The European Union has set up a number of European large-scale IT systems whose supervision is shared between the national Data Protection Authorities ('DPAs') and the EDPS. In order to ensure a high and consistent level of protection, national DPAs and the EDPS work together in supervision coordination.
Currently, the following IT systems are subject to this supervision model:
- Visa Information System (VIS)
- Schengen Information System (SIS)
- Customs Information System (CIS)
Some of these systems include vast amounts of data - for example, Eurodac contains fingerprints of more than two million persons and the VIS tracks millions of visa applications per year.
While there are slight differences between the legal bases for these systems, in general they establish that national DPAs and the EDPS shall cooperate to ensure coordinated supervision. To this end, representatives of the national DPAs and of the EDPS meet regularly - usually twice a year - to discuss common issues regarding supervision. Activities include inter alia joint inspections and inquiries and work on a shared methodology.
The Secretariat of those groups is provided by the EDPS.
Article 62 of Regulation 2018/1725 provides for a harmonised model of coordinated supervision, applicable where the relevant act of Union law refers to this Article. Pursuant to Article 62, the EDPS and the national data protection authorities, each acting within their respective competences, shall cooperate actively within the framework of their responsibilities to ensure effective supervision of large-scale IT systems and of Union bodies, offices and agencies. They shall meet for these purposes within the framework of the European Data Protection Board (EDPB).
Following a recent revision of the IMI Regulation 1024/2012, the coordinated supervision of the IMI system has been aligned with the Article 62 model. As a result, the support for the IMI Supervision Coordination Group has been handed over to the EDPB Secretariat.