Opinion of 4 May 2011 on the notification for prior checking concerning the Consumer Protection Co-operation System ("CPCS") (Case 2009-0019)
In this Opinion the EDPS assesses data protection compliance in the Consumer Protection Cooperation System ("CPCS") and recommends further improvements to be made, in particular, technical and organizational measures to be taken by the Commission.
The CPCS is an information technology system designed and operated by the Commission pursuant to Regulation (EC) No 2006/2004 on consumer protection cooperation ("CPC Regulation"). The CPCS facilitates co-operation among “competent authorities” in EU Member States and the Commission in the area of consumer protection. In the framework of their co-operation, competent authorities exchange information including personal data.
The recommendations in this Opinion are addressed to the Commission, which has a central role in designing and operating the CPCS and which is subject to the supervision of the EDPS. With that said, many of the recommendations provided in this Opinion - including those on training, data protection Guidelines, information to data subjects and "privacy by design" solutions built into the system architecture - can also facilitate compliance with data protection rules by other users of the system, such as competent authorities in Member States. Therefore, the recommendations set for the Commission should help ensure a high overall level of data protection within the CPCS.
The EDPS welcomes the fact that CPCS is grounded on a legal basis such as the CPC Regulation and that this legislative text has been complemented over time with the CPC Implementing Decision and the CPC Data Protection Guidelines, which provide more details with regard to the processing as well as specific data protection safeguards. The EDPS also acknowledges the work done at the practical level, with regard to the security and functionalities of CPCS.
In his Opinion, the EDPS recommends the following:
- concerning data quality, (i) the CPCS system architecture should continue to be configured in such a way as to facilitate, to the greatest extent possible, compliance with data protection laws; and (ii) the Commission should continue its activities to help ensure that the users of the system are adequately trained, guided, and empowered to take decisions concerning data protection;
- with regard to the retention period, (i) unless an investigation or enforcement action is ongoing, alerts should be withdrawn and deleted within an appropriate time period from their issuance (the EDPS recommends a period of six months unless another, more appropriate retention period can be justified); the Commission should: (ii) clarify further the purpose of the five-year data retention period; (iii) evaluate whether a shorter retention period would achieve the same objectives; and (iv) evaluate whether all information currently foreseen needs to be retained or whether a subset of the information would suffice;
- the Commission should revise and make prominent its draft privacy notice on the website and raise awareness about the importance of notice provision among competent authorities (or SLOs) to help encourage notice provision at national level; and
- further measures should be taken to facilitate the exercise of data subjects' rights of access, rectification and deletion of their data. To facilitate coordination, a data protection module within the CPCS could be considered.