(1)

Transnational criminal activities pose a significant threat to the internal security of the Union and call for a coordinated, targeted and adapted response. While national authorities operating on the ground are on the frontline in the fight against crime and terrorism, action at Union level is paramount to ensuring efficient and effective cooperation as regards the exchange of information. Furthermore, organised crime and terrorism, in particular, are emblematic of the link between internal and external security. Transnational criminal activities spread across borders and manifest themselves in organised crime and terrorist groups that engage in a wide range of increasingly dynamic and complex criminal activities. There is, therefore, a need for an improved legal framework to ensure that competent law enforcement authorities can prevent, detect and investigate criminal offences in a more efficient manner.

(2)

For the development of an area of freedom, security and justice, which is characterised by the absence of internal border controls, it is essential that competent law enforcement authorities in one Member State have, within the framework of the applicable Union and national law, the possibility to obtain equivalent access to the information available to their colleagues in another Member State. In that regard, competent law enforcement authorities should cooperate effectively and across the Union. Therefore, police cooperation on the exchange of relevant information for the purpose of preventing, detecting or investigating criminal offences is an essential component of the measures that underpin public security in an interdependent area without internal border controls. The exchange of information on crime and criminal activities, including terrorism, serves the overall objective of protecting the security of natural persons and safeguarding important interests of legal persons protected by law.

(3)

The majority of organised crime groups are present in more than three countries and are composed of members with multiple nationalities who engage in various criminal activities. The structure of organised crime groups is ever more sophisticated, with strong and efficient communication systems and cooperation between their members across borders.

(4)

To fight cross-border crime effectively, it is of paramount importance that competent law enforcement authorities swiftly exchange information and cooperate operationally with one another. Although cross-border cooperation between the competent law enforcement authorities has improved in recent years, certain practical and legal hurdles continue to exist. In that respect, Council Recommendation (EU) 2022/915 (2) will assist the Member States in further enhancing cross-border operational cooperation.

(5)

Some Member States have developed pilot projects to strengthen cross-border cooperation, focusing, for example, on joint patrols by police officers from neighbouring Member States in border regions. A number of Member States have also concluded bilateral or even multilateral agreements to strengthen cross-border cooperation, including the exchange of information. This Directive does not limit such possibilities, provided that the rules on the exchange of information set out in such agreements are compatible with this Directive where it applies. On the contrary, Member States are encouraged to exchange best practice and lessons learnt from such pilot projects and agreements and to make use of available Union funding in that regard, in particular from the Internal Security Fund, established by Regulation (EU) 2021/1149 of the European Parliament and of the Council (3).

(6)

The exchange of information between Member States for the purpose of preventing and detecting criminal offences is regulated by the Convention implementing the Schengen Agreement of 14 June 1985 (4), adopted on 19 June 1990, in particular Articles 39 and 46 thereof. Council Framework Decision 2006/960/JHA (5) partially replaced those provisions and introduced new rules for the exchange of information and intelligence between competent law enforcement authorities.

(7)

Evaluations, including those carried out under Council Regulation (EU) No 1053/2013 (6), have indicated that Framework Decision 2006/960/JHA is not sufficiently clear and does not ensure the adequate and rapid exchange of relevant information between Member States. Evaluations have also indicated that that Framework Decision is scarcely used in practice, in part due to the lack of clarity encountered in practice between the scope of the Convention implementing the Schengen Agreement and the scope of that Framework Decision.

(8)

Therefore, the existing legal framework should be updated with a view to eliminating discrepancies and to establishing clear and harmonised rules to facilitate and ensure the adequate and rapid exchange of information between the competent law enforcement authorities of different Member States and to allow the competent law enforcement authorities to adapt to the rapidly changing and expanding nature of organised crime, including in the context of the globalisation and digitalisation of society.

(9)

In particular, this Directive should cover the exchange of information for the purpose of preventing, detecting or investigating criminal offences, thereby fully superseding, in so far as such exchanges are concerned, Articles 39 and 46 of the Convention implementing the Schengen Agreement and providing the necessary legal certainty. In addition, the relevant rules should be simplified and clarified in order to facilitate their effective application in practice.

(10)

It is necessary to lay down harmonised rules governing the crosscutting aspects of the exchange of information between Member States under this Directive at different stages of an investigation, from the phase of gathering criminal intelligence to the phase of criminal investigation. Those rules should include the exchange of information through Police and Customs Cooperation Centres set up between two or more Member States on the basis of bilateral or multilateral arrangements for the purpose of preventing, detecting or investigating criminal offences. However, those rules should not include the bilateral exchange of information with third countries. The rules laid down in this Directive should not affect the application of rules of Union law on specific systems or frameworks for such exchanges, such as Regulations (EU) 2016/794 (7), (EU) 2018/1860 (8), (EU) 2018/1861 (9) and (EU) 2018/1862 (10) of the European Parliament and of the Council, Directives (EU) 2016/681 (11) and (EU) 2019/1153 (12) of the European Parliament and of the Council, and Council Decisions 2008/615/JHA (13) and 2008/616/JHA (14).

(11)

‘Criminal offence’ is an autonomous concept of Union law as interpreted by the Court of Justice of the European Union. For the purposes of this Directive, in the interest of effectively combating crime, ‘criminal offence’ should be understood as referring to any conduct punishable under the criminal law of the Member State that receives information, either pursuant to a request or pursuant to an own-initiative provision of information in accordance with this Directive, irrespective of the penalty that can be imposed in that Member State and irrespective of whether the conduct is also punishable under the criminal law of the Member State that provides information, without prejudice to the grounds for refusal of requests for information set out in this Directive.

(12)

This Directive is without prejudice to the Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on mutual assistance and cooperation between customs administrations (15) (Naples II).

(13)

Since this Directive does not apply to the processing of information in the course of an activity which falls outside the scope of Union law, activities concerning national security do not fall within the scope of this Directive.

(14)

This Directive does not govern the provision and use of information as evidence in judicial proceedings. In particular, it should not be understood as establishing a right to use the information provided in accordance with this Directive as evidence and, consequently, it does not affect any requirement provided for in the applicable law to obtain the consent of the Member State providing the information for such use. This Directive does not affect Union legal acts on evidence, such as a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings, Directive 2014/41/EU of the European Parliament and of the Council (16) and a Directive of the European Parliament and of the Council laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings. Consequently, even though they are not required to do so under this Directive, Member States providing information under this Directive should be allowed to consent, at the time of providing the information or thereafter, to the use of that information as evidence in judicial proceedings, including, where necessary under national law, through the use of instruments regarding judicial cooperation in force between the Member States.

(15)

All exchanges of information under this Directive should be subject to five general principles, namely the principles of availability, equivalent access, confidentiality, data ownership and data reliability. While those principles are without prejudice to the more specific provisions of this Directive, they should guide its interpretation and application where relevant. First, the principle of availability should be understood as indicating that relevant information available to the Single Point of Contact or the competent law enforcement authorities of one Member State should also be available, to the largest extent possible, to the Single Point of Contact or the competent law enforcement authorities of other Member States. However, that principle should not affect the application, where justified, of specific provisions of this Directive restricting the availability of information, such as those on the grounds for refusal of requests for information and on judicial authorisations, or of the obligation to obtain the consent of the Member State or third country that initially provided the information prior to sharing it. Second, pursuant to the principle of equivalent access, Member States should ensure that the access that the Single Point of Contact and the competent law enforcement authorities of other Member States have to relevant information is substantially the same as, and thus neither stricter nor less strict than, the access that their own Single Point of Contact and the competent law enforcement authorities have to that information, subject to the more specific provisions of this Directive. Third, the principle of confidentiality requires Member States to respect one another’s national rules on confidentiality when treating information marked as confidential that is provided to their Single Point of Contact or to their competent law enforcement authorities, by ensuring a similar level of confidentiality in accordance with the rules on confidentiality set out in national law. Fourth, pursuant to the principle of data ownership, information initially obtained from another Member State or from a third country should only be provided with the consent of and in accordance with the conditions imposed by that Member State or third country. Fifth, pursuant to the principle of data reliability, personal data that are found to be inaccurate, incomplete or no longer up to date should be erased or rectified or the processing of those data should be restricted, as appropriate, and any recipient of those data should be notified without delay.

(16)

In order to achieve the objective of facilitating and ensuring the adequate and rapid exchange of information between Member States, this Directive should provide the possibility for Member States to obtain information by addressing a request for information to the Single Point of Contact of other Member States, in accordance with certain clear, simplified and harmonised requirements. As regards the content of requests for information, this Directive should specify, in particular, in an exhaustive and sufficiently detailed manner and without prejudice to the need for a case-by-case assessment, the situations in which requests for information are to be considered urgent, the details they are to contain as a minimum and in which language they are to be submitted.

(17)

While the Single Points of Contact of each Member State should, in any event, be able to submit requests for information to the Single Point of Contact of another Member State, in the interest of flexibility, Member States should be allowed, in addition, to designate some of their competent law enforcement authorities, which might be involved in European cooperation, as designated law enforcement authorities for the purpose of submitting such requests to the Single Points of Contact of other Member States. Each Member State should submit to the Commission a list of its designated law enforcement authorities. Member States should inform the Commission where there are any changes to that list. The Commission should publish the lists online. In order for Single Points of Contact to be able to perform their coordinating functions under this Directive, it is, however, necessary that, where a Member State decides to allow some of its competent law enforcement authorities to submit requests for information to the Single Points of Contact of other Member States, that Member State makes its Single Point of Contact aware of all outgoing requests for information and of any communications relating thereto, by always putting its Single Point of Contact in copy. Member States should seek to limit the unjustified duplication of personal data to a strict minimum.

(18)

Time limits are necessary to ensure the rapid processing of requests for information submitted to a Single Point of Contact. Time limits should be clear and proportionate and take into account whether the request for information is to be considered as urgent and whether the request relates to directly accessible information or indirectly accessible information. In order to ensure compliance with the applicable time limits while allowing for a degree of flexibility, where objectively justified, it should only be possible, on an exceptional basis, to deviate from those time limits where, and in so far as, the competent judicial authority of the requested Member State needs additional time to decide on granting the necessary judicial authorisation. Such a need could arise, for example, because of the broad scope or the complexity of the matters raised by the request for information. In order to ensure, as far as possible, that time-critical opportunities to take action in specific cases are not missed, the requested Member State should provide any requested information as soon as it is held by the Single Point of Contact, even where that information is not the only information available that is relevant to the request. The rest of the requested information should be provided thereafter, as soon as it is held by the Single Point of Contact.

(19)

The Single Points of Contact should assess whether the information requested is necessary for and proportionate to achieving the purposes of this Directive and whether the explanation of the objective reasons justifying the request is sufficiently clear and detailed, so as to avoid the unjustified provision of information or the provision of disproportionate amounts of information.

(20)

In exceptional cases, it might be objectively justified for a Member State to refuse a request for information submitted to its Single Point of Contact. In order to ensure the effective functioning of the system created by this Directive in full compliance with the rule of law, those cases should be specified exhaustively and interpreted restrictively. However, the rules set out in this Directive place a strong emphasis on the principles of necessity and proportionality, thereby providing safeguards against any misuse of requests for information, including where it would entail manifest breaches of fundamental rights. The Member States, as an expression of their general due diligence, should therefore always verify the compliance of requests submitted to them under this Directive with the principles of necessity and proportionality and should refuse those requests they find to be non-compliant. Where the reasons for refusing the request relate only to parts of the information requested, the remaining information should be provided within the time limits set out in this Directive. In order to prevent unnecessary refusals of requests for information, the Single Point of Contact or the designated law enforcement authority of the requesting Member State, as applicable, should, on request, provide clarification or specifications that are needed to process the request for information. The applicable time limits should be suspended from the moment that the Single Point of Contact or, where applicable, the designated law enforcement authority of the requesting Member State receives the request for clarification or specifications. However, it should be possible to request clarification or specifications only where clarification or specifications are objectively necessary and proportionate such that without them the request for information would have to be refused for one of the reasons listed in this Directive. In the interest of effective cooperation, it should also remain possible to request necessary clarification or specifications in other situations, without this leading to the suspension of the time limits.

(21)

In order to allow for the necessary flexibility in view of operational needs that might vary in practice, this Directive should provide for two other means of exchanging information, in addition to requests for information submitted to the Single Points of Contact. The first one is the unsolicited provision of information by a Single Point of Contact or by a competent law enforcement authority to the Single Point of Contact or a competent law enforcement authority of another Member State without a prior request, namely the provision of information on its own initiative. The second one is the provision of information upon a request for information submitted either by a Single Point of Contact or by a competent law enforcement authority directly to a competent law enforcement authority of another Member State. In respect of both means of exchange of information, this Directive sets out only a limited number of minimum requirements, in particular on keeping the relevant Single Points of Contact informed and, as regards own-initiative provisions of information, the situations in which information is to be provided and the language to be used. Those requirements should also apply to situations in which a competent law enforcement authority provides information to the Single Point of Contact of its own Member State in order to provide that information to another Member State, such as where it is necessary to comply with the rules set out in this Directive on the language to be used when providing information.

(22)

The requirement of a prior judicial authorisation for the provision of information, where provided in national law, constitutes an important safeguard which should be respected. However, the Member States’ legal systems are different in that respect and this Directive should not be understood as affecting the rules and conditions concerning prior judicial authorisations laid down in national law, other than requiring that domestic exchanges and exchanges between Member States be treated in an equivalent manner, both on substance and procedurally. Furthermore, in order to keep any delays and complications relating to the application of such a requirement to a minimum, the Single Point of Contact or the competent law enforcement authorities, as applicable, of the Member State of the competent judicial authority should take all practical and legal steps, where relevant in cooperation with the Single Point of Contact or the designated law enforcement authority of the requesting Member State, to obtain the judicial authorisation as soon as possible. Although the legal basis of this Directive is limited to law enforcement cooperation under Article 87(2), point (a), of the Treaty on the Functioning of the European Union (TFEU), this Directive might be of relevance to judicial authorities.

(23)

It is particularly important that the protection of personal data, in accordance with Union law, be ensured in connection with all exchanges of information under this Directive. To that end, any personal data processing by a Single Point of Contact or a competent law enforcement authority under this Directive should be carried out in full compliance with Directive (EU) 2016/680 of the European Parliament and of the Council (17). Pursuant to Regulation (EU) 2016/794, the European Union Agency for Law Enforcement Cooperation (Europol) is to process data in accordance with the rules set out therein. That Directive and that Regulation are unaffected by this Directive. In particular, it should be specified that any personal data exchanged by Single Points of Contacts and competent law enforcement authorities remain limited to the categories of data per category of data subject listed in Section B of Annex II to Regulation (EU) 2016/794. Accordingly, a clear distinction should be made between the data concerning suspects and the data concerning witnesses, victims, or persons belonging to other groups, for which stricter limitations apply. Furthermore, as far as possible, any such personal data should be distinguished in accordance with their degree of accuracy and reliability. In order to ensure accuracy and reliability, facts should be distinguished from personal assessments. The Single Points of Contact or, where applicable, competent law enforcement authorities should process requests for information under this Directive as quickly as possible in order to ensure the accuracy and reliability of personal data, to avoid unnecessary duplication of data, and to reduce the risk of data becoming outdated or no longer being available to them. Where it appears that the personal data are incorrect, they should be rectified or erased or their processing should be restricted without delay.

(24)

In order to allow for the adequate and rapid provision of information by Single Points of Contact, either upon request or on their own initiative, it is important that the competent law enforcement authorities understand each other. All exchanges of information, including the provision of requested information, refusals of requests for information, including the reasons for such refusals, and, where applicable, requests for clarification or specifications and clarification or specifications provided which relate to a specific request should be transmitted in the language in which that request was submitted. Therefore, to prevent delays in the provision of requested information caused by language barriers and to limit translation costs, Member States should establish a list of one or more languages in which their Single Point of Contact can be addressed and in which it can communicate. Since English is a language that is broadly understood and used in practice with regard to law enforcement cooperation within the Union, it should be included on that list. Member States should provide that list and any updates thereto to the Commission. The Commission should publish online a compilation of those lists.

(25)

To ensure the safety and security of European citizens, it is essential that Europol hold the necessary information to fulfil its role as the Union’s criminal information hub supporting the competent law enforcement authorities. Therefore, when information is exchanged between Member States, irrespective of whether it is exchanged pursuant to a request for information submitted to a Single Point of Contact or competent law enforcement authority or whether it is provided by a Single Point of Contact or competent law enforcement authority on its own initiative, an assessment should be made, on a case-by-case basis, as to whether a copy of the request for information submitted under this Directive or of the information exchanged under this Directive should be sent to Europol in accordance with Article 7(6) of Regulation (EU) 2016/794 where it concerns a criminal offence falling within the scope of the objectives of Europol. Such assessments should be based on Europol’s objectives as set out in Regulation (EU) 2016/794 in so far as the scope of the criminal offence is concerned. Member States should not be obliged to send a copy of the request for information or of the information exchanged to Europol where it would be contrary to the essential interests of the security of the Member State concerned, where it would jeopardise the success of an ongoing investigation or the safety of an individual or where it would disclose information relating to organisations or specific intelligence activities in the field of national security. Moreover, in accordance with the principle of data ownership and without prejudice to the obligation set out in Regulation (EU) 2016/794 concerning the determination of the purpose of, and restrictions on, the processing of information by Europol, information initially obtained from another Member State or a third country should be provided to Europol only where that Member State or third country has given its consent. Member States should ensure that the staff of their Single Point of Contact and competent law enforcement authorities are adequately supported and trained to quickly and accurately identify which information exchanged under this Directive falls within the mandate of Europol and is necessary for it to fulfil its objectives.

(26)

The problem of the proliferation of communication channels used for the transmission of law enforcement information between Member States should be remedied because it hinders the adequate and rapid exchange of such information and increases the risks concerning the security of personal data. Therefore, the use of the Secure Information Exchange Network Application (SIENA), managed and developed by Europol in accordance with Regulation (EU) 2016/794, should be made mandatory for all transmissions and communications under this Directive, including the sending of requests for information to Single Points of Contact and directly to competent law enforcement authorities, the provision of information pursuant to such requests and the provision of information by Single Points of Contact and competent law enforcement authorities on their own initiative, communications on refusals of requests for information, clarification and specifications, and the sending of copies of requests for information or information to Single Points of Contact and Europol. To that end, all Single Points of Contact, and all competent law enforcement authorities that might be involved in exchanges of information, should be directly connected to SIENA. To allow frontline officers, such as police officers involved in dragnet operations, to use SIENA, it should also be operational on mobile devices, where appropriate. In that regard, a short transition period should be provided for in order to allow for the full roll-out of SIENA because it entails a change of the current arrangements in some Member States and requires those staff be trained. In order to take into account the operational reality and not to hamper good cooperation between competent law enforcement authorities, Member States should be able to allow their Single Point of Contact or their competent law enforcement authorities to use another secure communication channel in a limited number of justified situations. Where Member States permit their Single Point of Contact or their competent law enforcement authorities to use another communication channel due to the urgency of the request for information, they should, where practicable and consistent with operational needs, revert to using SIENA after the situation ceases to be urgent. The use of SIENA should not be mandatory for internal exchanges of information within a Member State.

(27)

In order to simplify, facilitate and better manage information flows, each Member State should establish or designate a Single Point of Contact. Single Points of Contact should be competent for coordinating and facilitating the exchange of information under this Directive. Each Member State should notify the Commission of the establishment or designation of its Single Point of Contact and any changes thereto. The Commission should publish those notifications and any updates thereto. The Single Points of Contact should, in particular, contribute to mitigating the obstacles to information flows resulting from the fragmentation of the way in which competent law enforcement authorities communicate with one another, in response to the growing need to jointly tackle cross-border crime, such as drug trafficking, cybercrime, trafficking in human beings, and terrorism. The Single Points of Contact should be assigned a number of specific, minimum tasks and have certain minimum capabilities so that they are able to effectively fulfil their coordinating functions in respect of the cross-border exchange of information for law enforcement purposes under this Directive.

(28)

The Single Points of Contact should have access to all information available within their Member State, including by having user-friendly access to all relevant Union and international databases and platforms, in accordance with the arrangements specified in the applicable Union and national law. In order to be able to meet the requirements of this Directive, in particular those on time limits, the Single Points of Contact should be provided with adequate resources in terms of budget and staff, including adequate translation capabilities, and they should function around the clock. In that regard, having a front desk that is able to screen, process and channel incoming requests for information could increase their efficiency and effectiveness. Single Points of Contact should also have at their disposition, at all times, judicial authorities competent to grant necessary judicial authorisations. In practice, that can be done, for example, by ensuring the physical presence of such judicial authorities within the premises of the Single Point of Contact or the functional availability of such judicial authorities either within the premises of the Single Point of Contact or directly available on call.

(29)

In order for them to be able to effectively perform their coordinating functions under this Directive, the Single Points of Contact should be composed of staff from those competent law enforcement authorities whose involvement is necessary for the adequate and rapid exchange of information under this Directive. While it is for each Member State to decide on the precise organisation and composition needed to meet that requirement, police, customs and other competent law enforcement authorities responsible for preventing, detecting or investigating criminal offences and possible contact points for regional and bilateral offices, such as liaison officers and attachés seconded or posted in other Member States and relevant Union law enforcement agencies, such as Europol, could be represented in the Single Points of Contact. However, in the interest of effective coordination, at a minimum, the Single Points of Contact should be composed of representatives of the Europol national unit, the SIRENE Bureau and the Interpol National Central Bureau, as established by the relevant Union legal act or international agreement and notwithstanding that this Directive does not apply to the exchange of information specifically regulated by those Union legal acts.

(30)

Given the specific demands of cross-border law enforcement cooperation, including the handling of sensitive information in that context, it is essential for the staff of the Single Points of Contact and the competent law enforcement authorities to have the necessary knowledge and skills to carry out their functions under this Directive in a lawful, efficient and effective manner. In particular, the staff of the Single Points of Contact should be offered, and encouraged to benefit from, adequate and regular training courses, provided both at Union and at national level, which correspond to their professional needs and specific backgrounds and which facilitate their contacts with the Single Points of Contact and competent law enforcement authorities of other Member States needed for the application of the rules set out in this Directive. In that respect, particular attention should be paid to the proper use of data processing tools and IT systems, to imparting knowledge about the relevant Union and national legal frameworks in the area of Justice and Home Affairs, with a particular focus on the protection of personal data, law enforcement cooperation and the handling of confidential information, and to the languages in which the Member State concerned has indicated that its Single Point of Contact is able to exchange information, with a view to helping overcome language barriers. For the purpose of providing the training, Member States should also, where appropriate, make use of the training courses and relevant tools offered by the European Union Agency for Law Enforcement Training (CEPOL), established by Regulation (EU) 2015/2219 of the European Parliament and of the Council (18), consider the possibility for the staff to spend a week at Europol, and make use of relevant offers made under programmes and projects funded by the Union budget, such as the CEPOL exchange programme.

(31)

In addition to technical skills and legal knowledge, mutual trust and common understanding are prerequisites for efficient and effective cross-border law enforcement cooperation under this Directive. Personal contacts acquired through joint operations and the sharing of expertise facilitate the building of trust and the development of a common Union culture of policing. Member States should also consider joint training courses and staff exchanges which focus on the transfer of knowledge about the working methods, investigative approaches and organisational structures of competent law enforcement authorities in other Member States.

(32)

To increase participation in training courses for the staff of the Single Points of Contact and the competent law enforcement authorities, Member States could also consider specific incentives for such staff.

(33)

It is necessary that the Single Points of Contact deploy and operate a single electronic case management system having certain minimum functions and capabilities in order to allow them to carry out each of their tasks under this Directive in an effective and efficient manner, in particular as regards the exchange of information. The case management system is a workflow system allowing Single Points of Contact to manage the exchange of information. It is desirable that the universal message format standard established by Regulation (EU) 2019/818 of the European Parliament and of the Council (19) be used in the development of the case management system.

(34)

The rules set out in Directive (EU) 2016/680 apply to the processing of personal data in the case management system. Processing includes storage. In the interests of clarity and the effective protection of personal data, the rules set out in that Directive should be further specified in this Directive. In particular, as regards the requirement set out in Directive (EU) 2016/680 that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed, this Directive should specify that, where a Single Point of Contact receives information exchanged under this Directive containing personal data, the Single Point of Contact should keep the personal data in the case management system only in so far as it is necessary and proportionate for it to carry out its tasks under this Directive. Where that is no longer the case, the Single Point of Contact should irrevocably delete the personal data from the case management system. In order to ensure that the personal data is kept only for as long as necessary and proportionate, in accordance with rules concerning time limits for storage and review set out in Directive (EU) 2016/680, the Single Point of Contact should regularly review whether those requirements continue to be met. For that purpose, a first review should take place at the latest six months after an exchange of information under this Directive has concluded, that is, the moment at which the last item of information has been provided or the latest communication relating thereto has been exchanged. The requirements of this Directive regarding such review and deletion should, however, not affect the possibility for the national authorities competent for the prevention, detection and investigation of criminal offences to keep the personal data in their national criminal files under national law, in compliance with Union law, in particular Directive (EU) 2016/680.

(35)

In order to assist Single Points of Contact and competent law enforcement authorities in the exchange of information under this Directive and to foster a common European police culture between Member States, the Member States should encourage practical cooperation among their Single Points of Contact and competent law enforcement authorities. In particular, the Council should organise meetings of the Heads of the Single Points of Contact at least on an annual basis to share experience and best practice regarding the exchange of information for the purposes of this Directive. Other forms of cooperation should include the drafting of manuals on law enforcement information exchange, the compilation of national fact sheets on directly and indirectly accessible information, Single Points of Contact, designated law enforcement authorities and language regimes, or other documents on common procedures, the addressing of difficulties regarding workflows, awareness-raising about the specificities of relevant legal frameworks and the organisation, as appropriate, of meetings between relevant Single Points of Contact.

(36)

To enable the necessary monitoring and evaluation of the application of this Directive, Member States should be required to collect and annually provide to the Commission certain data concerning the implementation of this Directive. That requirement is necessary, in particular, to remedy the lack of comparable data quantifying relevant cross-border information exchanges between competent law enforcement authorities and also facilitates the reporting obligation of the Commission regarding the implementation of this Directive. Data required for that purpose should be automatically generated by the case management system and SIENA.

(37)

The cross-border nature of transnational crime and terrorism requires Member States to rely on one another to prevent, detect or investigate such criminal offences. Since the objective of this Directive, namely ensuring adequate and rapid information flows between competent law enforcement authorities and to Europol, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale and effects of the action, be better achieved at Union level through the establishment of common rules and a common culture on the exchange of information and through modern tools and communication channels, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

(38)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and the Council (20) and delivered an opinion on 7 March 2022.

(39)

This Directive builds upon the values on which the Union is founded, as set out in Article 2 TEU, including the rule of law, freedom and democracy. It also respects fundamental rights and safeguards and observes the principles recognised by the Charter of Fundamental Rights of the European Union (the ‘Charter’), in particular the right to liberty and security, the respect for private and family life and the right to the protection of personal data as provided for by Articles 6, 7 and 8 of the Charter respectively, as well as by Article 16 TFEU. Any processing of personal data under this Directive should be limited to that which is strictly necessary and proportionate and subject to clear conditions, strict requirements and effective supervision by the national supervisory authorities established by Directive (EU) 2016/680 and the European Data Protection Supervisor, where appropriate in accordance with their respective mandates.

(40)

In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application. Given that this Directive builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Directive whether it will implement it in its national law.

(41)

Ireland is taking part in this Directive, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the TEU and to the TFEU, and Article 6(2) of Council Decision 2002/192/EC (21).

(42)

As regards Iceland and Norway, this Directive constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters’ association with the implementation, application and development of the Schengen acquis (22) which fall within the area referred to in Article 1, point H, of Council Decision 1999/437/EC (23).

(43)

As regards Switzerland, this Directive constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (24) which fall within the area referred to in Article 1, point H, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/149/JHA (25).

(44)

As regards Liechtenstein, this Directive constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (26) which fall within the area referred to in Article 1, point H, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU (27),