As data flows digitally across borders, there is a need to consider data protection in a global context. Moreover, the EDPS has a special responsibility to do so.
When appointed Supervisor in 2014, Giovanni Buttarelli, was entrusted by the EU with the task of developing and maintaining effective relationships with stakeholders in the EU Institutions, Member States, non-EU countries and other international organizations.
To this end, we work with European data protection authorities, in particular in the framework of the European Data Protection Board, and we also cooperate with international partners to develop cross-border, coordinated approaches to ensure the rights of individuals.
For instance, the EU manages a number of European large-scale IT systems for managing visa applications, asylum seekers among other things. As these systems process vast amounts of data from a large number of people from all over the world, a coordinated approach is necessary in order to ensure a high level of data protection.
Supervision of these systems is therefore shared between national data protection authorities and the EDPS. Regardless of the partner or policy areas, our cooperation work includes:
- sharing information and good practice;
- working together to improve understanding of data protection law;
- finding common positions where possible; and
- developing guidance where necessary.
Furthermore, the EDPS supports international organizations in their efforts to develop a data protection framework and to interact with each other; we also interact with international data protection authorities and regulators to develop a consistent approach to cross-border data protection.
Here we outline some areas of our cooperation work including the European Data protection Board, Europol,, European large scale IT systems, International Conferences and Workshops, the Council of Europe, OECD, other Regional and International Networks and the Berlin Group.
European Data Protection Board (EDPB)
European large scale IT Systems
Schengen Information System (SIS)
Visa Information System (VIS)
Customs Information System (CIS) and the Customs Files Identification Database (FIDE)
Internal Market Information System (IMI)
International conferences and workshops
Council of Europe
Other Regional and International Networks
The Berlin Group
Data Protection and International Organisations
European Data Protection Board
As from 25 May 2018, the European Data Protection Board (EDPB) has succeeded the Article 29 Working Party.
The General Data Protection Regulation (GDPR) provides that the EDPB is in charge of ensuring the consistency of its application throughout the Union.
To achieve this, the EDPB is empowered to issue opinions regarding a variety of matters such as Binding Corporate Rules, Certification criteria and codes of conduct used by companies; to adopt binding decisions to ensure consistency between supervisory authorities; and to issue guidance on relevant issues concerning the interpretation and application of the GDPR.
Bilateral and international cooperation with data protection authorities is an essential element of EDPS activities particularly within the EDPB.
Besides its role as full member of the EDPB, the EDPS also provides an independent secretariat for the EDPB. The secretariat offers administrative and logistic support for the EDPB as well as performs analytical work to contribute to the EDPB’s tasks.
1 May 2017 marked the date of entry into application of the current Europol Regulation, which has been subsequently amended by Regulation (EU) 2022/991.
It is also the date that the EDPS took over the supervision of the EU Agency for Law Enforcement Cooperation (Europol) from the Joint Supervisory Body.
Our responsibilities include:
- monitoring and ensuring the application of the data protection provisions of the Europol Regulation by Europol; and
- advising Europol and relevant stakeholders on matters concerning the processing of personal data.
National data protection authorities continue to play an important role. Until the entry into force of Regulation 2022/991, the supervision of Europol was coordinated among the national supervisory authorities and the EDPS via the Europol Coordination Board (ECB). Now the Coordinated Supervision Committee of the EDPB, of which the EDPS is also part, has taken over this task.
European large-scale IT Systems in the area of freedom, security and justice
One of the duties of the EDPS as laid down in law, is the supervision of the central units of a number of EU large-scale IT databases or information systems to facilitate the exchange of data between Member States in these areas.
As the data is personal, supervision of the databases is required to be sure that they comply with data protection rules.
The responsibilities of this supervision are shared by data protection authorities. The use national authorities, such as the police, make of these databases and any national copies is supervised by the respective national data protection authorities; the central unit is subject to the EU Data Protection Regulation and is supervised by the EDPS.
This supervision, therefore, requires a coordinated approach. Supervision Coordination Groups consisting of the national data protection authorities and the EDPS, meet regularly to coordinate their activities. Their secretariat is provided by the EDPS. Article 62 of Regulation 2018/1725 provides for a harmonised model of coordinated supervision, applicable where the relevant act of Union law refers to this Article. Pursuant to Article 62, the EDPS and the national data protection authorities, each acting within their respective competences, shall cooperate actively within the framework of their responsibilities to ensure effective supervision of large-scale IT systems and of Union bodies, offices and agencies. They shall meet for these purposes within the framework of the European Data Protection Board (EDPB). In other words, the coordinated supervision concerning the large-scale IT systems mentioned below remains applicable until it is aligned with Article 62.
Please note that due to this setup, the EDPS cannot help you with complaints concerning your information contained in any of the databases. Please contact the relevant national data protection authority.
Schengen Information System
The Schengen Information System (SIS) is a database used for police cooperation and border control.
It includes information on wanted or missing persons and persons under surveillance by the police.
The database only contains information on those people who live outside the Schengen area and are banned from entering it.
The database also contains information on stolen or missing vehicles and objects such as identity papers, vehicle registration certificates and vehicle number plates.
In 2018, the SIS legal framework went through a significant revision primarily to enlarge its purposes, to add certain categories of alerts, and to expand the authorities with granted access to SIS data. The new legal framework was adopted on 28 November 2018 and published on 7 December 2018.
It consists of three Regulations, covering three areas of competence:
- Regulation (EU) 2018/1860 (“SIS Regulation on the use of SIS for the return of illegally staying third-country nationals”) ,
- Regulation (EU) 2018/1861 (“SIS Regulation in the field of border checks”) ,
- Regulation (EU) 2018/1862 (“SIS Regulation in the field of police and judicial cooperation”)
This framework obliges the EDPS to inspect the SIS at least every four years.
Visa Information System
The Visa Information System (VIS) is a database which contains information, photographs and fingerprint data on those applying for short-stay visas in the Schengen Area.
One of the main purposes of the database is to prevent visa shopping or the practice of applying for a visa in other EU Member States when the first application has been rejected.
Council Decision 2014/512/EC and Regulation (EC) 767/2008 (VIS Regulation) that established the VIS database obliges the EDPS inspect the VIS at least every four years.
EURODAC contains the fingerprints of applicants for asylum and irregular immigrants within the EU.
It helps in the effective application of the Dublin Regulation which determines the Member State responsible for examining an asylum application.
Regulation (EU) 603/2013, establishing Eurodac obliges the EDPS to inspect EURODAC at least every three years.
Customs Information System and the Customs Files Identification Database
The Customs Information System (CIS) is a platform for exchanging information between customs authorities in the EU Member States.
The Customs Files Identification Database (FIDE after its French name fichier d'identification d'enquêtes douanières) is an index of persons and entities who are or have been investigated by Customs authorities in the Member States.
Regulation (EC) No 515/1997 established the use of CIS and FIDE for customs fraud cases when importing agricultural products; Council Decision 2009/917/JHA established the use of CIS and FIDE in arms and drug trafficking cases. The latter is supervised by the Customs Joint supervisory Authority (JSA).
Internal Market Information System
Regulation (EU) 1024/2012 established the Internal Market Information System (IMI) application. The IMI is a software application accessible via the internet, developed and hosted by the European Commission. It was developed to provide a secure way to exchange information between Member States.
It helps, among other things, to verify the validity of professional qualifications of those wanting to work in another EU country than their own.
Following a recent revision of the IMI Regulation 1024/2012, the coordinated supervision of the IMI system has been aligned with the Article 62 model of Regulation 2018/1725. Pursuant to Article 62, the EDPS and the national data protection authorities, each acting within their respective competences, shall cooperate actively within the framework of their responsibilities to ensure effective supervision of large-scale IT systems and of Union bodies, offices and agencies. As a result, the support for the IMI Supervision Coordination Group has been handed over to the EDPB Secretariat.
International conferences and workshops
The EDPS is a member of the Global Privacy Assembly (GPA), which takes place every year in the autumn. We are especially active in its working groups on the Future of the Conference, on the cooperation with consumers’ protection authorities and on Enforcement Cooperation.
Together with the Bulgarian data protection authority, the EDPS hosted the 2018 International Conference in Brussels. The main theme of the conference was ethics and new technologies.
The data protection authorities from the Member States of the EU and of the Council of Europe meet annually for a spring conference to discuss matters of common interest and to exchange information and experiences on different topics. The EDPS actively contributes to the discussions.
The EDPS supports international organisations in their efforts to develop a data protection framework and to interact with each other. For that purpose, a network was created and workshops organised on a regular basis. Since 2005, we have jointly organised seven workshops with international organisations.
The Council of Europe is an important player in privacy and data protection law and policy, not only in Europe but increasingly on other continents where pan European norms are often taken as a source of inspiration for legislation and policies.
The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) is open to accession by both European and non-European countries. It is used as a tool to help spread the European model of data protection as a fundamental and human right. The Convention 108 has been recently modernised to deal with challenges resulting from the use of new information and communication technologies and to strengthen the Convention’s effective implementation.
The EDPS is an observer at the Council of Europe’s expert groups on data protection, including the Consultative Committee (T PD) of Convention 108 and the ad hoc committee on data protection (CAHDATA).
We attend the meetings of these expert groups and provide informal oral and written comments with a view to ensure a good level of protection and compatibility with EU data protection standards.
The EDPS is an observer at the Organisation for Economic Cooperation and Development (OECD) Working Party on Security and Privacy in the Digital Economy (SPDE).
We advise the European Commission where necessary and provide comments to the Working Party on recommendations relating to the protection of privacy and data protection.
Other Regional and International Networks
The EDPS also follows the activities of other networks to support regional initiatives that aim to strengthen data protection worldwide.
These include the Global Privacy Enforcement Network (GPEN), the Asia Pacific Privacy Forum (APPA), the French-speaking association of personal data protection authorities (AFAPDP), the Ibero-American data protection network (RIPD)
The EDPS regularly participates in the annual case-handling workshops organised by national data protection authorities (DPAs) and supervisory authorities in Europe (including non-EU countries such as Montenegro). These workshops are useful fora to discuss practical issues at working level and bring together DPA staff (complaint handlers and inspectors for example) from all over Europe. Subjects in past workshops include the right to be forgotten by search engines, the processing of data by private investigators/detectives, CCTV, credit scoring and anti-money-laundering.
The International Working Group on Data Protection in Telecommunications serves as an early warning mechanism to alert privacy and data protection authorities around the world about new technological challenges for personal data protection.
Also known as the Berlin Group, as it is facilitated by the Berlin Commissioner for Data Protection and Information Freedom, it is made up of data protection and privacy commissioners, including the EDPS, from Europe, America, Asia Pacific and Africa and a limited number of legal and technical experts from civil society, academia and business.
The task of the Group is to provide its members and the public with working papers on specific technological developments.