This is an HTML version of an attachment to the Freedom of Information request 'Electronic Exchange of Social Security Information (EESSI) - personal data protection'.


Ref. Ares(2013)3797346 - 23/12/2013
EUROPEAN COMMISSION 
 EMPL/-/11 - EN 
A.C. 419/11 
EDPS Opinion on a notification for prior-checking received from the Data Protection Officer of the European Commission on EESSI
SECRETARIAT – 26.08.2011

 
 Orig.: EN 
 
 Annex: 1 
 
 
 
ADMINISTRATIVE COMMISSION 
FOR THE COORDINATION OF SOCIAL SECURITY SYSTEMS 
 
 
Subject: European Data Protection Supervisor (EDPS) Opinion on a notification for prior-checking received from the Data Protection Officer of the European Commission on EESSI

 
 

Note from the Secretariat of 26 August 2011 
 
 
Article 27(1) of Regulation (EC) No 45/2001¹, applicable to European institutions (and thus the Commission),
provides that "Processing operations likely to present specific risks to the rights and freedoms of data
subjects by virtue of their nature, their scope or their purposes shall be subject to prior checking by the
European Data Protection Supervisor". Article 27(2) of the Regulation contains a list of processing
operations likely to present such risks. The exchanges of information in EESSI include personal data
relating to health; therefore, the processing of health-related data is subject to prior checking by the
European Data Protection Supervisor ("EDPS") pursuant to Article 27(2)(a) of the Regulation. For this
reason, the Data Protection Officer of the European Commission sent the EDPS a notification for prior
checking concerning EESSI on 5 January 2011.
 
The EDPS issued its final Opinion on 28 July 2011. This Opinion is attached in the annex. 
 
The Opinion establishes the compliance of EESSI with Regulation (EC) No 45/2001, provided that a
number of recommendations are fully taken into account before the system goes into operation.
 
While Regulation (EC) No 45/2001 applies to the European institutions and bodies (the Commission 
in this case), the EDPS recalls that at the Member States' level personal data are collected and 
processed by competent administrations in accordance with the national data protection rules 
implementing Directive 95/46/EC. The EDPS states that "… Although this Opinion does not assess the
level of data protection compliance in EESSI at national level, many of the recommendations provided
herein can facilitate compliance with data protection rules by users of the system, such as competent
administrations in Member States…".
 
A subsequent note from the Secretariat will consider all recommendations of the Opinion and the 
implications that they have for the project. 
                                                 
1 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of 
individuals with regard to the processing of personal data by the Community institutions and bodies and on the free 
movement of such data