Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα
 

LOGO


The Commissioner’s supervisory role
and the exercise of data subject rights in large scale IT systems operated in the EU

Several large scale Information technology systems operate in the EU, which allow to Member States’ competent authorities to exchange information for effective execution of their competences and tasks. These systems are supervised at central level by the European Data Protection Supervisor (EDPS) and at national level by the data protection supervisory authorities (NSAs). For the effective cooperation of the EDPS with the NSAs there are institutionalized Joint Supervisory Bodies (JSBs) or Coordinated Supervision Groups (CSGs), where the Commissioner’s Office participates as member or observer.

The role of the Commissioner, as supervisory authority of the national systems described below is to ensure that the competent authorities of the Republic process personal data in accordance with the relevant EU and national legislation and that the citizens’ rights are exercised in line with these legislations. Interested persons can exercise before Cypriot competent authorities, the right to access, rectification, erasure and restriction of data that concern them. The exercise of these rights may be subject to restrictions which are foreseen in the EU or national relevant legislations or are permitted by the Commissioner.

Europol Information System

Europol is the EU’s law enforcement agency, with its headquartered in The Hague and Europol National Units (ENUs) in each Member State. Europol allows the exchange of information among MS’s law enforcement authorities for the purpose of mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy.

The object of Europol is to assist with the prevention and investigation of organised crime, terrorism and other forms of serious crime, as listed in Annex I of the Europol Regulation, which affect two or more Member States. It does so by exchanging information and by acting as the EU’s information hub, providing intelligence analyses and threat assessments.

To achieve its aims, Europol has established the Europol Information System, which provides a database for Member States to exchange criminal intelligence and information through their ENUs. The Europol Information System may be used to make available data which relate to: persons who are suspects or who have been convicted of a criminal offence which is subject to Europol’s competence; or persons regarding whom there are factual indications that they will commit such offences.

The European Data Protection Supervisor (EDPS) is responsible for monitoring and ensuring the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data by Europol, and for advising Europol and data subjects on all matters concerning the processing of personal data. To that end, the EDPS acts as an investigating and complaints body and acts in close cooperation with the national supervisory authorities.

An appeal against a decision of the EDPS can be brought before the CJEU. Any individual who has suffered damage as a result of an unlawful data processing operation has the right to receive compensation for damage suffered, either from Europol or from the responsible Member State, by bringing an action before the CJEU in the first case, or before the competent national court in the second case. In addition, a specialised Joint Parliamentary Scrutiny Group (JPSG) of the national parliaments and the European Parliament can scrutinise Europol’s activities.

Every individual has a right of access to any personal data that Europol may be holding about him or her, in addition to a right to request that these personal data be checked, corrected or erased. These may be subject to exemptions and limitations.

The Competent authority in Cyprus is the national Europol Unit of the Police. For more information and for the exercise of data subjects’ rights, visit the Police’s website.

EUROJUST

Eurojust is an EU body which promotes judicial cooperation in investigations and prosecutions relating to serious crime concerning at least two Member States.

Eurojust allows the exchange of information among MS’s judicial and prosecuting authorities for the purpose of strengthening coordination and cooperation among national authorities for investigating and prosecuting serious crimes that affect two or more Member States, or requires prosecution on common bases, on the basis of operations conducted and information supplied by the Member States’ authorities, by Europol, by EPPO and by OLAF.

The functions of Eurojust are performed by national members. Each Member State delegates one judge or prosecutor to Eurojust, whose status is subject to the national law and is empowered with the necessary competences to perform the tasks necessary to stimulate and improve judicial cooperation.

Eurojust may process personal data as far as this is necessary to achieve its objectives. It may cooperate with other EU institutions, bodies and agencies and exchange personal data with them. Eurojust may also cooperate and exchange personal data with third countries and organisations.

An independent Joint Supervisory Body (JSB) has been established at Eurojust with the task of monitoring the processing of personal data performed by Eurojust. Individuals may appeal to the JSB if they are not satisfied with Eurojust’s decision to a request for access, rectification, blocking or erasure of personal data. Where Eurojust processes personal data unlawfully, Eurojust shall be liable in accordance with the national law of the Member State where its headquarters is located, the Netherlands, for any damage caused to the data subject.

The competent authorities in Cyprus are the Office of the Attorney General and the competent Courts.

Under Article 19 of the Eurojust Decision, you have a right of access, rectification and deletion to personal data concerning you processed by Eurojust under the conditions laid down in this article, or you can ask to have such information checked. There is no charge for exercising this right.

To exercise your rights, you should make a request in writing either to Eurojust or to a competent authority in one of the Member States. Your request will then be sent to Eurojust. Eurojust is required to have fully dealt with your request within three months of receipt. In Cyprus you can make a request to the Commissioner for Personal Data Protection and the Commissioner will transmit your request to Eurojust. More information about the exercise of data subject rights can be found on the dedicated webpage of Eurojust.

EURODAC

Eurodac stands for European Dactyloscopy. It is a centralised system that contains the fingerprint data of third-country nationals and stateless persons who apply for asylum in one of the EU Member States. It allows the exchange of information among MS’s asylum authorities for the purpose of determining the Member State responsible for examining an application for international protection submitted by a third country national and for the comparison of fingerprint data with those stored in the Central System for law enforcement purposes.

Its purpose is primarily to assist in determining which Member State should be responsible for examining a particular asylum application under Regulation (EC) No. 604/2013. Personal data in Eurodac mainly serve the purpose of facilitating the application of the Dublin III Regulation.

Eurodac consists of a central unit, operated by eu-LISA, for storing and comparing fingerprints, and a system for electronic data transmission between Member States and the central database. Member States take and transmit the fingerprints of every person of at least 14 years of age who asks for asylum in their territory, and of every non-EU national or stateless person of at least 14 years of age who is apprehended for the unauthorised crossing of their external border.

Collection and transmission of fingerprint data is subject to judicial review by the national courts. If a person suffers damage as a result of an unlawful processing operation, or from any act that is incompatible with the Eurodac regulation, this person is entitled to compensation from the Member State responsible for the damage.

The Eurodac SCG has been set up to ensure supervision of Eurodac. It consists of representatives of the EDPS and the national supervisory authorities, which meet up twice a year. This group consists of the representatives of the 28 EU Member States and those of Iceland, Liechtenstein, Norway and Switzerland.

The Commissioner for Personal Data Protection assists and advises the data subjects on the exercise of their rights granted by the GDPR.

The competent authorities in Cyprus are the Asylum Unit and the Police.

Schengen Information System (SIS II)

The second generation Schengen Information System (SIS II) allows the exchange of information among MS’s competent authorities for purposes of migration and border control and for law enforcement purposes. In the system there is filed information for third countries’ nationals, wanted persons with a European arrest warrant, missing persons, persons monitored by the police or persons prohibited to enter the Schengen area, stolen vehicles and stolen or lost travelling documents such as passports and identity cards.

SIS II consists of a central system (C-SIS), a national system (N-SIS) in each Member State, and a communication infrastructure between the central system and the national systems. C-SIS contains certain data entered by the Member States on persons and objects. SIS is used by national border control, police, customs, visa and judicial authorities throughout the Schengen Area. Each of the Member States operates a national copy of the C-SIS, known as National Schengen Information Systems (N-SIS), which are constantly updated, thereby updating the C-SIS.

There are different types of alerts in SIS:
- the person does not have the right to enter or stay in the Schengen territory; or
- the person or object is sought by judicial or law enforcement authorities (e.g. European Arrest Warrants, requests for discreet checks); or
- the person has been reported as missing; or
- goods, such as banknotes, cars, vans, firearms and identity documents, have been reported as stolen or lost property.

The SIS II Regulation also contains certain rights for the data subject: the right of access, rectification, erasure and the right to be informed if there is an alert issued against the data subject. The information shall be in writing and be accompanied with a copy or a reference to the national decision to issue the alert.

The rights can be restricted by national law, amongst other things, for safeguarding national security or preventing criminal offences.

The SIS II’s Supervision Coordination Group (SCG) has been set up to ensure the SIS’s supervision coordination and it meets up to twice a year. This group consists of the EDPS and representatives of the supervisory authorities of those Member States that have implemented SIS II, as well as Iceland, Liechtenstein, Norway and Switzerland, since the SIS applies to them as well, given that they are members of Schengen.

Cyprus, Croatia and Ireland are not yet part of SIS II and therefore only participate as observers to the SCG. Within the context of the SCG, the EDPS and the national supervisory authorities cooperate actively, by exchanging information, assisting each other in the conducting of audits and inspections, designing harmonised proposals for common solutions to potential problems and in promoting awareness of data protection rights.

The SIS II SCG adopted a guide to assist data subjects in exercising their access rights

SIS II does not operate in Cyprus yet. When the national legislation comes into force, the competent authority shall be the national SIS Unit of the Police.

Visa Information System (VIS)

The Visa Information System (VIS), which also operated by the eu-LISA, was developed to support the implementation of a common EU visa policy. The VIS allows the exchange of information among MS’s competent authorities for purposes of issuing visas to third counties’ nationals.

The VIS allows Schengen states to exchange data concerning visa applicants through a fully centralized system which connects the consulates and embassies of the Schengen states situated in non-EU countries with the external border-crossing points of all Schengen states. The VIS processes data regarding applications for short-stay visas to visit or to transit through the Schengen area. The VIS enables border authorities to verify, with the help of biometric attributes, notably fingerprints, whether or not the person presenting a visa is its rightful holder and to identify persons with no or fraudulent documents.

However, the Cypriot VIS is used only for processing visa applications submitted to Embassies and Consulates of the Republic or exceptionally at the points of entry. The national VIS is not connected to the central EU VIS and the Ministry of Foreign Affairs does not have the capability of exchanging information with other MS’s competent authorities. For more information about VIS, in English, see the relevant note of the Ministry of Foreign Affairs.


Customs Information System (CIS)

Another important information system established at EU level is the Customs Information System (CIS). In the course of establishing an internal market, all checks and formalities in respect of goods moving within the EU territory were abolished, leading to a heightened risk of fraud. This risk was counterbalanced by intensified cooperation between the Member States’ customs administrations. The purpose of CIS is to assist the Member States in preventing, investigating and prosecuting serious violations of national and EU customs and agricultural laws.

The Customs Information System (CIS) allows the exchange of information among MS’s custom authorities for purposes of prevention, investigation and prosecution of criminal offences related to the EU law for customs and agriculture and for purposes of mutual assistance and cooperation of these authorities for ensuring the correct application of customs and agricultural regulations.

The information contained in CIS comprises personal data related to commodities, means of transport, businesses, persons, goods and cash retained, seized or confiscated. The categories of data that can be processed are clearly defined, and include the names, nationality, sex, place and date of birth of the individuals concerned, the reason for the inclusion of their data in the system and the registration number of the means of transport.

The processing of personal data must comply with the specific rules established by Regulation No. 515/97 and Council Decision 2009/917/JHA, as well as the provisions of the General Data Protection Regulation, the EU Institutions Data Protection Regulation, Modernised Convention 108 and the Police Recommendation. The EDPS is responsible for supervising CIS’s compliance with Regulation (EC) No. 45/2001. It convenes a meeting at least once a year with all national data protection supervisory authorities with competence regarding CIS-related supervisory issues.

Data subjects can exercise the rights granted by the GDPR, namely the right of access, rectification and erasure, where personal data were processed unlawfully. The exercise of the rights may be subject to restrictions.

A guide was prepared and describes the modalities of exercising these rights in each of the countries involved.

In Cyprus, the competent authority for CIS is the Customs and Excise Department. For more information, visit the Department’s website.


Internal Market Information System (IMI)

The Internal Market Information System (IMI) allows to competent authorities of a MS which implement EU legislation on Internal Market issues to find the respective authorities of other MSs and to exchange information, through standardized questions, in the frame of their competences, for the effective implementation of the EU legislation.

The IMI serves a number of EU Acts, such as the Directive for professional qualifications, the Directive for Services, the Directive for the posting of workers, the Regulation for cross-border transportation of euro cash by road, the Directive for patients’ rights the cross-border handling of complaints through SOLVIT and the Directive for electronic commerce. In Cyprus, the national coordinator for IMI is the Ministry of Energy, Commerce, Industry and Tourism. For more information visit the Ministry’s website.





Κατεβάστε το αρχείο τύπου Acrobat VI CIS Guide of Access right.pdf


Back To Top