The CSC was created by the EDPB in accordance with Article 62 of Regulation (EU) 2018/1725 of 23 October 2018.
Article 62 provides that the European Data Protection Supervisor (EDPS) and the national supervisory authorities, each acting within the scope of their respective competences, shall cooperate actively within the framework of their responsibilities to ensure effective supervision of large-scale IT systems and of Union bodies, offices and agencies. For this purpose, Article 62 sets forth that they shall meet at least twice a year within the framework of the EDPB. This provision allows the EDPB to develop any further working methods as necessary.
Pursuant to Article 62 of Regulation (EU) 2018/1725, the EDPB created the CSC and regulated it in Title VII of the EDPB Rules of Procedure. The EDPB enabled the CSC to adopt its own rules of procedures and working methods to allow for its autonomous functioning and positioning.
On that basis, the CSC adopted its own Rules of Procedure.
The CSC also conducts its activities in coordinating the supervision of the processing of personal data in an EU large scale IT system or body, office or agency in accordance with the EU legal act establishing the large scale IT system or the EU body, office, or agency.
IMI System
The CSC ensures coordination in the supervision of the processing of personal data in the Internal Market Information System (IMI) in accordance with Article 21 of Regulation (EU) No 1024/2012 (as modified by Article 38 of Regulation (EU) No 2018/1724). More information can be found on the European Commission’s IMI page here.
The national Data Protection Authorities ('DPAs') of the 27 EU Member States participate in the activities of the CSC in relation to IMI. The national DPAs of Iceland, Liechtenstein, and Norway also participate, as their respective countries also apply the EU legal acts governing IMI.
The Internal Market Information System (IMI) is a secure, multilingual online tool, developed by the European Commission in close collaboration with the Member States, that facilitates the Exchange of information between public authorities involved in the practical implementation of EU law and helps authorities to fulfil their cross-border administrative cooperation obligations in multiple Single Market policy areas. Further information is available here.
Data subjects may exercise their rights under the GDPR by contacting directly the competent national authority, which collected their data for the purposes of processing in IMI. If they are not satisfied with the response provided or consider that their rights are not being ensured, they may address their national DPA via the contacts mentioned here.
European Union Agency for Criminal Justice Cooperation (Eurojust)
The CSC ensures coordination in the supervision of the processing of operational personal data in the context of cooperation between the national members within Eurojust in accordance with Article 42 (2) of Regulation (EU) No 1727/2018. More information can be found on Eurojust’s website here.
The national Data Protection Authorities ('DPAs') of the 27 EU Member States participate in the activities of the CSC in relation to Eurojust.
Eurojust is a hub based in The Hague, The Netherlands, where national judicial authorities work closely together to fight serious organised cross-border crime and aims to help make Europe a safer place by coordinating the work of national authorities in investigating and prosecuting transnational crime. Further information about Eurojust and its legal basis is available on this page.
European Public Prosecutor’s Office (EPPO)
The CSC ensures the coordination in the supervision of the processing of operational personal data in the context of cooperation between the national members within the EPPO in accordance with Article 87 of Regulation (EU) No 1939/2017. More information is available on the EPPO website.
The national Data Protection Authorities ('DPAs') of the 22 participating EU Member States participate in the activities of the CSC in relation to the EPPO.
The European Public Prosecutor’s Office (www.eppo.europa.eu) is an independent and decentralised prosecution office of the European Union, with the competence to investigate, prosecute and bring to judgment crimes against the EU budget, such as fraud, corruption or serious cross-border VAT fraud.
European Union Agency for Law Enforcement Cooperation (Europol)
The CSC ensures that national data protection authorities (DPAs) and the EDPS cooperate closely in their supervision of the processing of personal data transmitted to and from Europol, in accordance with Article 44.2 of Regulation (EU) 2022/991. More information on Europol’s activities is available on the Europol website.
The national DPAs of the 26 EU Member States that are part of Europol participate in the activities of the CSC in relation to this EU agency.
Europol is an agency of the European Union with a mandate to support and strengthen the action of Member States law enforcement authorities and their cooperation in preventing and combating serious crime affecting two or more EU Member States, terrorism and forms of crime which affect a common interest covered by a Union policy.
Until the entry into force of Regulation 2022/991, the supervision of Europol was coordinated among the national supervisory authorities and the EDPS via the Europol Cooperation Board (ECB). The ECB archive can be consulted here.
Schengen Information System (SIS)
The CSC ensures coordination in the supervision of the processing of personal data in the Schengen Information System (SIS) in accordance with Article 71 of Regulation (EU) No 2018/1862, and Article 57 of Regulation (EU) No. 2018/1861.
The national Data Protection Authorities ('DPAs') of the Schengen Member States, together with the European Data Protection Supervisor (EDPS) participate in the activities of the CSC in relation to SIS. The Schengen Member States consist of 27 EU Member States, plus Iceland, Norway, Liechtenstein and Switzerland.
More information is available on the dedicated SIS website of the European Commission here.
Until the entry into force of Regulations 2018/1862 and 2018/1861, the supervision of SIS was coordinated among the national supervisory authorities and the EDPS via the Schengen Information System II Supervision Coordination Group (“SIS II SCG”) since the entry into force of the second generation Schengen Information System (“SIS II”) on 9 April 2013. The archive of the SIS II SCG can be consulted here. Before that, the supervision was coordinated among the national supervisory authorities via the Joint Supervisory Authority (JSA). You can find the JSA archive here.
Renewed SIS was launched and became fully operational on March 2023.
Covered in the near future
The processing of personal data in the following EU large scale IT systems and agencies will also fall under the scope of the CSC coordinating activities, once this is foreseen in the EU legal act governing them and they enter into operation.
- Entry/Exit System (EES)
- The European Travel Information and Authorisation System (ETIAS)
- The European Criminal Records Information System on non EU-nationals (ECRIS-TCN)
- Visa Information System (VIS)
- European Asylum Dactyloscopy Database (EURODAC)
- Customs Information System (CIS)
- Interoperability of EES, ETIAS, ECRIS-TCN, EURODAC, SIS, and VIS
In the meantime, the coordinated supervision of some EU systems is already made under “Supervision Coordination Groups” for which the EDPS is providing the secretariat. More information is available here.