(...)

The CSC was created by the EDPB in accordance with Article 62 of Regulation (EU) 2018/1725 of 23 October 2018.

Article 62 provides that the European Data Protection Supervisor (EDPS) and the national supervisory authorities, each acting within the scope of their respective competences, shall cooperate actively within the framework of their responsibilities to ensure effective supervision of large-scale IT systems and of Union bodies, offices and agencies. For this purpose, Article 62 sets forth that they shall meet at least twice a year within the framework of the EDPB. This provision allows the EDPB to develop any further working methods as necessary.

Pursuant to Article 62 of Regulation (EU) 2018/1725, the EDPB created the CSC and regulated it in Title VII of the EDPB Rules of Procedure. The EDPB enabled the CSC to adopt its own rules of procedures and working methods to allow for its autonomous functioning and positioning.

On that basis, the CSC adopted its own Rules of Procedure. 

The CSC also conducts its activities in coordinating the supervision of the processing of personal data in an EU large scale IT system or body, office or agency in accordance with the EU legal act establishing the large scale IT system or the EU body, office, or agency.

IMI System

The CSC ensures coordination in the supervision of the processing of personal data in the Internal Market Information System (IMI) in accordance with Article 21 of Regulation (EU) No 1024/2012 (as modified by Article 38 of Regulation (EU) No 2018/1724). More information can be found on the European Commission’s IMI page here.

The national Data Protection Authorities ('DPAs') of the 27 EU Member States participate in the activities of the CSC in relation to IMI. The national DPAs of Iceland, Liechtenstein, and Norway also participate, as their respective countries also apply the EU legal acts governing IMI. 

The Internal Market Information System (IMI) is a secure, multilingual online tool, developed by the European Commission in close collaboration with the Member States, that facilitates the Exchange of information between public authorities involved in the practical implementation of EU law and helps authorities to fulfil their cross-border administrative cooperation obligations in multiple Single Market policy areas. Further information is available here.   

Data subjects may exercise their rights under the GDPR by contacting directly the competent national authority, which collected their data for the purposes of processing in IMI. If they are not satisfied with the response provided or consider that their rights are not being ensured, they may address their national DPA via the contacts mentioned here.

European Union Agency for Criminal Justice Cooperation (Eurojust)

The CSC ensures coordination in the supervision of the processing of operational personal data in the context of cooperation between the national members within Eurojust in accordance with Article 42 (2) of Regulation (EU) No 1727/2018. More information can be found on Eurojust’s website here.

The national Data Protection Authorities ('DPAs') of the 27 EU Member States participate in the activities of the CSC in relation to Eurojust.

Eurojust is a hub based in The Hague, The Netherlands, where national judicial authorities work closely together to fight serious organised cross-border crime and aims to help make Europe a safer place by coordinating the work of national authorities in investigating and prosecuting transnational crime. Further information about Eurojust and its legal basis is available on this page.

European Public Prosecutor’s Office (EPPO)

The CSC ensures the coordination in the supervision of the processing of operational personal data in the context of cooperation between the national members within the EPPO in accordance with Article 87 of Regulation (EU) No 1939/2017. More information is available on the EPPO website.

The national Data Protection Authorities ('DPAs') of the 22 participating EU Member States participate in the activities of the CSC in relation to the EPPO.

The European Public Prosecutor’s Office (www.eppo.europa.eu) is an independent and decentralised prosecution office of the European Union, with the competence to investigate, prosecute and bring to judgment crimes against the EU budget, such as fraud, corruption or serious cross-border VAT fraud.

European Union Agency for Law Enforcement Cooperation (Europol)

The CSC ensures that national data protection authorities (DPAs) and the EDPS cooperate closely in their supervision of the processing of personal data transmitted to and from Europol, in accordance with Article 44.2 of Regulation (EU) 2022/991. More information on Europol’s activities is available on the Europol website.

The national DPAs of the 26 EU Member States that are part of Europol participate in the activities of the CSC in relation to this EU agency.

Europol is an agency of the European Union with a mandate to support and strengthen the action of Member States law enforcement authorities and their cooperation in preventing and combating serious crime affecting two or more EU Member States, terrorism and forms of crime which affect a common interest covered by a Union policy.

Until the entry into force of Regulation 2022/991, the supervision of Europol was coordinated among the national supervisory authorities and the EDPS via the Europol Cooperation Board (ECB). The ECB archive can be consulted here.

Schengen Information System (SIS)

The CSC ensures coordination in the supervision of the processing of personal data in the Schengen Information System (SIS) in accordance with Article 71 of Regulation (EU) No 2018/1862, and Article 57 of Regulation (EU) No. 2018/1861.

The national Data Protection Authorities ('DPAs') of the Schengen Member States, together with the European Data Protection Supervisor (EDPS) participate in the activities of the CSC in relation to SIS. The Schengen Member States consist of 27 EU Member States, plus Iceland, Norway, Liechtenstein and Switzerland.

More information is available on the dedicated SIS website of the European Commission here.

Until the entry into force of Regulations 2018/1862 and 2018/1861, the supervision of SIS was coordinated among the national supervisory authorities and the EDPS via the Schengen Information System II Supervision Coordination Group (“SIS II SCG”) since the entry into force of the second generation Schengen Information System (“SIS II”) on 9 April 2013. The archive of the SIS II SCG can be consulted here. Before that, the supervision was coordinated among the national supervisory authorities via the Joint Supervisory Authority (JSA). You can find the JSA archive here.

Renewed SIS was launched and became fully operational on March 2023.

Covered in the near future

The processing of personal data in the following EU large scale IT systems and agencies will also fall under the scope of the CSC coordinating activities, once this is foreseen in the EU legal act governing them and they enter into operation.

• Entry/Exit System (EES)
• The European Travel Information and Authorisation System (ETIAS)
• The European Criminal Records Information System on non EU-nationals (ECRIS-TCN)
• Visa Information System (VIS)
• European Asylum Dactyloscopy Database (EURODAC)
• Customs Information System (CIS)
• Interoperability of EES, ETIAS, ECRIS-TCN, EURODAC, SIS, and VIS

In the meantime, the coordinated supervision of some EU systems is already made under “Supervision Coordination Groups” for which the EDPS is providing the secretariat. More information is available here.

The Coordinated Supervision Committee (CSC) is a group of national supervisory authorities and the European Data Protection Supervisor (EDPS) to ensure coordinated supervision of large scale IT systems and of EU bodies, offices and agencies, in accordance with Article 62 of Regulation (EU) 2018/1725 or with the EU legal act establishing the large scale IT system or the EU body, office or agency.

The current EU information systems, bodies and agencies falling within the scope of the CSC include:

• Internal Market Information System (IMI)
• European Union Agency for Criminal Justice Cooperation (Eurojust)
• European Public Prosecutor’s Office (EPPO)
• European Union Agency for Law Enforcement Cooperation (Europol)
• The Schengen Information System (SIS)
• Visa Information System (VIS)
• Customs Information System (CIS)
• Prüm II

Covered in the near future:

• Entry/Exit System (EES)
• The European Travel Information and Authorisation System (ETIAS)
• The European Criminal Records Information System on non EU-nationals (ECRIS-TCN)
• European Asylum Dactyloscopy Database (EURODAC)
• Interoperability of EES, ETIAS, ECRIS-TCN, EURODAC, SIS, Prüm II and VIS

The CSC also provides a forum for cooperation in the context of the supervision of personal data processing activities covered by Regulation (EU) 2023/2854 ("Data Act"), Regulation (EU) 2023/1773 on the carbon border adjustment mechanism transitional registry and Commission Implementing Regulation 2024/3084 establishing an Information System to facilitate the transfer of information between Member States competent authorities, and customs authorities related to deforestation and forest degradation.

For further details on these EU information systems, bodies and agencies please see the page CSC Legal Framework.

The CSC is established within the framework of the European Data Protection Board (EDPB) and composed of representatives of the national data protection authorities of each EU Member State and the EDPS, as well as of national data protection authorities of non-EU Members of the Schengen Area when foreseen under EU law.  

The representatives of the national data protection authorities may participate in the activities of the CSC concerning a specific large scale IT system or EU office, body or agency, only when their respective country applies the EU legal act establishing the large scale IT system or the EU office, body or agency.

The EDPB Secretariat provides the Secretariat of the CSC.

Coordinator and Deputy Coordinator

Fanny Coudert, Coordinator; representative from European Data Protection Supervisor (EDPS)

Sebastian Hümmeler, Deputy Coordinator, representative from the German Federal supervisory authority

Matej Sironič, Deputy Coordinator, representative from the Slovenian supervisory authority

Mission

The CSC ensures the coordinated supervision by data protection authorities of large scale IT systems and of EU bodies, offices and agencies falling under its scope, in accordance with Article 62 of Regulation (EU) 2018/1725 or with the EU legal act establishing the large scale IT system or the EU body, office or agency.

To get an overview of the EU information systems and agencies currently falling within the scope of the CSC, please see the page CSC Legal Framework.

Tasks and duties

Within its mission to ensure the coordinated supervision of some large scale IT systems and of EU bodies, offices and agencies, the CSC can:

- Exchange relevant information
- Assist the supervisory authorities in carrying out audits and inspections
- Examine difficulties of interpretation or application of the EU legal act establishing the large-scale IT system or the EU office, body or agency subject to coordinated supervision
- Study problems with the exercise of independent supervision or with the exercise of the rights of data subjects
- Draw up harmonised proposals for solutions to problems
- Promote awareness of data protection rights

The CSC also produces a report of its activities on coordinated supervision every two years. The CSC communicates this report to the EDPB for submission to the European Parliament, the Council, the Commission and other addressees when specifically required in the EU legal act establishing the large-scale IT system or the EU body, office or agency subject to coordinated supervision.

Nature

The CSC is a committee established within the framework of the EDPB in accordance with Article 62 of Regulation (EU) 2018/1725. The Committee enjoys an autonomous functioning and positioning, pursuant to Article 37.2 of the EDPB Rules of Procedure. The Committee adopts its own rules of procedure and working methods.