Data Protection in Law Enforcement Area Chapter 9a of the draft law EU Twinning Project Expert: Julia Antonova Project Activity: 1.3 Date: April 3, 2018 This project is funded by the European Union

TOPICS Introduction: what is the DPD What are are differences between the DPD and GDPR Draft law on data protection: structure and scope of application to the law eneforcement authorities Definition of the law enforcement authorities Main elementst of te draft Chapter 9a

Data Protection Directive Adopted in April 2016 together with the GDPR Date of implementation: May 6, 2018 Rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

GDPR vs DPD Different scope More possibilities for restrictions under the DPD – special nature of the law enforcement area Especially – possibilities to limit following rights of the data subject: Right to access Right to rectification Right to erasure Also limitations to information abut data breaches

Structure of the draft law (nr 133) Chapters 1 to 9 + 10 – general part (lex generalis) Chapter 9a – special part for law enforcement (lex specialis) General part is applicable to the law enforcement sector, taking into account derogations in Chapter 9a Chapter 9a is applicable only to the activities related to the law enforcement (meaning – administrative activities are subject to general rules)

Scope of Chapter 9a Chapters 1 to 9 + 10 – general part (lex generalis) Chapter 9a – special part for law enforcement (lex specialis) General part is applicable to the law enforcement sector, taking into account derogations in Chapter 9a Chapter 9a is applicable only to the activities related to the law enforcement (meaning – administrative activities are subject to general rules)

How does the law work? Law nr 133 – main law on data protection Important to remember: there are sectoral laws that have to be in line with law 133 law 133 refers to sectoral laws sectoral laws have to „implement“ law 133 in specific area Example: law 133 lays down general data protection rules, law on police say how police act in their work, incliding data processing

Definition of law enforcement authority (Article 3) law enforcement authority – in the meaning of this law is: A) a public authority or a subdivision of such authority, competent for the prevention, investigation, detection of criminal offences with the aim of conducting criminal proceedings, prosecution of criminal offences or execution of criminal penalties, including safeguarding against and the prevention of threats to public security, for example but not limited to police, prosecutor’s office bodies, customs, penitenciary institutions, bodies for preventing and figting corruption, money laundering, terrorism financing, recovery of criminal assets, probation bodies. B) a public authority or a subdivision of such authority acting in the area of national or state security, when carrying out special investigative measures.

When does Chapter 9a apply? (1) WHO? Controller ot processor is a law enforcement authority WHEN? Law enforcement authority processes data for law enforcement purposes, such as: prevention, investigation, detection and/or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public order; using special investigative measures in national or state security area

When does Chapter 9a apply? (2) When does NOT apply? Authority is not a law enforcement authority Law enforcement authority is carrying out other activities, such as: organisational tasks (statistics, journalistic purposes, research etc) administrative tasks (human resources, finance et) participating in administrative, disciplinary etc procedure (administrative fines, disciplinary measures, background checks etc) THEN GENERAL RULES APPLY!

Biggest differences Main differences from the general part – more possibilities for restictions and limitations Reason: need to balance interests of law enforcement with fundamentaal right to privacy Processing in the area of law enforcement is always considered to be „risky“ processing Reason: bigger risks to data subject rights

Basis for processing Law enforcement authority can only process data on the basis of law Article 482 Legal ground for processing has to come from specific law: police law, criminal procedure law, prisons law etc Important: law enforcement authority can not process data on the basis of contract, consent, legitimate interest, vital interests or legal obligation

Principles of processing (Almost) same principles as for other areas Lawfullness and fairness (NB! Transparency does not apply!) Purpose limitation Data minimization Accuracy Storage limitation Integrity and confidentiality

Important: time-limits Personal data shall be stored for limited time Always have to determine the time-limit Mostly: time-limit provided by specific law If the law does not provide: controller establishes the time limit (+ opinion of the Center) NB! After time-limit is over, data to be deleted!

Rights of the data subjects Data subjects have the right to: access data (Art 4811) Request rectification (Art 4813) Request deletion of data (Art 4813) NB! Where allowed by specific legislation, rights can be restricted, wholly or partially Restriction shall be applied only for as lõng as necessary Restriction has to be justifies, proportionate and necessary

Grounds for restrictions Articles Art 4812, Art 4813 (4) avoid obstructing official or legal inquiries, investigations or procedures; avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; protect public security; protect national security; protect state security; protect the rights and freedoms of others.

Data Protection breach Obligation to notify the Center about the personal data breach (Art 4815) Obligation to notify the data subject (Art 4816) – procedure in accordance with Article 332 Possibilities to limit notification of data subject (Art 4816 (2) and (3)

Logging (Art 4817) The law enforcement authority shall keep the logs for the following processing operations: collectin, recording, consultation, alteration, disclosure, printing, transfers, combinations and erasure Logs have to be made available to the Center

Supervision The NCPDP is the competent independent supervisory to supervise data processing by the law enforcement authorities Law enforcement authority has to cooperate with the NCPDP Law enforcement authorities have to provide information to the NCPDP in case the NCPDP is investigating a complaint or carrying out checks Information to data subject – limited

International transfers Articles 4820 -4822 Normally – either on the basis of decision by the Center or on basis of law (International agreements etc) Derogations for specific situations – Article 4821 (1)