The CSC was created by the EDPB in accordance with Article 62 ofRegulation (EU) 2018/1725 of 23 October 2018.
Article 62 provides that the European Data Protection Supervisor (EDPS) and the national supervisory authorities, each acting within the scope of their respective competences, shall cooperate actively within the framework of their responsibilities to ensure effective supervision of large-scale IT systems and of Union bodies, offices and agencies. For this purpose, Article 62 sets forth that they shall meet at least twice a year within the framework of the EDPB. This provision allows the EDPB to develop any further working methods as necessary.
Pursuant to Article 62 of Regulation (EU) 2018/1725, the EDPB created the CSC and regulated it in Title VII of theEDPB Rules of Procedure. The EDPB enabled the CSC to adopt its own rules of procedures and working methods to allow for its autonomous functioning and positioning.
On that basis, the CSC adopted its ownRules of Procedure.
The CSC also conducts its activities in coordinating the supervision of the processing of personal data in an EU large scale IT system or body, office or agency in accordance with theEU legal act establishing the large scale IT system or the EU body, office, or agency.
The CSC ensures coordination in the supervision of the processing of personal data in the Internal Market Information System (IMI) in accordance with Article 21 of Regulation (EU) No 1024/2012 (as modified by Article 38 ofRegulation (EU) 2018/1724).
The national Data Protection Authorities ('DPAs') of the 27 EU Member States participate in the activities of the CSC in relation to IMI. The national DPAs of Iceland, Liechtenstein, and Norway also participate, as their respective countries also apply the EU legal acts governing IMI.
The Internal Market Information System (IMI) is a secure, multilingual online tool, developed by the European Commission in close collaboration with the Member States, that facilitates the Exchange of information between public authorities involved in the practical implementation of EU law and helps authorities to fulfil their cross-border administrative cooperation obligations in multiple Single Market policy areas.
Data subjects may exercise their rights under the GDPR by contacting directly the competent national authority, which collected their data for the purposes of processing in IMI. If they are not satisfied with the response provided or consider that their rights are not being ensured, they may address their national DPA,contacts.
Further information is available on the European Commission’sIMI page.
The CSC ensures coordination in the supervision of the processing of operational personal data in the context of cooperation between the national members within Eurojust in accordance with Article 42 (2) ofRegulation (EU) 2018/1727.
The national Data Protection Authorities ('DPAs') of the 27 EU Member States participate in the activities of the CSC in relation to Eurojust.
Eurojust is a hub based in The Hague, The Netherlands, where national judicial authorities work closely together to fight serious organised cross-border crime and aims to help make Europe a safer place by coordinating the work of national authorities in investigating and prosecuting transnational crime. Further information aboutEurojust and its legal basis.
Further information is availableEurojust website.
The CSC ensures the coordination in the supervision of the processing of operational personal data in the context of cooperation between the national members within the EPPO in accordance with Article 87 ofRegulation (EU) 2017/1939.
The national Data Protection Authorities ('DPAs') of the 24participating EU Member States participate in the activities of the CSC in relation to the EPPO.
TheEuropean Public Prosecutor’s Office is an independent and decentralised prosecution office of the European Union, with the competence to investigate, prosecute and bring to judgment crimes against the EU budget, such as fraud, corruption or serious cross-border VAT fraud.
Further information is available on theEPPO website.
The CSC ensures that national data protection authorities (DPAs) and the EDPS cooperate closely in their supervision of the processing of personal data transmitted to and from Europol, in accordance with Article 44.2 ofRegulation (EU) 2022/991.
The national DPAs of the 27EU Member States that are part of Europol participate in the activities of the CSC in relation to this EU agency.
Europol is an agency of the European Union with a mandate to support and strengthen the action of Member States law enforcement authorities and their cooperation in preventing and combating serious crime affecting two or more EU Member States, terrorism and forms of crime which affect a common interest covered by a Union policy.
Until the entry into force of Regulation 2022/991, the supervision of Europol was coordinated among the national supervisory authorities and the EDPS via the Europol Cooperation Board (ECB). Consult theECB archive.
Further information on Europol’s activities is available on theEuropol website.
The CSC ensures coordination in the supervision of the processing of personal data in the Schengen Information System (SIS) in accordance with Article 71 ofRegulation (EU) No 2018/1862, and Article 57 ofRegulation (EU) No. 2018/1861.
The national Data Protection Authorities ('DPAs') of the Schengen Member States, together with the European Data Protection Supervisor (EDPS) participate in the activities of the CSC in relation to SIS. The Schengen Member States consist of 27 EU Member States, plus Iceland, Norway, Liechtenstein and Switzerland.
Until the entry into force of Regulations 2018/1862 and 2018/1861, the supervision of SIS was coordinated among the national supervisory authorities and the EDPS via the Schengen Information System II Supervision Coordination Group (“SIS II SCG”) since the entry into force of the second generation Schengen Information System (“SIS II”) on 9 April 2013. The archive of the SIS II SCG can be consultedhere. Before that, the supervision was coordinated among the national supervisory authorities via the Joint Supervisory Authority (JSA). Consult theJSA archive.
Renewed SIS was launched and became fully operational on March 2023.
Further information is available on the dedicatedSIS website of the European Commission.
The CSC ensures coordination in the supervision of personal data processing in the Entry/Exit System (EES) in accordance with Art. 57 ofRegulation (EU) 2017/2226.
The EES is an automated border management system for registering non-Schengen nationals travelling with a short-stay visa or travellers who are visa exempt.
The national Data Protection Authorities (DPAs) of the Schengen member states, together with the European Data Protection Supervisor (EDPS), participate in the activities of the CSC in relation to the EES. The Schengen Schengen area comprises 25 EU member states, plus Iceland, Norway, Liechtenstein and Switzerland.
The new EES has become operational on 12 October 2025. European countries using the EES are introducing the system gradually at their external borders withfull implementation by 10 April 2026.
Further information is available on the dedicatedEES website of the European Commission.
The processing of personal data in the following EU large scale IT systems and agencies will also fall under the scope of the CSC coordinating activities, once this is foreseen in the EU legal act governing them and they enter into operation.
In the meantime, the coordinated supervision of some EU systems is already made under “Supervision Coordination Groups” for which the EDPS is providing thesecretariat.