EU Law Overview

Questions and Answers

What legal basis is usually required for processing data for marketing purposes?

  • Legitimate interest or consent only
  • Consent, performance of a contract, or legitimate interest (correct)
  • Only consent
  • Performance of a contract only

Which directive aims to protect the economic interests of consumers?

  • EU Charter of Fundamental Rights
  • Unfair Contract Terms Directive (UCTD)
  • Unfair Commercial Practices Directive (UCPD) (correct)
  • General Data Protection Regulation (GDPR)

What must a request for consent for direct marketing be?

  • Lengthy and detailed
  • Optional and vague
  • Informal and conversational
  • Clear, concise, and not unnecessarily disruptive (correct)

How can consent for marketing purposes be given?

  • By ticking a box or choosing a technical setting (D)

Which of the following statements about withdrawing consent is correct?

  • Individuals have the right to withdraw consent at any time (A)

What is one requirement for consent to be considered valid under Art. 4(11)?

  • Consent must be specific, informed, and unambiguous. (D)

Which of the following is NOT an aspect of how consent should be given according to Art. 7(3)?

  • Consent must be formalized through a contract. (D)

Under what circumstance is consent ineffective as a legal basis according to Article 7(4)?

  • When access to a service is conditional on consent to data processing not necessary for the contract. (C)

What is a characteristic of consent regarding the power dynamics between the data subject and controller?

  • Consent should not be valid if there is a clear imbalance in power. (C)

What does Art. 6(1) specifically provide regarding the bases for lawful processing?

  • At least one legitimate basis for processing must apply. (B)

What is the main purpose of processing personal data in terms of compliance?

  • To comply with legal requirements such as taxation (B)

Which article of GDPR specifies the need for implementing security measures for processing personal data?

  • Article 32 (C)

What responsibility does a data controller have under GDPR in the context of accountability?

  • To demonstrate compliance with data processing regulations (B)

Which type of personal data is categorized under Article 9 of GDPR?

  • Sensitive personal data (B)

Which legitimate basis for processing personal data is linked to direct marketing?

  • 6(1)(a) (A)

Under what condition can an individual invoke the right to erasure?

  • The personal data is no longer necessary for the purpose for which it was collected. (A)

Which scenario does NOT allow for the right to erasure?

  • The data is required for fulfilling a contractual obligation. (B)

Which of the following is a valid ground for exercising the right to erasure?

  • The individual objects to processing for direct marketing. (B)

If personal data has been disclosed to others, what must the processor do if the right to erasure is invoked?

  • Contact each recipient and inform them to erase the data. (C)

Which statement correctly identifies an exception to the right to erasure?

  • The data is needed to comply with a legal obligation. (C)

When can the right to erasure be invoked based on the individual's objection?

  • When the objection is not overridden by legitimate grounds for processing. (A)

What is an example of a direct marketing purpose where the right to erasure can apply?

  • Sending promotional materials via email. (A)

Which lawful basis under Article 6 is associated with the initiation of the right to erasure when consent is withdrawn?

  • Consent. (D)

What is the primary function of the Court of Justice of the EU (CJEU)?

  • To interpret and uphold EU law (C)

Which type of EU law is directly binding and applicable in all Member States?

  • Regulation (A)

Which document is NOT considered primary law in the EU?

  • International agreements (B)

What is the role of a directive in EU legislation?

  • It mandates specific results to be achieved by the Member States (C)

Which aspect is NOT considered when interpreting data protection law?

  • Legislative history (D)

What does Article 7 of the Charter ensure for individuals?

  • Respect for private and family life (D)

What procedure is used for proposing legislation in the EU?

  • Joint adoption by European Parliament and European Council (B)

Why was GDPR implemented in the EU?

  • To ensure the right to integrity of personal data (D)

Which of the following must be included to ensure safe data transfers within a corporate group?

  • Privacy principles and tools of effectiveness (B)

What is required for transferring personal data when there is a request from a third country's court or authority?

  • An international agreement (C)

Which of these situations allows for the transfer of personal data in the absence of an adequacy decision?

  • Performance of a contract (C)

What must a data controller do if personal data is transferred based on compelling legitimate interests?

  • Inform the supervisory authority and data subject (C)

Which option represents a situation that does NOT allow personal data to be transferred without adequate safeguards?

  • Repetitive transfers to multiple recipients (A)

What must the rules for data transfer contain to be considered binding?

  • Details that confer enforceable rights on data subjects (A)

Which of these is NOT a tool of effectiveness for safe data transfers?

  • Data encryption software (A)

In what situation can personal data be transferred if it does not involve repeated transfers and concerns a limited number of data subjects?

  • If compelling legitimate interests are present (B)

Flashcards

EU Law

The legal framework governing the European Union, ensuring the law is upheld across member states.

Primary EU Law

The foundational legal acts of the EU, including treaties and the Charter of Fundamental Rights.

Secondary EU Law

EU legal acts derived from primary law, like regulations, directives, and decisions.

Regulation (EU Law)

A binding legal act applying equally to all EU member states, immediately effective.

Directive (EU Law)

A binding legal act setting goals for member states, leaving them to choose methods.

CJEU (Court of Justice of the EU)

The EU's highest court, upholding EU law and providing preliminary rulings.

Preliminary Ruling (CJEU)

A ruling requested from CJEU on the interpretation and validity of EU law, for national courts.

GDPR and fundamental rights

The General Data Protection Regulation (GDPR) is guided by EU fundamental rights, like privacy and freedom of expression.

GDPR Data Security

Data must be protected against unauthorized access, loss, or damage, using proper technology and procedures.

Legitimate Basis for Processing

Different kinds of personal data need different reasons for processing, like contracts or legal compliance.

Data Controller Accountability

Data controllers are responsible for showing they comply with data protection rules and can prove it.

Marketing Data Storage

Businesses can store personal data for marketing, as long as the company exists.

Security Measures for Data

Companies must implement security measures suitable for the risk involved when handling personal data.

Data categories not in Art. 9

The GDPR (General Data Protection Regulation) does not list specific categories of data that may not be processed.

Legitimate basis of Consent

Consent to process personal data must be freely given, specific, informed, and unambiguous. It's a specific way individuals show agreement to data processing.

Freely given consent

Consent must be genuine and free-willed, without negative consequences for refusing. Right to withdraw at any time.

Informed consent

Consent given after understanding the data being processed, its purpose, and who will process it.

Consent and imbalanced power

Consent isn't a suitable legal basis when the power between individuals and controllers (like public authorities or employers) is unequal.

Right to Erasure

The individual's right to have personal data removed under specific conditions.

Personal Data Redundancy

Data no longer needed for its original purpose.

Consent-Based Data Holding

Data processing permitted based on the individual's agreement.

Legitimate Interest Exception

Data processing justified by a valid need, overriding any objections.

Unlawful Data Processing

Data processing in violation of legal requirements.

Legal Obligations

Data retention required by law.

Data Disclosure and Erasure

If data has been shared, recipients must also erase it, unless impractical.

Reliance on Consent

Processing allowed if the individual permits data usage.

Data Transfers within Corporate Group

Data transfers within a company group must be safe, following privacy principles and approved by the supervisory authority.

International Data Transfers (Art. 48)

Data transfers to third countries require international agreements, like mutual legal assistance treaties or PNRs, if required by a third-country court or administration.

Safeguards for transfers

Appropriate safeguards or adequacy decisions must be present, while explicit consent, contract performance, or vital interests must be evaluated for transfer justification.

Exceptions to Transfer Rules

Data transfers may still occur without adequacy decisions or safeguards if explicit consent, contract performance, public interest, legal claims, or vital interests apply.

Adequacy Decisions (GDPR)

Formal EU recognition that a third country provides an adequate level of personal data protection, allowing risk-free transfer without extra measures.

Appropriate Safeguards (GDPR)

Supplemental measures put in place by data controllers to ensure adequate protection of personal data when transferring to countries without recognition (adequacy decisions).

Compelling Legitimate Interest

A strong, justifiable reason (e.g., public health or investigation) to transfer data that outweighs the individual's privacy rights, considering all aspects.

Supervisory Authority Notification

Data controllers must inform the supervisory authority and data subjects about transfers, emphasizing the legitimate interest driving the transfer.

Article 6(1)(e) (public employer)

The legal basis for processing personal data by a public entity in the workplace under EU law.

GDPR article 6(1)(f) (private employer)

The basis for private employers processing data in the workplace, focusing on 'legitimate interest'.

Marketing consent

Explicit permission needed for direct marketing activities.

Legitimate interest

A lawful basis for marketing, sometimes used to process data.

Performance of contract & marketing

Consent cannot be used as the basis for marketing activities related to a contract.

Study Notes

EU Law Summary

  • The Court of Justice of the EU (CJEU) must ensure EU law is observed and remedies are available to guarantee effective legal protection.
  • Ordinary legislative procedure involves the European Commission proposing regulations, directives, or decisions that are jointly adopted by the European Parliament and the European Council.
  • Primary EU law consists of the Treaty on European Union, the Treaty on the Functioning of the EU, and the Charter of Fundamental Rights of the EU, with general principles of Union law reflected through case law.
  • Secondary EU law includes international agreements and legislation, such as regulations (binding in all member states), directives (binding on the result, but national authorities choose the method), and decisions (binding and addressed to specific member states).
  • Interpretation of data protection law considers the wording, objectives, legislative context, and the overall context of EU law, possibly including its origins.
  • The CJEU provides preliminary rulings on the interpretation and validity of EU law, often requested by national courts in GDPR cases.
  • The Internet is a place for exercising fundamental freedoms, such as freedom of expression, information, and association, and also respects private and family life, personal integrity, and non-discrimination.

GDPR Overview

  • GDPR principles are derived from Article 8 of the Charter of Fundamental Rights of the EU.
  • It replaced the 1995 Data Protection Directive.
  • GDPR aims to protect fundamental rights and freedoms of natural persons with regard to the processing of personal data, and the free movement of personal data.
  • GDPR principles are legitimacy (purpose limitations, fairness, processing must be limited to what's necessary), proportionality, transparency, accountability, security, and data minimization.
