28.4.2007   

EN

Official Journal of the European Union

C 94/3

1.

The goal of the Proposal for a Regulation of the European Parliament and the Council of 13 March amending Council Regulation (EC) No 515/97 on mutual assistance between administrative authorities of the Member States and cooperation between the latter and the Commission to ensure the correct application of the law on customs and agricultural matters (3) (hereinafter ‘the Proposal’) is twofold. On the one hand, the Proposal aims to bring the existing Council Regulation (EC) No 515/97 in line with the new Community powers in the area of Community customs cooperation. On the other hand, the Proposal aims to strengthen the cooperation and information exchanges between Member States and between them and the Commission.

2.

To achieve its two objectives the Proposal inter alia, increases the functionalities of the existing Custom Information System (‘CIS’) and sets up an additional European Data Directory which will reflect the movements of containers and/or means of transport as well as the goods and persons concerned (‘European Data Directory’).

3.

Furthermore, the Proposal brings into Community law the Customs Files Identification Database (‘FIDE’), originally created by Member States pursuant to Title VI of the Treaty on European Union) (4). From now on, FIDE will fall both within the framework of European Community actions and under the third pillar, with the relevant legal instrument governing the functioning of FIDE in each situation. The same situation applies to CIS (5). In practice, this is achieved by setting up two databases, which are made available to different entities in order to ensure their use for different purposes (first and third pillar).

4.

The Proposal was sent by the Commission to the European Data Protection Supervisor (‘EDPS’) for advice as foreseen in Article 28 (2) of Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (hereinafter ‘Regulation (EC) No 45/2001’). The EDPS received this request on 4 January 2007.

5.

In view of the mandatory character of Article 28 (2) of Regulation (EC) No 45/2001, a reference to this consultation exercise should be mentioned in the preamble of the Proposal, before the recitals. To this end, the EDPS suggests mirroring the language used by other legislative proposals to refer to EDPS Opinions (6), which reads as follows: ‘After consulting the European Data Protection Supervisor’.

6.

The creation and upgrading of the various instruments intended to strengthen Community cooperation, i.e. CIS, FIDES and the European Data Directory, entail an increase in the share of personal information that will be originally collected and further exchanged with Member States' administrative authorities and, in some cases, also with third countries. The personal information processed and further shared may include information relating to individuals' alleged or confirmed involvement in wrongdoing actions in the area of customs or agricultural operations. From this perspective, the Proposal has important effects as far as the protection of personal data is concerned. Furthermore, its importance is enhanced if one considers the type of data collected and shared, notably suspicions of individuals being engaged in wrongdoings, and the overall finality and outcome of the processing.

7.

In the light of the Proposal's effect on the protection of personal data, the EDPS considers relevant to issue the present Opinion analysing the impact of the Proposal on the protection of individuals' rights and freedoms with regard to the processing of personal data.

8.

The main elements of the Proposal which have significance from a data protection perspective are the following: (i) The creation of an European Data Directory (Articles 18a and 18b); (ii) the provisions updating the rules on CIS (Articles 23 to 37), and (iii) the rules setting forth FIDE as a Community database (Articles 41a to 41d). Also relevant are various provisions, including those dealing with supervision on data protection, which have been amended to take account of the adoption of Regulation (EC) No 45/2001 (Articles 37, 42, and 43).

9.

The EDPS recalls that his previous Opinion on the Proposal for a Regulation on mutual administrative assistance for the protection of the Community administrative against fraud and other illegal activities (7) pointed out the need to adapt some of the provisions of Council Regulation (EC) No 515/97 to bring it in line with the new data protection legislation applicable to EU institutions, namely the Regulation (EC) No 45/2001. The EDPS is therefore pleased by the Proposal's amendments in this direction.

10.

Furthermore, the EDPS is glad to see that the provisions setting forth the European Data Directory and those updating the rules on the CIS contain safeguards intended to ensure the protection of individuals' personal information and privacy. The EDPS also welcomes the decision to bring FIDES within the scope of Community law, hence under the coverage of Regulation (EC) No 45/2001.

11.

The EDPS understands the relevance of the goals pursued by the Proposal, namely to strengthen the cooperation both between Member States and between them and the Commission. He further recognises the need to set up or update existing instruments such as CIS and FIDE in order to meet these goals. Moreover, the EDPS is pleased to see that in carrying out this endeavour, the Proposal has included data protection safeguards that take into account current data protection legislation applying to EU institutions. However, the EDPS considers that there is room for improvement in order to ensure the Proposal's overall compatibility with the existing legal framework on data protection and the effective protection of individuals' personal data. Towards this end, the EDPS makes the comments and suggestions described in the next section.

12.

Pursuant to Article 18a1 of the Proposal the Commission will create and manage a European Data Directory with the purpose ‘(to) detect movements of goods that are the object of operations in potential breach of customs and agricultural legislation and means of transports’. The Commission will obtain most of the data from public or private service providers active in the international logistical chain or in the carriage of goods. The Directory may be enriched ‘from other data sources’ex Article 18a2 (b). Article 18a.3 lists the data that may be included in the Directory, including the list of personal data that is concerned (8). The Commission will make the data in the Directory available to the relevant authorities in Member States.

13.

The Proposal asserts that the creation of a Directory will be useful towards detecting operations presenting risk of irregularity in relation to customs and agricultural legislation. However, the EDPS considers that, as it should occur each time a central database containing personal data is created, the need for such a database must be properly and carefully assessed and when the database is established, specific safeguards have to be implemented in the light of the data protection principles. The reason being to avoid any developments which would unduly affect the protection of personal data.

14.

The EDPS considers that the Proposal does not provide sufficient arguments supporting the need for the creation of the Directory. In order to ensure that only truly needed databases are created, the EDPS calls upon the Commission to carry out a proper assessment of the necessity of the creation of the Directory and report about the its findings.

15.

As far as data protection safeguards are concerned, the EDPS notes that the Proposal provides for some safeguards, however, he considers that additional measures are necessary.

16.

The EDPS notes that taking into account that the Commission will establish and manage the European Data Directory, and that the Directory will contain personal data, Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data certainly applies to the Directory. Hence, the Commission in its role of data controller of the Directory (9) must ensure compliance with all the provisions contained in this Regulation.

17.

Whereas in the light of the above, Regulation (EC) No 45/2001 applies per se to the creation and management of the Directory, for consistency reasons, the EDPS considers that it would be appropriate to include a new paragraph recalling its application. Indeed, the EDPS notes that Article 34 of the Proposal regarding the Custom Information System (CIS) and the Customs Files Identification Database (‘FIDE’) contains a provision recalling the application of Regulation (EC) No 45/2001. To be congruent with this approach, a similar provision should be included regarding the Directory. Accordingly, the EDPS suggests that Article 18.1 includes a new paragraph borrowing from the language used in Article 34 as follows: ‘The Commission shall regard the European Data Directory as a personal data processing system which is subject to Regulation (EC) No 45/2001’.

18.

The EDPS notes that Article18a.2(b) of the Proposal confirms the application of Regulation (EC) No 45/2001 for certain uses of the Directory, in particular when the Commission uses the Directory to ‘compare and contrast data … to index, to enrich …’. Unless there is a general statement confirming the application of Regulation (EC) No 45/2001 to the Directory as a whole, including the processing operations carried out from the establishment to the management of the Directory, any other activity/stage that is not explicitly mentioned by Article 18a.2 (b) may be deemed as not being covered by Regulation (EC) No 45/2001. This is an additional reason that supports the introduction of the language suggested above.

19.

The EDPS recalls that the Commission, in complying with Regulation (EC) No 45/2001, will be under obligation, among others, to inform individuals whose names are included in the Directory of this fact (10). In particular, it should be kept in mind that such a right exists even if the personal information input in the Directory was collected from public sources. Furthermore, taking into account the purpose of the Directory, the Commission will be bound by Article 27 of Regulation 45/2001, according to which the EDPS must prior check the system before it is implemented (11).

20.

Under Article 18a2(c) of the Proposal, the Commission is empowered to make data available to the Member States' relevant authorities. The EDPS notes that whereas such a transfer is governed by Regulation (EC) No 45/2001, subsequent uses of the data by Member States' authorities will be covered by Directive 95/46/EC. Whereas Article 18a2(c) seems to intend to convey this concept, as further described below, its language could be improved to express this notion more clearly.

21.

Article 18a.2(c) states: ‘In clarmanaging that directory, the Commission is empowered: (c) to make the data in this directory available to the relevant authorities referred to in Article 1(1) for the sole purpose of achieving the objectives of this Regulation and in full compliance with national provisions implementing Directive 95/46/EC’. In the EDPS view, Article 18a.2(c) does not properly reflect the notion that further uses of the personal data by Member States' authorities are regulated by national provisions implementing Directive 95/46/EC. To provide more clarity on this point, the EDPS considers that the final part of Article 18a.2(c) should be amended as follows: ‘… for the sole purpose of achieving the objectives of this Regulation. Subsequent uses of the personal data by those authorities are subject to national provisions implementing Directive 95/46/EC’. In any case, such further use at the national level will have to be compatible with the purpose for which the data are made available by the Commission, unless special conditions are fulfilled (see Article 6.1.b and Article 13.1 of Directive 95/46/EC).

22.

The EDPS supports the approach taken in Article 18.4 of the Proposal to restrict within the Commission the departments empowered to process personal data contained in the European Data Directory. This is in line with Article 22 of Regulation (EC) No 45/2001 which requires data controllers, inter alia, to implement technical and organisational measures, such as ensuring that information is available on a ‘need to know ’basis, to ensure an appropriate level of security of the data.

23.

The last paragraph of Article 18.4 establishes that personal data not necessary for the purposes for which it was collected should have identifying factors removed. It goes on to say that in any event data may not be stored for more than one year. The EDPS welcomes the obligation which is in line with Article 4.1.e of the Regulation which specifies that personal data may be kept in a form which permits identification of the data subjects for no longer than is necessary for the purpose for which the data were collected or further processed.

24.

As required under Article 22 of Regulation (EC) No 45/2001, the Directory must be adequately protected. Ensuring that an optimal security level for the Directory is respected constitutes a fundamental requirement for the protection of personal data stored in the database. Whereas the provisions that regulate the Customs Information System foresee the implementation of specific security measures, the Proposal is silent as far as the European Data Directory is concerned. The EDPS considers that security matters regarding this Directory should be subject to complementary administrative rules setting forth specific measures to ensure the confidentiality of the information. In adopting these rules, the EDPS should be consulted.

25.

Articles 23 to 41 of Council Regulation (EC) No 515/97 set forth the provisions establishing the Custom Information System, a database managed by the Commission, available to Member States and to the Commission, intended to assist them in preventing, investigating and prosecuting operations that breach custom or agricultural legislation.

26.

The Proposal has amended some of the initial provisions establishing the operation and use of CIS. In particular, Article 25 has enlarged the categories of personal data that may be stored in CIS and Article 27 has broadened the list of possible uses of the personal data stored in CIS to include operational analysis enabling, among others, ‘to evaluate the reliability of the information source and the information itself’, ‘to formulate observations, recommendations (…) to detect operations and or identify natural or legal persons’. Furthermore, Article 35.3 opens the possibility to copy the content of CIS into other data processing systems to engage in ‘systems of risk management used to direct national customs controls or in an operational analysis system used to direct coordination actions at community level’.

27.

According to the Proposal, the additional uses outlined above are necessary to assist the detection and prosecution of operations in breach of customs and agricultural legislation. Although the EDPS does not challenge that such needs exist, he considers that the Commission's Proposal should have given more comprehensive information and sound reasons supporting such a need.

28.

The EDPS is glad to see that the above amendments have been accompanied by data protection safeguards. Indeed, the Proposal has kept a closed list of personal data that may be included in CIS (ex Articles 25.1), which can only be included if there is ‘real evidence’that the person has carried out or is about to carry out the wrongdoings (ex Article 27.2). In addition, ex Article 25.3., no sensitive data (12) can be entered in CIS. Furthermore, Article 35.3 has restricted the individuals empowered to copy the content of CIS for the purposes established in the same article and limited the time to retain data copied from CIS. These measures are in line with the data quality principle set forth in Article 4 of Regulation (EC) No 45/2001.

29.

Article 34 of the Proposal has taken into account the adoption of Regulation (EC) No 45/2001 which applies to the processing of personal data by Community institutions and bodies. Accordingly, it requires the Commission to consider that Regulation (EC) No 45/2001 applies to CIS. The EDPS confirms that taking into account that CIS contains personal data and that the Commission has access to the database regarding which it has a role of data controller, Regulation (EC) No 45/2001 certainly applies to it. Accordingly, the EDPS welcomes this amendment which reflects the current legal framework on data protection.

30.

The EDPS reminds that as a result of the application of Article 27 of Regulation (EC) No 45/2001, and taking into account that the purposes of CIS may be deemed to present specific risks to the rights and freedoms of data subject, the EDPS must prior check the system.

31.

In addition to the application of Regulation (EC) No 45/2001, Article 34 the Proposal maintains the simultaneous application of the national provisions implementing Directive 95/46/EC. The EDPS considers this to be the correct approach insofar as Member States' authorities have access to CIS as well as the competence to include and further process the data included in the CIS. In sum, the EDPS considers that control for CIS is shared between the Commission and Member States which act as co-controllers of CIS data.

32.

As a result of the application of Regulation (EC) No 45/2001, the European Data Protection Supervisor is responsible for ensuring the application of the Regulation as far as CIS is concerned. Whereas some of the Articles of the Proposal reflect the EDPS' competences, some do not. In particular, the EDPS regrets that some of the sections of Article 37 dealing with supervision have not been amended accordingly and calls upon the legislators to introduce the amendments described below.

33.

The EDPS notes that Article 37.1 explicitly recognises Member State authorities' competences for the supervision of CIS. However, Article 37.1 does not mention similar EDPS competences under Regulation (EC) No 45/2001. This problem is further emphasized in Article 37.3 which has not been amended by the Proposal. Article 37.3 says ‘The Commission shall take every step within its departments to ensure personal data protection supervision which offers safeguards of a level equivalent to that resulting from paragraph 1…’. In other words, Article 37.1 entrusts the data protection supervision to ‘the Commission’. Evidently, this Article should have been amended to reflect the new EDPS supervisory role. As it stands now, Article 37.3 does not make any sense. To remedy this problem, Article 37.3 should be amended to state that ‘The European Data Protection Supervisor will supervise CIS compliance with Regulation (EC) No 45/2001’.

34.

Furthermore, since CIS is governed not only by Regulation (EC) No 45/2001 but also by the national provisions implementing Directive 95/46/EC, the supervision of CIS falls upon both the EDPS and national data protection authorities. Finally, the supervision activities of the national supervisory authorities and the EDPS should be coordinated to a certain extent, in order to ensure a sufficient level of consistency and overall effectiveness. As stated in previous opinions of the EDPS regarding databases under the supervision of the EU Member States and the EDPS ‘there is a need for a harmonized implementation of the Regulation and for working towards a common approach of common problems’ (13).

35.

Unfortunately, the Proposal does not provide for a coordination procedure in order to structure and enhance the cooperation between the EDPS and national data protection authorities. To remedy this problem, the EDPS mentions as a first option including a new section in Article 37, which deals with data protection supervision, establishing that ‘The EDPS shall convene a meeting with all national supervisory authorities, at least once a year, to address CIS related supervision issues. The members of national data protection authorities and the EDPS shall be referred to as the supervisory authorities’.

36.

A better solution to reflect the layered approach to supervision, as mentioned before, would be to split the provisions on supervision (Article 37) into several provisions, each of them dedicated to a level of supervision, as it has been properly done in the recently adopted legal instruments establishing the Schengen Information System (SIS II). In particular, Articles 44 to 46 of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (14) provide for a well-balanced system of supervision shared between national and European level, with coordination of the two. The EDPS strongly suggests providing for the same system of supervision (with some slight adjustments) for the CIS. Indeed, CIS and SIS II are to a large extent comparable as far as the structure of supervision is concerned.

37.

Article 43.5 foresees that an ad hoc formation of the committee referred to under Article 43.1 (hereinafter ‘ad hoc formation committee’) will meet periodically to examine CIS related data protection problems. The EDPS considers that this ad hoc formation committee should not be considered as the appropriate body to exercise the supervision of CIS, as this competence lies uniquely on the national Member States authorities and the EDPS. The ad hoc formation set forth under Article 43.5 is in fact a ‘comitology ’committee.

38.

However, EDPS considers that the ad hoc formation committee is an appropriate forum to examine data protection problems connected with the operation of the CIS. To this end, the EDPS suggests rephrasing Article 43.5 in order to reflect the tasks and role of the ad hoc formation committee under Article 43.5 as follows: ‘The committee together with the supervisory group referred to under Article … shall examine all problems with the operation of the CIS which are encountered by the supervisory authorities. The Committee shall meet in its ad hoc formation at least once a year’.

39.

The EDPS also wants to draw the attention of the legislator to another characteristic shared by the CIS and SIS II systems: they operate both under First and Third Pillars, which entails the existence of two distinct legal bases for each system. The Third Pillar CIS is governed by the Convention mentioned under point 3 of this opinion. This has a number of consequences, amongst which the structure of the supervision: the First Pillar part of CIS will be supervised by the EDPS and national data protection authorities, while the Third Pillar part is supervised by a Joint Supervisory Authority (composed by representatives of the same national authorities). This constitutes a rather cumbersome system of supervision, which may lead to inconsistencies and not be very effective. This illustrates the difficulties of a complex legal environment such as this one.

40.

It is worth noting that in the framework of the SIS II, the European legislator has opted for a rationalisation of the supervision model, by applying the same layered model as described above in both the First and Third Pillar environments of the system. This is an approach, certainly worth considering, and the EDPS recommends examining further the opportunities it would present for a better and more consistent supervision.

41.

The data protection rights of individuals under the Proposal, particularly the right of access, are regulated in Articles 36 and 37 which have been partially modified by the Proposal. The EDPS would like to address the following three issues related to the right of access: (i) The applicable law ex Article 36.1; (ii) the limits to the right of access ex Article 36.2 and, (iii) the procedure for individuals to submit access requests ex Article 37.2 of the Proposal.

42.

The applicable law : Article 36.1 which has been left untouched by the Proposal recognises en passage the application of individuals' data protection rights and provides that the right of access will be governed by Member States' laws or the data protection rules applicable to the Commission depending on whether such rights have been invoked respectively in Member States or within the EU institutions. This criterion reflects what was said above regarding Article 34 of the Proposal, namely, that both the Commission and Member States are co-controllers of CIS. The EDPS agrees with this approach and is glad that the Proposal has maintained the language of Article 36.1. It is clear in any case that this provision implicitly refers to the relevant national law implementing Directive 95/46/EC or Regulation (EC) No 45/2001. The applicable law in each case will depend on where the rights are exercised.

43.

The limits to the right of access: The second paragraph of Article 36.2 establishes that ‘access shall be denied during the period when sighting, reporting operations analysis or investigation is ongoing’. For the reasons outlined below, the EDPS would favour an amendment that reads ‘access may be denied ’(as opposed to ‘access shall be denied’).

44.

Under Regulation (EC) No 45/2001, as a matter of general principle, individuals are entitled to exercise the right of access to their personal data. However, Article 20 of Regulation (EC) No 45/2001 recognises that such a right can be restricted if one of the specific conditions justifying a restriction applies. In other words, individuals have the right of access in principle, but such access can be restricted. Conversely, the language of Article 36.2 ‘access shall be denied’gives no room for assessment on whether access can be granted or not. It basically means that individuals have no such right for a certain period of time. There is no reason why the general approach of Regulation (EC) No 45/2001 would not work for this situation, particularly if Article 20 would enable restriction of access rights during the period foreseen by Article 36.2. Indeed, if the Commission wished to deny access, it could avail itself of Article 20 according to which access can be denied to safeguard the investigation.

45.

The EDPS considers that the Proposal should be formulated in the same approach as Regulation (EC) No 45/2001. The opposite would be in contradiction with the general framework that foresees the right of access under Regulation (EC) No 45/2001. The problem could be solved simply by replacing the word ‘shall ’by ‘may’.

46.

The procedure for individuals to make access requests : The Proposal has amended the old Article 37.2 of Regulation (EC) No 515/97 which dealt with the procedure to launch access requests to obtain information as to whether CIS contained personal information related to an individual. The new Article 37.2 recognises the possibility for individuals to launch access requests with the European Data Protection Supervisor as well as with the national supervisory authorities, depending on whether the data were included in the CIS by the Commission or a Member State.

47.

The EDPS welcomes that this amendment brings the procedure more in line with the current legal framework on data protection. However, for the following reasons, the EDPS considers that the competence of Member States or the Commission should not be dependent on the entity that has introduced the information in CIS. In the first place, the EDPS notes that individuals will most likely not be aware of the entity that has introduced the information in CIS, whether the Commission or a Member State. Accordingly, they will not know which entity is competent to deal with their access request. The procedure to request access will become cumbersome, if individuals are obliged to first ascertain who introduced the data. In the second place, the EDPS considers that this provision contradicts the criterion chosen by Article 36.1 according to which the right of access will be governed by Member States' laws or the data protection rules applicable to the Commission, depending on whether such rights have been invoked in Member States or within EU institutions respectively. Thus, if only for consistency with Article 36, the competence for access requests should depend on whether such access has been invoked with national supervisory authorities or with the EDPS.

48.

In order to solve this problem, the sentence ‘depending whether the data were included in the CIS by a Member State or the Commission’should be replaced by ‘depending whether the rights have been invoked with the national supervisory authorities or with the EDPS’. Also, if this approach is taken, the sentence of paragraph 37.2 that follows makes full sense: ‘If the data were included by another Member State or by the Commission, they shall be checked in close cooperation with the national supervisory authority of that other Member State or with the European Data Protection Supervisor’.

49.

The Proposal does not add new elements as far as exchanges of personal data with third countries' authorities are concerned. This matter is addressed in Article 30.4 of the Proposal. The EDPS considers that this article should have been amended to refer to the need for the Commission (not only Member States) to take special measures to ensure the security of the data when they are transmitted or supplied to departments located in third countries. In addition, Article 30.4 should be amended to ensure compliance with legislation applicable to the transfer of personal data to third countries.

50.

Articles 41a, b, c and d of the Proposal set forth the rules for the operation of the Customs Files Identification Database. FIDE enables competent authorities to check whether a person or a business has been the subject of a criminal investigation in any Member State.

51.

FIDE already exists as a tool used by Member States under the third pillar (15). Thus, the purpose of Article 41 is to provide a legal basis for the Community FIDE, which the EDPS welcomes.

52.

Because all the provisions of the Proposal that apply to CIS, also apply to FIDE ex Article 41a, the comments made under section II above apply mutatis mutandis to FIDE.

53.

The EDPS notes that taking into account that the Commission is competent to process the data contained in FIDE, it should be clear that Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data applies to FIDES. The EDPS considers that it would be appropriate for Article 41 to recall the application of Regulation (EC) No 45/2001 to FIDE and the EDPS supervisory competences to monitor and ensure compliance with the provisions of the Regulation.

54.

The EDPS reminds that as a result of the application of Article 27 of Regulation EC) No 45/2001, and taking into account the purposes of FIDES and the nature of the data included, it may be deemed to present specific risks to the rights and freedoms of the data subject, and thus, the EDPS must prior check the system.

55.

Article 41d sets forth specific data retention periods. The EDPS considers that the time limits foreseen by Article 41d are reasonable.

56.

It is uncertain how this provision relates to Article 33, regarding CIS. Supposedly, 41d takes priority over the provision on the same subject that deals with CIS, but this is not explicitly mentioned in the Proposal. A provision clarifying this point would be useful.

57.

The data quality principle ex Article 4 of Regulation (EC) No 45/2001 requires personal data to be adequate, relevant and not excessive in relation to the purpose for which they are collected. It is clear that the quality of the personal data can only be ensured if its accuracy is regularly and properly checked. The EDPS also welcomes the provision of Article 41d requiring files to be immediately deleted as soon as a person is cleared of suspicion under the laws, regulations and procedures of the supplier Member State.

58.

On the other hand, in order to ensure that data not needed does not remain in FIDE, the EDPS suggest applying to FIDE some of the data retention rules defined for CIS under Article 33. Particularly, the EDPS suggests applying to FIDE the provisions of Article 33.1 according to which the need for the retention of data should be reviewed annually by the supplying partner. To this end, the EDPS suggests the following language to be inserted after Article 41d.2: ‘The need for the retention of data shall be reviewed at least annually by the supplying Member State’.

59.

The EDPS welcomes being consulted on the Proposal, which foresees the creation or updating of various systems containing personal data: European Data Directory, Custom Information System (CIS) and Customs Files Identification Database (FIDE) in order to strengthen the cooperation and information exchanges both between Member States and between them and the Commission.

60.

On the substance , the EDPS concludes:

61.

To ensure that personal data not needed is purged from FIDE, the EDPS suggest the following language to be inserted after Article 41d.2: ‘The need for the retention of data shall be reviewed at least annually by the supplying Member State’.

62.

As to procedure , the EDPS: