Data Protection

EFCA operates under a strictly audited, GDPR-compliant framework that prioritizes victim privacy through cryptographic hashing and DLT-based audit trails.

Institutional Framework

The European Financial Crime Agency (EFCA) operates under the EFCA Data Protection Framework, a comprehensive set of regulations fully aligned with the General Data Protection Regulation (GDPR) and EU Directive 2016/680 (Law Enforcement Directive).

Our Commitment

EFCA is committed to protecting the privacy of victims and whistleblowers while exercising our executive mandate to freeze assets and prosecute financial crime. We believe that financial transparency and personal privacy are not mutually exclusive—they are both enabled by superior technology.

Technical Safeguards

🔐

Identity Hashing

Victim identities are hashed at the point of entry. EFCA systems do not store plaintext names or national ID numbers in investigation databases. This ensures that even EFCA staff cannot link a name to a case without a specific, auditable decryption trigger.

⛓️

DLT-Audited Access

Every action taken by an EFCA investigator—every query, every freeze order, and every data access—is logged to a Distributed Ledger Technology (DLT). This creates a tamper-proof, immutable audit trail that prevents unauthorized surveillance or corruption.

🛡️

Zero-Knowledge Proofs

We use ZKPs to verify compliance facts without exposing underlying private data. This allows EFCA to confirm a transaction is "clean" or a user is "verified" without ever seeing the sensitive data behind those claims.

⚛️

Quantum Resistance

All data is encrypted using NIST post-quantum cryptographic standards. This ensures that sensitive investigation intelligence remains secure even as quantum computing advances and classical encryption becomes vulnerable.

Your Rights Under GDPR

As a data subject, you hold specific rights regarding your personal data. EFCA ensures these rights are protected, subject to necessary and proportionate limitations required for criminal investigations and asset recovery.

  • Right of Access

    You may request a copy of the personal data we hold about you. For ongoing cases, access may be deferred if it would prejudice an active investigation.

  • Right to Rectification

    You have the right to correct inaccurate or incomplete data. In the context of evidence logging, rectification is handled through supplementary DLT entries to maintain audit integrity.

  • Right to Erasure

    Under this right, commonly known as the "right to be forgotten," you may request the deletion of your data when it is no longer necessary for the purposes for which it was collected, provided it is not required for prosecution or asset recovery.

  • Data Portability

    You have the right to receive your data in a structured, commonly used, and machine-readable format.

Data Retention Policy

EFCA does not store data indefinitely. Retention periods are strictly governed by the stage of the case journey:

  • Unopened Reports: Deleted after 90 days if no investigation is initiated.
  • Active Investigations: Retained for the duration of the investigation and subsequent prosecution.
  • Closed Cases: Data is archived for 10 years following the recovery of assets, as mandated by EU anti-money laundering (AML) regulations.

Contact Our DPO

If you have questions about how your data is handled, you can contact the EFCA Data Protection Officer (DPO) via the secure channel below:

EFCA Data Protection Office

Secure Message Portal: efca-dpo-secure-01

Brussels, Belgium