Europol has been ordered to delete any information related to individuals who have not been found guilty of any crime.
An investigation found that the European Union’s police agency had collected and stored data on innocent citizens.
Europol was told to delete any data that did not comply with safeguards on the length of time that sensitive information can be stored, where data can only be stored for six months if no criminal activity can be proven.
The European Data Protection Supervisor (EDPS) said that Europol was notified of the order on 3 January following a 2019 inquiry.
The EDPS said it reprimanded Europol two years ago “for the continued storage of large volumes” of such data that “poses a risk to individuals’ fundamental rights.”
The watchdog said Europol has since introduced some measures but that it has not complied with requests to set an appropriate data retention period.
“This means that Europol was keeping this data for longer than necessary,” the EDPS said.
The police agency now has 12 months to remove data that has not been destroyed by 3 January.
Europol did not immediately respond to the decision.