Dies ist eine HTML Version eines Anhanges der Informationsfreiheitsanfrage 'Documents on the "Check the Web" initiative'.

EN 
17.12.2009 Official 
Journal 
of 
the 
European 
Union  L 
332/17 
III 
(Acts adopted under the EU Treaty) 
ACTS ADOPTED UNDER TITLE VI OF THE EU TREATY 
COUNCIL DECISION 2009/968/JHA 
of 30 November 2009 
adopting the rules on the confidentiality of Europol information 
THE COUNCIL OF THE EUROPEAN UNION, 
(d) ‘Security Coordinator’ means the Deputy Director to whom 
the Director — in pursuance of Article 38(2) of the Europol 
Having regard to Council Decision 2009/371/JHA of 6 April 
Decision — assigns, alongside his other tasks, the function 
2009 establishing the European Police Office (Europol) (
of coordination and control in matters of security; 
 1 ) (the 
Europol Decision) and in particular Article 40 thereof, 
(e) ‘Security Officers’ means the Europol staff, appointed by the 
Having regard to the draft rules submitted by the Management 
Director, responsible for security issues in accordance with 
Board, 
Article 6; 
Having regard to the Opinion of the European Parliament, 
(f) ‘Security Manual’ means the manual implementing these 
rules, to be established in accordance with Article 7; 
Whereas in accordance with the Europol Decision, it is for the 
Council, acting by qualified majority after consulting the 
European Parliament, to adopt implementing rules on the confi­
(g) ‘classification level’ means a security marking assigned to a 
dentiality of information which is obtained by, or exchanged 
document processed by or through Europol, as referred to 
with, Europol (hereinafter the rules), 
in Article 10; 
HAS DECIDED AS FOLLOWS: 
(h) ‘security package’ means a specified combination of security 
measures to be applied to information subject to a Europol 
CHAPTER I 
classification level as referred to in Article 10; 
DEFINITIONS AND SCOPE 
Article 1 
(i)  ‘basic protection level’ means the level of protection which 
shall be applied to all information processed by or through 
Definitions 
Europol, except information which is expressly marked or is 
For the purposes of these rules, 
clearly recognisable as being public information, as referred 
to in Article 10(1); 
(a) ‘processing of information’ or ‘processing’ means any 
operation or set of operations which is performed on 
(j)  ‘staff’ means temporary staff and contract staff as defined in 
personal or non-personal data, whether or not by 
Article 39(4) of the Europol Decision; 
automatic means, such as collection, recording, organi­
sation, storage, adaptation or alteration, retrieval, consult­
ation, use, disclosure by transmission, dissemination or 
(k) ‘Europol classified information’ means any information and 
otherwise making available, alignment or combination, 
material in any form, an unauthorised disclosure of which 
blocking, erasure or destruction; 
could cause varying degrees of prejudice to the essential 
interests of Europol or of one or more Member States, 
(b) ‘third party’ means an entity referred to in Articles 22(1) 
and that requires the application of appropriate security 
and 23(1) of the Europol Decision; 
measures as defined in Article 7(2)(b). 
(c) ‘Security Committee’ means the Committee consisting of 
Article 2 
representatives of the Member States and Europol, as 
described in Article 4; 
Scope 
1. These 
rules 
establish 
the 
security 
measures 
to 
be 
applied 
( 1 ) OJ L 121, 15.5.2009, p. 37.
to all information which is processed by or through Europol.

L 332/18 
EN 
Official Journal of the European Union 
17.12.2009
2. Communication 
channels 
between 
Europol 
and 
the  Security Coordinator shall monitor the enforcement of 
national units of the Member States, referred to in Article 8 
security provisions and inform the Director of all breaches of 
of the Europol Decision, shall provide a level of protection 
security. In serious cases, the Director shall inform the 
which is equivalent to the level offered by these measures. A 
Management Board. If such breaches risk compromising the 
common standard for these communication channels shall be 
interests of a Member State, that Member State shall also be 
approved by the Security Committee. 
informed. 
3.  The Annex sets out an overview of the Europol classifi­
2. The 
Security 
Coordinator 
shall 
be 
directly 
answerable 
to 
cation levels, as referred to in Article 10, and the equivalent 
the Director of Europol. 
markings currently applied by the Member States to 
information subject to those classification levels. When a 
Member State informs the other Member States and Europol 
3. The 
Security 
Coordinator 
shall 
be 
security 
cleared 
to 
the 
of any changes in its national provisions on classification 
highest level in accordance with the laws and regulations 
levels or in the equivalent markings, Europol shall elaborate a 
applicable in the Member State of which the Security Coor­
revised version of the overview reproduced in the Annex. At 
dinator is a national. 
least once a year the Security Committee shall ascertain whether 
the overview is up to date. 
Article 6 
Security Officers 
CHAPTER II 
1.  Security Officers shall support the Director in the imple­
SECURITY RESPONSIBILITIES 
mentation of the security measures laid down in these rules and 
Article 3 
in the Security Manual. Security Officers shall be directly 
answerable to the Security Coordinator. The specific tasks of 
Member States' Responsibilities 
the Security Officers shall be: 
1. Member 
States 
shall 
undertake 
to 
ensure 
that, 
within 
their 
territory, Europol information receive a level of protection 
(a) to instruct, assist and advise all persons at Europol — as 
which is equivalent to the level of protection offered by the 
well as any other person involved in Europol-related 
security measures established under these rules. 
activities who is under a particular obligation of discretion 
or confidentiality — as to their duties under these rules and 
under the Security Manual; 
2. Member 
States 
shall 
undertake 
to 
inform 
the 
Security 
Coordinator of all security breaches that may compromise the 
interests of Europol or of a Member State. In the latter case, the 
(b) to enforce security provisions, investigate breaches thereof 
Member State concerned shall also be informed directly through 
and report on them immediately to the Security Coor­
the national unit. 
dinator; 
Article 4 
(c) to regularly review the adequacy of security measures on the 
basis of risk assessments; to that end, they shall report to 
Security Committee 
the Security Coordinator as a rule at least once a month 
1. A 
Security 
Committee 
shall 
be 
set 
up, 
consisting 
of 
repre­
and, in exceptional cases, whenever it is deemed necessary 
sentatives of the Member States and of Europol, which shall 
and shall provide appropriate recommendations and advice; 
meet at least twice a year. 
(d)  to perform the tasks assigned to them under these rules or 
under the Security Manual; and 
2. The 
Security 
Committee 
shall 
have 
as 
its 
task 
to 
advise 
the 
Management Board and Director of Europol on issues relating 
to security policy, including the application of the Security 
(e)  to perform any other tasks assigned to them by the Security 
Manual. 
Coordinator. 
3. The 
Security 
Committee 
shall 
establish 
its 
rules 
of  2. Security 
Officers 
shall 
be 
security 
cleared 
to 
the 
appro­
procedure. The meetings of the Security Committee shall be 
priate level required by their duties and in accordance with 
chaired by the Security Coordinator. 
the laws and regulations applicable in the Member States of 
which they are a national. 
Article 5 
Article 7 
Security Coordinator 
Security Manual, procedure and content 
1. The 
Security 
Coordinator 
shall 
have 
general 
responsibility 
for all issues relating to security, including the security measures 
1. The 
Security 
Manual 
shall 
be 
adopted 
by 
the 
Management 
laid down in these rules and in the Security Manual. The 
Board after having consulted the Security Committee.

EN 
17.12.2009 Official 
Journal 
of 
the 
European 
Union  L 
332/19
2. The 
Security 
Manual 
shall 
provide 
management 
direction  rules and of the Security Manual in accordance with 
and support for security in accordance with business 
paragraph 1. 
requirements and shall set out Europol’s approach to 
managing security. The Security Manual shall contain: 
CHAPTER III 
(a) detailed rules on the security measures to be applied within 
GENERAL PRINCIPLES 
Europol in order to provide for the basic protection level 
Article 10 
referred to in Article 10(1) of these rules, such measures 
being based on Articles 35 and 41(2) of the Europol 
Basic protection level, classification levels and security 
Decision and taking account of Article 40(3) thereof; and 
packages 
1. All 
information 
processed 
by 
or 
through 
Europol, 
with 
the exception of information which is expressly marked or is 
(b) detailed rules on the security measures associated with the 
clearly recognisable as being public information, shall be subject 
different Europol classification levels and the corresponding 
to a basic protection level within Europol and in Member States. 
security packages referred to in Article 10(2) and 10(3); the 
Security Manual shall also take account of Article 46 of the 
Europol Decision. 
2. In 
accordance 
with 
Article 
3, 
Member 
States 
shall 
ensure 
the application of the basic protection level referred to in 
paragraph 1, by a variety of measures in accordance with 
3. The 
Security 
Manual 
shall 
be 
reviewed 
at 
regular 
intervals,  national legislation and regulations, including the obligation of 
or when significant changes occur, in order to ensure its 
discretion and confidentiality, limiting access to information to 
continuing suitability, adequacy, and effectiveness. 
authorised personnel, data protection requirements as far as 
personal data are concerned and general technical and 
procedural measures to safeguard the security of the 
information, taking into account Article 41(2) of the Europol 
4. Amendments 
to 
the 
Security 
Manual 
shall 
be 
adopted 
in  Decision. 
accordance with the procedure set out in paragraph 1. 
3. Information 
requiring 
additional 
security 
measures 
shall 
be 
Article 8 
subject to a Europol classification level, which shall be indicated 
by a specific marking. Information shall be subject to a security 
Security accreditation of systems 
level only where strictly necessary and only for the time 
1. All 
Europol 
systems 
used 
to 
process 
Europol 
classified  necessary. 
information shall be accredited by the Management Board 
after having consulted the Security Committee and after 
having obtained assurance of the effective implementation of 
4. The 
following 
Europol 
classification 
levels 
shall 
be 
used: 
the required security measures deriving from the system 
specific security requirements (SSSR), Information Risk 
Register and any other relevant documentation. Subsystems 
and remote terminals or workstations shall be accredited as 
(a) ‘RESTREINT UE/EU RESTRICTED’: this classification shall be 
part of all the systems to which they are connected. 
applied to information and material the unauthorised 
disclosure of which could be disadvantageous to the 
interests of Europol, the EU or one or more Member States; 
2. The 
SSSR 
shall 
be 
adopted 
and 
amended 
by 
the 
Management Board after having consulted the Security 
(b) ‘CONFIDENTIEL UE/EU CONFIDENTIAL’: this classification 
Committee. This SSSR shall comply with the relevant provisions 
shall be applied to information and material the un­
of the Security Manual. 
authorised disclosure of which could harm the essential 
interests of Europol, the EU or one or more Member States; 
Article 9 
Observance 
(c) ‘SECRET UE/EU SECRET’: this classification shall be applied 
to information and material the unauthorised disclosure of 
1. The 
security 
measures 
laid 
down 
in 
these 
rules 
and 
in 
the 
which could seriously harm the essential interests of 
Security Manual shall be observed by all persons at Europol, as 
Europol, the EU or one or more Member States; 
well as by any other person involved in Europol-related 
activities who is under a particular obligation of discretion or 
confidentiality. 
(d) ‘TRÈS SECRET UE/EU TOP SECRET’: this classification shall 
be applied to information and material the unauthorised 
disclosure of which could cause exceptionally grave 
2. The 
Director, 
the 
liaison 
bureaus 
and 
Europol 
national 
prejudice to the essential interests of Europol, the EU or 
units shall be responsible for ensuring observance of these 
one or more Member States.

L 332/20 
EN 
Official Journal of the European Union 
17.12.2009
Such classified information and material shall bear an additional 
on an appropriate classification level. Europol shall not 
marking (‘EUROPOL’) under the classification marking to 
specify, change, add or remove a classification level without 
indicate that it originates in Europol. 
such agreement. 
Each Europol classification level shall relate to a specific security 
4. Where 
information 
generated 
by 
Europol 
is 
based 
upon, 
package, to be applied within Europol. The security packages 
or contains, information supplied by a Member State, Europol 
shall offer different levels of protection, depending on the 
shall determine, in agreement with the Member State concerned, 
content of the information, and taking account of the detri­
whether the basic protection level is sufficient or whether the 
mental effect which unauthorised access, dissemination or use 
application of a Europol classification level is required. 
of the information might have on the interests of Europol or 
the Member States. 
5. Where 
information 
is 
generated 
by 
Europol 
itself, 
and 
such information is not based upon, nor contains, information 
When information classified at different levels is gathered, the 
supplied by a Member State, Europol shall determine any appro­
classification level to be applied shall be at least as high as that 
priate classification level for such information, using criteria laid 
applicable to the information protected at the highest level. In 
down by the Security Committee. Where necessary, Europol 
any event, a group of information may be given a higher 
shall mark the information accordingly. 
protection level than that of each of its parts. 
6. Member 
States 
and 
Europol 
shall, 
where 
information 
also 
The translation of a classified document shall be given the same 
concerns the essential interests of another Member State, 
classification level, and shall be subject to the same protection, 
consult that Member State on whether any classification level 
as the original document. 
should be applied to that information and, if so, which classifi­
cation level should be applied. 
5. A 
caveat 
marking 
may 
be 
used 
for 
specifying 
additional 
Article 12 
conditions such as distribution of the information is limited to 
specific information exchange channels, embargo and a 
Changing the classification level 
particular distribution on a need-to-know basis. Such caveat 
markings shall be defined in the Security Manual. 
1. A 
Member 
State 
which 
has 
supplied 
information 
to 
Europol may, at any time, require that the selected classification 
level be changed, including by removing or adding a classifi­
cation level. Europol shall be obliged to remove, amend or add 
6. The 
security 
packages 
shall 
consist 
of 
various 
measures 
of  a classification level in accordance with the wishes of the 
a physical, technical, organisational or administrative nature, as 
Member State concerned. 
laid down in the Security Manual. 
2.  The Member State concerned shall, as soon as circum­
Article 11 
stances allow, request that the classification level in question 
Choice of classification level 
be downgraded or removed altogether. 
1. The 
Member 
State 
supplying 
information 
to 
Europol 
shall 
be responsible for the choice of any appropriate classification 
3. A 
Member 
State 
supplying 
information 
to 
Europol 
may 
level for such information in accordance with Article 10. Where 
specify the time period for which the choice of classification 
applicable, when supplying information to Europol, the Member 
level will apply, and any possible amendments to the classifi­
State shall mark it with a Europol classification level as referred 
cation level thereafter. 
to in Article 10(4). 
4.  Where the basic protection level or classification level has 
2. In 
choosing 

classification 
level, 
Member 
States 
shall 
take  been determined by Europol in accordance with Article 11(4), 
account of the classification of the information under their 
Europol shall only change the basic protection or classification 
national regulations, the need for the operational flexibility 
level in agreement with the Member States concerned. 
required for Europol to function adequately and the requirement 
that classification of law enforcement information should be the 
exception and that, if such information has to be classified, the 
5. Where 
the 
classification 
level 
has 
been 
determined 
by 
lowest possible level should be assigned. 
Europol in accordance with Article 11(5), Europol may 
change or remove the classification level at any time it is 
deemed necessary. 
3. If 
Europol, 
on 
the 
basis 
of 
information 
already 
in 
its 
possession, comes to the conclusion that the choice of a clas­
sification level needs changing (for instance removing or adding 
6. Where 
information, 
the 
classification 
level 
of 
which 
is 
a classification level, or adding a classification level to a 
changed in accordance with this Article, has already been 
document previously subject to the basic protection level), it 
supplied to other Member States, Europol shall inform the 
shall inform the Member State concerned and seek to agree 
recipients of the change to the classification level.

EN 
17.12.2009 Official 
Journal 
of 
the 
European 
Union  L 
332/21
Article 13 
national competent authorities concerned of the granting 
of such temporary authorisation. The granting of this 
Processing, access and security clearance 
temporary authorisation shall not give access to information 
1. Access 
to, 
and 
possession 
of, 
information 
shall 
be 
classified as ‘SECRET UE/EU SECRET’ and above. 
restricted within the Europol organisation to those persons 
who, by reason of their duties or obligations, need to be 
4. Such 
authorisation 
shall 
not 
be 
granted 
where 

Member 
acquainted with such information or need to handle it. 
State, when supplying the information concerned, has specified 
Persons entrusted with the processing of information shall 
that the discretion afforded to the Security Coordinator under 
have obtained an appropriate security clearance and shall 
paragraph 3 shall not be exercised in relation to that 
further receive special training. 
information. 
2. All 
persons 
who 
may 
have 
access 
to 
information 
subject 
Article 14 
to a classification level processed by Europol shall undergo 
security clearance in accordance with Article 40(2) of the 
Third parties 
Europol Decision and the Security Manual. The Security Co­
ordinator shall, on the basis of the result of the security 
When concluding confidentiality agreements with third parties, 
clearance procedure, subject to the provisions of the Security 
or when concluding agreements in accordance with Articles 
Manual, grant authorisation to those persons cleared at the 
22(4) and 23(7) of the Europol Decision, Europol shall take 
appropriate national level, who by reason of their duties or 
account of the principles laid down in these rules and in the 
obligations, need to be acquainted with information subject to 
Security Manual, which should be applied accordingly to 
a Europol classification level. The authorisation is subject to 
information exchanged with such third parties. 
regular review by the Security Coordinator. Authorisation may 
be withdrawn immediately by the Security Coordinator on 
CHAPTER IV 
justifiable grounds. The Security Coordinator shall also be 
FINAL PROVISIONS 
responsible for ensuring the implementation of paragraph 3. 
Article 15 
3. No 
person 
shall 
have 
access 
to 
information 
subject 
to 

classification level without having been granted security 
Review of the rules 
clearance at the appropriate level. Exceptionally, however, the 
Any proposals for amendments to these rules shall be 
Security Coordinator may, after consultation of a Security 
considered by the Management Board with a view to their 
Officer, 
adoption by the Council in accordance with the procedure 
provided for in Article 40(1) of the Europol Decision. 
(a) give a specific and limited authorisation to persons cleared 
at ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ level to have 
Article 16 
access to specific information classified up to ‘SECRET 
UE/EU SECRET’ level, if, by reason of their duties or obli­
Entry into force 
gations in a specific case, they need to be acquainted with 
information subject to a higher Europol classification level; 
These rules shall enter into force on 1 January 2010. 
or 
(b) grant  temporary  authorisation  to  access  classified 
Done at Brussels, 30 November 2009. 
information for a period not exceeding six months, 
pending the outcome of the security clearance referred to 
in paragraph 2, if it is in the interest of Europol, and after 
For the Council 
giving the national competent authorities notification and 
provided there is no reaction from them within three 
The President 
months; the Security Coordinator shall inform the 
B. ASK

L 332/22 
EN 
Official Journal of the European Union 
17.12.2009
ANNEX 
TABLE OF EQUIVALENCE OF CLASSIFICATION LEVELS 
Equivalence of classification levels 
Europol (
RESTREINT UE/EU 
 1 ) 
TRÈS SECRET UE/EU 
TOP SECRET 
SECRET UE/EU SECRET 
CONFIDENTIEL UE/EU 
CONFIDENTIAL 
RESTRICTED 
Belgium Très 
Secret 
Secret 
Confidentiel 
Diffusion restreinte 
Zeer Geheim 
Geheim 
Vertrouwelijk 
Beperkte verspreiding 
Bulgaria 
СТРОГО  СЕКРЕТНО 
СЕКРЕТНО 
ПОВЕРИТЕЛНО 
ЗА  СЛУЖЕБНО 
ПОЛЗВАНЕ 
Czech Republic 
Přísně tajné Tajné 
Důvěrné Vyhrazené 
Denmark Yderst 
hemmeligt Hemmeligt Fortroligt Til 
tjenestebrug 
Germany Streng 
geheim Geheim VS 
— 
Vertraulich VS 
— 
Nur 
für 
den 
Dienstgebrauch 
Estonia Täiesti 
Salajane Salajane Konfidentsiaalne Piiratud 
Ireland Top 
Secret Secret Confidential Confidential 
Greece 
Άκρως  Απόρρητο 
Απόρρητο 
Εμπιστευτικό 
Περιορισμένης  Χρήσης 
Spain Secreto Reservado Confidencial Difusión 
Limitada 
France Très 
Secret 
Défense Secret 
Défense Confidentiel 
Défense 
Italy Segretissimo Segreto Riservatissimo Riservato 
Cyprus 
Άκρως  Απόρρητο 
Απόρρητο 
Εμπιστευτικό 
Περιορισμένης  Χρήσης 
Latvia Sevišķi slepeni Slepeni Konfidenciāli Dienesta 
vajadzībām 
Lithuania Visiškai 
slaptai Slaptai Konfidencialiai Riboto 
naudojimo 
Luxembourg Très 
secret Secret Confidentiel Diffusion 
restreinte 
Hungary Szigorúan 
titkos! Titkos! Bizalmas! Korlátozott 
terjesztésű! 
Malta L-Ghola 
Segretezza Sigriet Kunfidenzjali Ristrett 
Netherlands BE 
Zeer 
geheim STG 
Zeer 
geheim STG 
Confidentieel Vertrouwelijk 
Austria Streng 
geheim Geheim Vertraulich Eingeschränkt 
Poland 
Ściśle Tajne Tajne Poufne Zastrzeżone 
Portugal Muito 
Secreto Secreto Confidencial Reservado 
Romania Strict 
secret 
de 
Strict secret Secret Secret 
de 
serviciu 
importanță deosebită 
Slovenia Strogo 
tajno Tajno Zaupno Interno 
Slovakia Prísne 
tajné Tajné Dôverné Vyhradené 
Finland Erittäin 
salainen Salainen Luottamuksellinen Viranomaiskäyttö 
Sweden Kvalificerat 
hemlig Hemlig Hemlig Hemlig 
United Kingdom Top 
Secret Secret Confidential Restricted 
( 1 ) The marking ‘Europol’ shall be inserted under the classification marking.