European Data Protection Supervisor, the EU personal data watchdog, said the police agency has continually stored "large volumes" of data regardless of whether it was related to a crime or not.
Europol has been ordered to delete any information related to individuals who have not been found guilty of any crime.
An investigation found that the European Union's police agency had collected and stored data on innocent citizens.
Europol was told to delete any data that did not comply with safeguards on the length of time that sensitive information can be stored, where data can only be stored for six months if no criminal activity can be proven.
The European Data Protection Supervisor (EDPS) said that Europol was notified of the order on 3 January following a 2019 inquiry.
The EDPS said it reprimanded Europol two years ago “for the continued storage of large volumes” of such data that "poses a risk to individuals’ fundamental rights.”
The watchdog said Europol has since introduced some measures but that it has not complied with requests to set an appropriate data retention period.
“This means that Europol was keeping this data for longer than necessary,” the EDPS said.
The police agency now has 12 months to remove data that has not been destroyed by 3 January.
In a statement on Monday, Europol said the EDPS decision "will have an impact on our ability to analyse large and complex datasets at the request of law enforcement."
The agency added that data sets for major cases of cybercrime, terrorism, or international drug trafficking are "frequently" longer than six months.