As data flows digitally across borders, there is a need to consider data protection in a global context. Moreover, the EDPS has a special responsibility to do so.
When appointed Supervisor in 2014, Giovanni Buttarelli, was entrusted by the EU with the task of developing and maintaining effective relationships with stakeholders in the EU Institutions, Member States, non-EU countries and other international organisations.
To this end, we work with European data protection authorities and we also cooperate with international partners to develop cross-border, coordinated approaches to ensure the rights of individuals.
For instance, the EU manages a number of European large-scale IT systems for managing visa applications, asylum seekers among other things. As these systems process vast amounts of data from a large number of people from all over the world, a coordinated approach is necessary in order to ensure a high level of data protection.
Supervision of these systems is therefore shared between national data protection authorities and the EDPS. Regardless of the partner or policy areas, our cooperation work includes:
Furthermore, the EDPS supports international organisations in their efforts to develop a data protection framework and to interact with each other; we also interact with international data protection authorities and regulators to develop a consistent approach to cross-border data protection.
Here we outline some areas of our cooperation work including the Article 29 Working Party, the European Data protection Board, Europol, Data Protection Secretariat, European IT systems, International Conferences and Workshops, the Council of Europe, OECD, other Regional and International Networks and the Berlin Group.
The Article 29 Working Party
European Data Protection Board (EDPB)
Data Protection Secretariat
European IT Systems
Schengen Information System (SIS)
Visa Information System (VIS)
Internal Market Information System (IMI)
Customs Information System (CIS) and the Customs Files Identification Database (FIDE)
International conferences and workshops
Council of Europe
Other Regional and International Networks
The Berlin Group
The Article 29 Working Party is composed of representatives of the national data protection authorities (DPAs) in the Member States of the EU, the EDPS and the European Commission. It is a very important platform for cooperation and its main tasks are to:
At least five plenary meetings are organised in Brussels every year.
However, the Working Party also deals with relevant issues through work in its subgroup meetings.
Examples include the Technology subgroup, which addresses the challenges of the internet and similar technological issues and the key provisions subgroup, which works on interpretation of the key principles of the Directive, such as the notions of consent or purpose limitation.
A webpage with access limited to the authorities to share relevant information helps to facilitate the work of the Working Party.
As a member of the Working Party, the EDPS participates in its policy making role by actively contributing to common positions and joint opinions.
The EDPS also exercises his advisory role on new EU legislation through his own Opinions.
The Article 29 Working Party and the EDPS aim to complement and support each other’s work wherever it might be relevant to do so, as was demonstrated on the highly controversial data retention directive, where the EDPS issued his own opinion and also contributed to the development of the Working Party Opinion.
The European Commission provides the secretariat for the Working Party and hosts a website where adopted documents and other relevant information, such as those on standard contractual clauses, can be found.
On 25 May 2018, when the General Data Protection Regulation (GDPR) becomes fully applicable throughout the EU, the European Data Protection Board (EDPB) will succeed the Article 29 Working Party.
The GDPR provides that the EDPB will be in charge of ensuring the consistency of its application throughout the Union.
To achieve this, the EDPB will be empowered to issue opinions or authorisations regarding a variety of matters such as Binding Corporate Rules, Certification criteria and codes of conduct used by companies; to adopt binding decisions especially in order to ensure consistency between supervisory authorities; and to issue opinions and guidance on relevant issues concerning the interpretation and application of the GDPR, as the Article 29 Working Party has done.
Bilateral and international cooperation with data protection authorities is already an important element of EDPS activities and will be even more important due to the GDPR, particularly within the EDPB.
The GDPR outlines that the EDPS will also provide the secretariat for the EDPB. The secretariat will offer administrative and logistic support for the EDPB as well as perform analytical work to contribute to the EDPB’s tasks.
1 May 2017 is the date of entry into force of the new Europol Regulation.
Our responsibilities will include:
National data protection authorities will continue to play an important role as part of a Europol Cooperation Board, of which the EDPS will also be a member.
The Board will have an advisory function and may issue opinions, guidelines, recommendations and best practices.
The EDPS provides the secretariat for several coordination groups, including the coordinated supervision of the large scale databases VIS, SIS, CIS, IMI and Eurodac. As of 1 May 2017, it will also provide the secretariat for the Europol Cooperation Board.
On 25 May 2018, when the General Data Protection Regulation (GDPR) becomes fully applicable throughout the EU, the EDPS will provide the secretariat for the European Data Protection Board.
The secretariat will offer administrative and logistics support for the EDPB as well as perform analytical work to contribute to the EDPB’s tasks.
The EDPS will dedicate a specific team to work under the instruction of the Chair of the EDPB. Preparation has been underway since 2016 to make sure that the EDPB will be operational on day one. Factsheets have been shared with stakeholders including members of the Article 29 Working Party, explaining how the EDPS is organising this secretariat support.
The Schengen Convention of 1990 aimed to create a Europe without internal borders, specifically to allow the free movement of persons within the European Union.
Currently, 25 Member States, as well as Norway and Iceland, are part of this free travel area. The Schengen Convention applies, among other things, to the areas of visa policy, asylum policy, police co-operation, policy on drugs, and the free movement of persons.
One of the duties of the EDPS as laid down in law, is the supervision of the central units of a number of large-scale IT databases or information systems to facilitate the exchange of data between Member States in these areas.
As the data is personal, supervision of the databases is required to be sure that they comply with data protection rules.
The responsibilities of this supervision are shared by data protection authorities. The use national authorities, such as the police, make of these databases and any national copies are supervised by the respective national data protection authorities; the central unit is subject to the EU Data Protection Regulation and is supervised by the EDPS.
This supervision, therefore, requires a coordinated approach. Supervision Coordination Groups consisting of the national data protection authorities and the EDPS, meet regularly to coordinate their activities.
Please note that due to this setup, the EDPS cannot help you with complaints concerning your information contained in any of the databases. Please contact the relevant national data protection authority.
The Schengen Information System (SIS) is a database used for police cooperation and border control.
It includes information on wanted or missing persons and persons under surveillance by the police.
The database only contains information on those people who live outside the Schengen area and are banned from entering it.
The database also contains information on stolen or missing vehicles and objects such as identity papers, vehicle registration certificates and vehicle number plates.
The Regulation that established the SIS database, Regulation (EC) 1987/2006 (SIS II Regulation) and Council Decision 2007/533/JHA (SIS II Decision), obliges the EDPS to inspect the SIS at least every four years.
The Visa Information System (VIS) is a database which contains information, photographs and fingerprint data on those applying for short-stay visas in the Schengen Area.
One of the main purposes of the database is to prevent visa shopping or the practice of applying for a visa in other EU Member States when the first application has been rejected.
EURODAC contains the fingerprints of applicants for asylum and irregular immigrants within the EU.
It helps in the effective application of the Dublin Regulation which determines the Member State responsible for examining an asylum application.
The Internal Market Information System (IMI) is a software application accessible via the internet, developed and hosted by the European Commission. It was developed to provide a secure way to exchange information between Member States.
It helps, among other things, to verify the validity of professional qualifications of those wanting to work in another EU country than their own.
Regulation (EU) 1024/2012 established the IMI application.
The Customs Information System (CIS) is a platform for exchanging information between customs authorities in the EU Member States.
The Customs Files Identification Database (FIDE after its French name fichier d'identification d'enquêtes douanières) is an index of persons and entities who are or have been investigated by Customs authorities in the Member States.
Regulation (EC) No 515/1997 established the use of CIS and FIDE for customs fraud cases when importing agricultural products; Council Decision 2009/917/JHA established the use of CIS and FIDE in arms and drug trafficking cases. The latter is supervised by the Customs Joint supervisory Authority (JSA).
The EDPS is a member of the International Conference of Data Protection and Privacy Commissioners (ICDPPD), which takes place every year in the autumn. We are especially active in its working groups on Enforcement Cooperation and on Data Protection in Humanitarian Action.
Together with the Bulgarian data protection authority, the EDPS will host the 2018 International Conference in Brussels. The main theme of the conference will be ethics and new technologies.
The data protection authorities from the Member States of the EU and of the Council of Europe meet annually for a spring conference to discuss matters of common interest and to exchange information and experiences on different topics. The EDPS actively contributes to the discussions. The conference usually ends with the adoption of a number of important documents.
The EDPS supports international organisations in their efforts to develop a data protection framework and to interact with each other. For that purpose, a network was created and workshops organised on a regular basis. Since 2005, we have jointly organised five workshops with international organisations. This work is done in parallel to and consistent with the initiative of the International Conference on humanitarian international organisations.
The Council of Europe is an important player in privacy and data protection law and policy, not only in Europe but increasingly on other continents where pan European norms are often taken as a source of inspiration for legislation and policies.
The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) is open to accession by both European and non European countries. It is used as a tool to help spread the European model of data protection as a fundamental and human right.
The EDPS is an observer at the Council of Europe’s expert groups on data protection, including the Consultative Committee (T PD) of Convention 108 and the ad hoc committee on data protection (CAHDATA), entrusted with the modernisation of Convention 108.
We attend the meetings of these expert groups and provide informal oral and written comments with a view to ensure a good level of protection and compatibility with EU data protection standards.
The EDPS is an observer at the Organisation for Economic Cooperation and Development (OECD) Working Party on Security and Privacy in the Digital Economy (SPDE).
We advise the European Commission where necessary and provide comments to the Working Party on recommendations relating to the protection of privacy and data protection in fields such as eHealth and eCommerce.
The EDPS also participates as an observer in other networks to support regional initiatives that aim to strengthen data protection worldwide.
These include the Global Privacy Enforcement Network (GPEN), the Asia Pacific Privacy Forum (APPA), the French-speaking association of personal data protection authorities (AFAPDP), the Ibero-American data protection network (RIPD) and the International Conference of Data Protection and Privacy Commissioners (ICDPPD), including its working groups on Enforcement Cooperation and on Data Protection in Humanitarian Action.
The EDPS regularly participates in the annual case-handling workshops organised by national data protection authorities (DPAs) and supervisory authorities in Europe (including non-EU countries such as Montenegro, hosts of the 2016 workshop). These workshops are useful fora to discuss practical issues at working level and bring together DPA staff (complaint handlers and inspectors for example) from all over Europe. Subjects in past workshops include the right to be forgotten by search engines, the processing of data by private investigators/detectives, CCTV, credit scoring and anti-money-laundering.
The International Working Group on Data Protection in Telecommunications serves as an early warning mechanism to alert privacy and data protection authorities around the world about new technological challenges for personal data protection.
Also known as the Berlin Group, as it is facilitated by the Berlin Commissioner for Data Protection and Information Freedom, it is made up of data protection and privacy commissioners, including the EDPS, from Europe, America, Asia Pacific and Africa and a limited number of legal and technical experts from civil society, academia and business.
The task of the Group is to provide its members and the public with working papers on specific technological developments.