it can be determined that more reports than specified in paragraph
4 must be drawn up, or that such reports must contain more data
than specified in paragraph 4, taking account of the regulations
based on Article 16, third sentence, of the Convention.
ARTICLE 16: COMBINATION OF FILES
1. Where it becomes apparent that information
contained in an analysis work file may also be relevant for different
analysis work files, the following procedures shall be followed:
(a) Where a complete combination of the information
in two files is proposed, a new file containing all the information
in both files shall be established in accordance with Article
12 of the Convention. The decision to combine the two files shall
be reached by all the participants in both the original files.
The participants in each of the original files shall decide whether
or not to close that file.
(b) Where all or some of the information in one
file is relevant to another file, the participants in the first
file shall decide whether or not this information should be transferred
to the second. Where the transfer results in a need to alter the
order opening either file, a new order shall be established in
accordance with Article 12 of the Convention to govern that file.
The participants in each of the original files shall also decide
whether or not to close that file.
2. In the instances mentioned in the first paragraph,
the time limits for the review of data transferred from one analysis
work file to another shall not be affected by such transfer.
ARTICLE 17: NEW TECHNICAL MEANS
New technical means for processing data for
analysis purposes may be introduced only if all reasonable measures
for ensuring that their use is consistent with the rules on the
protection of personal data applicable to Europol have been adopted.
The Director of Europol shall consult beforehand with the Joint
Supervisory Body in all cases where the introduction of such technical
means raises problems for the application of these data protection
rules.
CHAPTER IV FINAL PROVISIONS
ARTICLE 18: ENTRY INTO FORCE
These rules shall enter into force . . .
Within three years after the entry into force
of these rules, they will be evaluated under the supervision of
the Management Board.
ARTICLE 19: REVIEW OF THE RULES
Any proposals for amendments to these rules
shall be considered by the Management Board with a view to their
adoption by the Council in accordance with the procedure provided
in article 10(1) of the Convention.
EUROPOL 17
CONFIDENTIALITY REGULATIONS
CHAPTER 1: DEFINITIONS AND SCOPE
ARTICLE 1: DEFINITIONS
For the purposes of these regulations,
(a) "processing of information" ("processing")
means any operation or set of operations which is performed on
personal or non-personal data, whether or not by automated means,
such as collection, recording, organisation, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction;
(b) "Convention" means the Convention
based on Article K.3 of the Treaty on European Union, on the establishment
of a European Police Office (Europol Convention);
(c) "third party" means a third
State or body as mentioned in Article 10(4) of the Convention;
(d) "Europol Security Committee"
means the Committee consisting of representatives of the Member
States and Europol described in Article 3 of these regulations;
(e) "Europol Security Coordinator"
means the Deputy Director of Europol to whom the Director, in
pursuance of article 29.2 of the Convention, assigns, alongside
his other tasks, the function of coordination and control in matters
of security;
(f) "Europol Security Officer"
means the Europol officer appointed by the Director mentioned
under (e) of this article and responsible for security issues
in accordance with Article 5 of these regulations;
(g) "Security Manual" means the
manual implementing these regulations, to be established in accordance
with Article 6 of these regulations.
(h) "Security level" means a security
marking of Europol 1, 2, 3 assigned to a document processed by
or through Europol as mentioned in Article 8 of these regulations.
(i) "Security package" means a
specified combination of security measures to be applied to information
subject to a Europol security level as mentioned in Article 8
of these regulations.
(j) "Basic protection level" means
the level of protection which will be applied to all information
processed by or through Europol, except information which is expressly
marked or is clearly recognisable as being public information,
as mentioned in Article 8.1 of these regulations.
ARTICLE 2: SCOPE
1. This regulation establishes the security
measures to be applied to all information which is processed
by or through Europol within its organisation.
2. The Member States undertake to ensure
that such information shall, within their territory, receive a
level of protection which is equivalent to the level of protection
offered by these measures.
3. Electronic links between Europol and
the national units of the Member States shall provide a level
of protection which is equivalent to the level offered by these
measures. A common standard for these electronic links shall be
approved unanimously by the Security Committee after consultation
of competent authorities of Member States.
4. The annex to this regulation shows an
overview of the Europol security levels, as mentioned in article
8, and the equivalent markings currently applied by the Member
States to information subject to these security levels. When a
Member State informs the other Member States and Europol about
any changes of the national provisions on security levels or of
the equivalent markings, Europol will elaborate a revised version
of the above-mentioned overview. At least once a year the Europol
Security Committee shall examine if the overview is up-to-date.
CHAPTER II: SECURITY RESPONSIBILITIES
ARTICLE 3: EUROPOL SECURITY COMMITTEE
1. There shall be a Europol Security Committee,
consisting of representatives of the Member States and of Europol,
which shall meet at least once a year.
2. The Europol Security Committee shall
have as its task to advise the Management Board and Director of
Europol on issues relating to security policy and including the
application of the security manual.
3. The Europol Security Committee shall
establish its rules of procedure. The meetings of the Europol
Security Committee shall be chaired by the Security Coordinator.
ARTICLE 4: SECURITY COORDINATOR
1. The Security Coordinator shall have general
responsibility for all issues relating to security, including
the security measures laid down in these regulations and the Security
Manual. He shall monitor the enforcement of security provisions
and inform the Director of all breaches of security, who shall,
in serious cases, inform the Management Board. If such a breach
risks compromising the interests of a Member State, this Member
State shall also be informed.
2. The Security Coordinator shall be directly
answerable to the Director of Europol.
ARTICLE 5: SECURITY OFFICER
1. The responsibility for the practical
implementation of the security measures laid down in these regulations
and in the Security Manual shall lie with the Security Officer
of Europol, who will be directly answerable to the Security Coordinator.
The specific tasks of the Security Officer shall be:
(a) the management of the Security Unit of
Europol;
(b) instructing, assisting and advising Europol
staff and liaison officers on their duties under these regulations
and the Security Manual;
(c) enforcing security provisions, investigating
breaches of such provisions and reporting on them as soon as possible
to the Security Coordinator;
(d) continuous review of the adequacy of
security measures on the basis of threat assessments. To this
end he shall report to the Security Coordinator as a rule at least
once a month and, in exceptional cases, whenever it is deemed
necessary and he shall make observations and suggestions;
(e) tasks assigned to him under these regulations
or the Security Manual;
(f) other tasks assigned to him by the Security
Coordinator.
2. The Security Officer must be security
cleared to the highest level under the regulations applicable
in the Member State of which he is a national.
ARTICLE 6: SECURITY MANUAL, PROCEDURE AND CONTENTS
1. The Security Manual shall be adopted
by the Management Board after consultation with the Security Committee.
2. The Security Manual shall contain:
(a) Detailed rules on the security measures
providing for a basic protection level as mentioned in Article
8 §1 of this regulation, based on Articles 25 and 32, §2,
of the Convention and taking Article 31, §3, of the Convention
into account, to be applied within the Europol organisation;
(b) detailed rules on the security measures
associated with the different Europol security levels and the
corresponding security packages mentioned in Article 8, §2
and §3.
3. Amendments to the Security Manual shall
be adopted in accordance with the procedure outlined in paragraph
1.
4. For the Europol Computer System and any
other computer systems employed at Europol used to process protectively
marked information, a System Specific Security Requirement shall
be adopted and amended in accordance with the procedure outlined
in paragraph 1. This System Specific Security Requirement has
to comply with relevant provisions of the Security Manual.
ARTICLE 7: OBSERVANCE
The security measures laid down in this regulation
and in the Security Manual shall be observed by all Europol staff
and liaison officers, as well as any other person under a particular
obligation of discretion or confidentiality.
CHAPTER III GENERAL PRINCIPLES
ARTICLE 8: BASIC PROTECTION LEVEL, SECURITY LEVELS
AND SECURITY PACKAGES
1. All information processed by or through
Europol, except information which is expressly marked or is clearly
recognisable as being public information, shall be subject to
a basic protection level within the Europol organisation as well
as in the Member States. Information which is only subject to
the basic protection level shall not require a specific marking
of a Europol security level, but should be designated as Europol
information.
2. In accordance with Article 2 §2,
the Member States shall ensure the application of the basic protection
level mentioned in §1, by a variety of measures in accordance
with national legislation and regulations, including the obligation
of discretion and confidentiality, limiting access to information
to authorised personnel, data protection requirements as far as
personal data is concerned and general technical and procedural
measures to safeguard the security of the information, taking
Article 25 §2 of the Convention into account.
3. Information requiring additional security
measures shall be subject to a Europol security level, which shall
be indicated by a specific marking. Information shall be assigned
such a security level only where strictly necessary and for
the time necessary.
4. The Europol security levels will be numbered
"Europol level 1 to 3":
(a) Europol 3: this level is applicable to
information the unauthorised circulation of which would result in extremely
serious harm to the essential interests of Europol, or of one
or more Member States,
(b) Europol 2: this level is applicable to
information the unauthorised circulation of which would result in very
serious harm to the essential interests of Europol, or of one
or more Member States,
(c) Europol 1: this level is applicable to
information the unauthorised circulation of which would result in serious
harm to the essential interests of Europol, or of one or more
Member States.
Each Europol security level shall relate to
a specific security package, to be applied within the Europol
organisation. The security packages shall offer different levels
of protection, depending on the content of the information, and
taking account of the detrimental effect unauthorised access,
dissemination or use of the information might have on the interests
of the Member States or Europol. The Europol levels 1 to 3 will, regarding
the security measures to be applied, correspond as far as
possible with existing international standards.
When information protectively marked at different
levels is gathered, the security level to be applied shall be
at least as high as the one of the information protected at the
highest level. Anyway, a group of information may be given a higher
protection level than that of each of its parts.
The translation of protectively marked documents
shall be subject to the same protection as the originals.
5. The security packages shall consist of
various measures of a technical, organisational or administrative
nature, as laid down in the Security Manual. They shall include
permitted usage of the information subject to Article 17 of the
Convention, from unrestricted use to no use without the originator's
consent.
ARTICLE 9: CHOICE OF SECURITY LEVEL
1. The Member State supplying information
to Europol shall be responsible for the choice of any appropriate
security level for such information in accordance with Article
8. The Member State shall, where necessary, mark the information
with a Europol security level as mentioned in Article 8 (4), when
supplying it to Europol.
2. In choosing any security level, Member
States shall take account of the classification of the information
under their national regulations, as well as the need for the
operational flexibility required for an adequate functioning of
Europol.
3. If Europol, on the basis of information
already in its possession, comes to the conclusion that the
choice of a security level needs amendment, including a possible
removal or addition of such a level, including the addition of
a security level to a document previously subject to the basic
protection level, it will inform the Member State concerned and
attempt to agree on an appropriate security level. Europol will
not specify, change, add or remove a security level without such
agreement.
4. Where information generated by Europol
is based upon or contains information supplied by a Member State,
Europol shall determine in agreement with the Member States concerned
whether the basic protection level will be sufficient or whether
the application of a Europol security level is required.
5. Where information is generated by Europol
itself, and such information is not based upon nor contains information
supplied by a Member State, Europol shall determine any appropriate
security level for such information, using criteria laid down
by the Security Committee. Where necessary, Europol shall mark
the information accordingly.
6. The Member States and Europol shall,
where information also concerns the essential interests of another
Member State, consult that Member State on whether any security
level should be applied to that information and if so which security
level should be applied.
ARTICLE 10: AMENDMENT OF SECURITY LEVELS
1. A Member State which supplied the information
to Europol may at any time require an amendment of any chosen
security level, including a possible removal or addition of such
a level. Europol shall be obliged to remove, amend or add a security
level in accordance with the wishes of the Member State concerned.
2. The Member State concerned shall, as
soon as circumstances allow this, ask for amendment of any security
level to a lower one or its removal.
3. A Member State supplying information
to Europol may specify the time period for which the choice of
any security level will apply, and any possible amendments to
the security level after such period.
4. Where the choice of the basic protection
level or security level has been determined by Europol in accordance
with Article 9, paragraph 4, an amendment of the basic protection
or security level shall only be effected by Europol in agreement
with the Member States concerned.
5. Where the choice of the security level
has been determined by Europol in accordance with Article 9, paragraph
5, Europol may amend or remove the security level at any time
where this is deemed necessary.
6. Where information of which the security
level is amended in accordance with this Article has already been
supplied to other Member States, Europol shall be obliged to inform
the recipients of the change of security level.
ARTICLE 11: PROCESSING, ACCESS AND SECURITY CLEARANCE
1. Access to and possession of information
shall be restricted within the Europol organisation to those persons
who, by reason of their duties or obligations need to be acquainted
with such information or to handle it. Persons entrusted with
the processing of information shall have undergone any necessary
security clearance and shall further receive special training.
2. All persons that may have access to information
subject to a security level processed by Europol will be security
cleared in accordance with Article 31(2) of the Convention and
the Security Manual. The Security Coordinator shall, acting on
a proposal from the Security Officer, subject to the provisions
of the Security Manual, grant authorisation to those persons cleared
at the appropriate national level, who by reason of their duties,
or obligations, need to be acquainted with information subject
to a Europol security level. He shall also be responsible for
ensuring the implementation of paragraph 3.
3. No person shall have access to information
subject to a security level without having been security cleared
at the appropriate level. Exceptionally however, the Security
Coordinator may, after consultation of the Security Officer, give
a specific and limited authorisation to persons cleared at level
1 or 2 to have access to determined information of a higher level,
if, by reason of their duties or obligations, in a specific case,
they need to be acquainted with information subject to a higher
Europol security level.
4. Such authorisation shall not be granted
when a Member State, when supplying the information concerned,
has specified that the discretion provided to the Security Coordinator
by paragraph 3, shall not be exercised in relation to that information.
ARTICLE 12: THIRD PARTIES
When concluding agreements on confidentiality
with third parties in accordance with Article 18(6) of the Convention,
or agreements in accordance with Article 42 of the Convention,
Europol shall take account of the principles laid down in these
regulations and the Security Manual, which should be applied accordingly
to information exchanged with such third parties.
CHAPTER IV: FINAL PROVISIONS
ARTICLE 13: ENTRY INTO FORCE
These rules shall enter into force . . .
ARTICLE 14: REVIEW OF THE RULES
Any proposals for amendments to these rules
shall be considered by the Management Board with a view to their
adoption by the Council in accordance with the procedure provided
in Article 31(1) of the Convention.
NOTE
As mentioned in Article 2.4 Europol will elaborate
a revised version of this overview if notified of any changes
of national provisions. At least once a year the Europol Security
Committee shall examine whether the overview is up-to-date. Any
difficulties in applying the concept of equivalence in levels
of protection will be discussed between Member States and Europol
or collectively by the Security Committee. Similarly, the Security
Committee will consider the implications for the table of any
adjustment to Europol's Security packages, as set out in the Security
Manual.