Introduction to Data Protection and the GDPR Lecture 1 PDF

Summary

This is a lecture on the General Data Protection Regulation (GDPR). It covers the historical development of data protection laws and introduces the key concepts of the GDPR. The lecture also covers the differences between data privacy and data protection as well as the impact of technological development.

Full Transcript


Lecture I: Introduction to Data Protection and the GDPR
MICHAELA STAVRIDOU, November 2024

Learning Objectives
Right to privacy: identify it and distinguish it from the right to data protection.
Historical development of data protection.
The right to data protection: understand the fundamental definitions and principles.

Lecture content
Privacy v Data Protection
Historical Development of Data Protection
Focus on EU Data Protection and Historical Development
Introduction to the General Data Protection Regulation (GDPR)
GDPR Preamble and Fundamental Concepts

Introduction to Privacy and Data Protection Rights
Distinct rights: the right to respect for private life and the right to personal data protection are closely related but not the same.

Historical Emergence of Privacy Rights
Emerged in international human rights law with the Universal Declaration of Human Rights (UDHR) in 1948.
Affirmed in Europe by the European Convention on Human Rights (ECHR) in 1950. The case law under the ECHR is developed by the European Court of Human Rights (ECtHR).
Reminder: the Council of Europe was formed in the aftermath of the Second World War to bring together the states of Europe to promote the rule of law, democracy, human rights, and social development. For this purpose, it adopted the ECHR in 1950, which entered into force in 1953.
ECHR Article 8: right to respect for private and family life, home, and correspondence. Its counterpart in EU law is Article 7 of the EU Charter of Fundamental Rights (respect for private and family life, home and communications).

Impact of Technological Development
Technological advancements: computers and the internet improved quality of life, efficiency, and productivity. They also introduced new risks to the right to respect for private life.
Emergence of informational privacy: a concept developed to address the collection and use of personal information. Known as ‘informational privacy’ or the ‘right to informational self-determination’ in different jurisdictions. It emphasizes individuals’ control over their personal data.
1970s legislation: European states began adopting laws to control the processing of personal information by public authorities and large companies.
Data protection instruments: development of data protection laws, established to provide personal data protection.

Data protection as a fundamental right in EU law
Acknowledged as a fundamental right in:
Article 16 of the Treaty on the Functioning of the EU (TFEU).
Article 8 of the EU Charter of Fundamental Rights.

Right to privacy v right to data protection
Aspect       | Right to privacy                                                              | Right to data protection
Legal basis  | Article 7 of the EU Charter of Fundamental Rights                            | Article 8 of the EU Charter of Fundamental Rights
Scope        | Protects private and family life, home, and communications from interference | Specifically addresses the protection of personal data
Focus        | Broad protection of various aspects of privacy                               | Ensures fair and lawful processing of personal data
Key elements | Personal relationships, home life, correspondence                            | Fair processing, specified purposes, consent, and other legitimate bases

EU & Data Protection Laws

Attempt 1: The Data Protection Directive of 1995 (Directive 95/46/EC)
The Data Protection Directive was the first EU legislation to regulate data protection.
It established a framework for data protection across EU member states.
It aimed to harmonize data protection laws and ensure the free flow of personal data within the EU.

Attempt 1: Issues
Inconsistent implementation: as a directive, it had to be transposed into national law, and it allowed member states significant flexibility in how they implemented its provisions, leading to inconsistencies across the EU.
Rapid technological advancements: the Directive struggled to keep pace with rapid technological change and the increasing complexity of data processing. It was not fully equipped to address the new data protection challenges posed by the digital age.
Enforcement and compliance: there were issues with enforcement and compliance, partly due to under-resourced data protection authorities.
Attempt 2: The General Data Protection Regulation (GDPR)
Adapting to the digital age: in response to rapid technological developments, the EU adopted:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
For ease of reference, we commonly refer to the Regulation as the GDPR.
The GDPR became applicable on 25 May 2018, replacing the Data Protection Directive of 1995. Unlike a directive, a regulation applies directly in every member state without national transposition.
It introduced stronger data protection rules, including enhanced individual rights and stricter obligations for organizations.

GDPR - Preamble (Recital 6)
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

GDPR - Preamble (Recital 7)
Those (technological) developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.
GDPR - Preamble (Recital 10)
In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

GDPR - Preamble (Recital 1)
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

FUNDAMENTAL CONCEPTS OF THE GDPR

ARTICLE 4 GDPR - DEFINITIONS
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

ARTICLE 9 GDPR - Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
(The prohibition is subject to the exceptions listed in Article 9(2), for example the explicit consent of the data subject.)
ARTICLE 4 GDPR - DEFINITIONS
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Automated data processing
In practical terms, this covers any processing of personal data carried out by automated means, for example with a personal computer, a mobile device, or a router. (CJEU, C-212/13, František Ryneš v. Úřad pro ochranu osobních údajů, 11 December 2014, para. 25.)

Non-automated data processing
Data protection under EU law is in no way limited to automated data processing. It also applies to the processing of personal data in a manual filing system, that is, a specially structured paper file. A structured filing system is one which categorizes a set of personal data, making them accessible according to certain criteria.
Why extend protection to structured paper files? To prevent circumvention: if structured paper files were out of scope, storing personal data in them could be used to bypass the legal restrictions intended for automated data processing.

ARTICLE 4 GDPR - DEFINITIONS
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Controller
A controller’s decision establishes why and how data shall be processed. Such decision-making power concerns the purposes and means of the processing, as well as the data categories to be processed and access to the data.
CJEU, C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González [GC], 13 May 2014

Google Spain
A Spanish citizen sought the removal of an old newspaper article about his financial history from Google’s search results. The Court of Justice of the European Union (CJEU) was asked to determine whether Google, as a search engine operator, was a ‘controller’ of the data under Article 2(d) of the Data Protection Directive. The CJEU adopted a broad interpretation of ‘controller’ to ensure comprehensive data protection for individuals. It concluded that Google, by deciding the purposes and means of processing and making data on web pages accessible through searches, qualifies as a ‘controller’.

ARTICLE 4 GDPR - DEFINITIONS
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
In the private sector, this is usually a natural or legal person; in the public sector, it is usually an authority.
Example: a payroll company processes personal data on behalf of an SME.
Processors have their own obligations under the GDPR. For example, they must maintain a record of all categories of processing activities carried out on behalf of a controller (Article 30(2)) to demonstrate compliance with the Regulation, and they must notify personal data breaches to the controller without undue delay after becoming aware of them (Article 33(2)).

Controller v Processor
Aspect     | Data Controller                                                                             | Data Processor
Definition | Determines the purposes and means of processing data                                        | Processes data on behalf of the controller
Role       | Exercises control over data processing and holds responsibility, including legal liability | Executes data processing activities as instructed by the controller

Relationship between controller and processor
A written contract is legally required (Article 28(3)). It must:
Include the subject matter, nature, purpose, and duration of the processing.
Specify the type of personal data and the categories of data subjects.
Outline the obligations and rights of the parties, including confidentiality and security.
Legal obligations: lack of a written contract is an infringement and can lead to sanctions. Both controller and processor can be held liable for damages caused by non-compliance.
Processor record-keeping: processors must keep records of the processing activities carried out on behalf of a controller, and the records must be made available to supervisory authorities upon request.
Cooperation with authorities: both controllers and processors must cooperate with supervisory authorities.
Adherence to codes of conduct: controllers and processors can adhere to approved codes of conduct or certification mechanisms to demonstrate compliance.

ARTICLE 4 GDPR - DEFINITIONS
(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Requirements for valid consent
Consent must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. Such an act may be an action or a statement.
The data subject must have the right to withdraw consent at any time.
Requests for consent must be in clear and plain language and in an intelligible and easily accessible form which clearly distinguishes consent from other matters.
Example: if a request for consent is buried in a ‘terms of service’ declaration and does not meet these requirements, it violates the GDPR, and the part of the declaration that infringes the Regulation is not binding (Article 7(2)).

Article 3 GDPR – Territorial Scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Establishment
The GDPR applies to the processing carried out in the context of the activities of a controller's or processor's ‘establishment’ in the EU. What does ‘establishment’ mean? Recital 22 explains that it implies the effective and real exercise of activity through stable arrangements; the legal form of those arrangements (a subsidiary, a branch, an office) is not decisive. Simply put, an organisation with a stable presence in Europe.
This means that the GDPR generally applies if:
1. Your company is based in Europe, or
2. Your company is based outside of Europe but has a European presence/establishment (regardless of whether the processing itself takes place in Europe).
Example: if an EU-based company or office stores customer data on a server in California, the GDPR still applies to that data.

Offering goods and services / targeting
If your company is based outside of Europe but has or wants European customers, you will need to comply with the GDPR when processing their personal data. It does not matter whether you have an office, employees, or any other physical presence in Europe. This rule applies regardless of whether you charge for your products or services. For example, if you offer a subscription or a free app to people in Europe, the GDPR applies.

Monitoring
Even if your company has no European presence and does not want any European customers, you might still have to comply with the GDPR if you are ‘monitoring the behaviour’ of people in Europe.
What does ‘monitoring behaviour’ mean? There is a brief explanation in Recital 24 of the GDPR: in order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
The European Data Protection Board (EDPB) gives examples of activities that may constitute ‘monitoring’ of people's behaviour, including:
Behavioural ads
Geo-localisation activities, in particular for marketing purposes
Online tracking via cookies or other tracking techniques
Personalised diet and health analytics
CCTV
Market surveys and other behavioural studies based on individual profiles
Monitoring or regular reporting on people's health
Note that this part of the GDPR, unlike the ‘targeting’ provision above, does not require an intention to address people in the EU: you can monitor the behaviour of people in Europe without targeting them and still fall within the GDPR's scope. The EDPB does add that not every online collection of data about people in the EU automatically counts as monitoring; the controller's purpose for the processing, in particular any subsequent behavioural analysis or profiling, is still relevant.

Public international law
The Regulation also applies to a controller not established in the Union but in a place where Member State law applies by virtue of public international law, such as a Member State's diplomatic mission or consular post (Recital 25).

Article 2 GDPR – Material Scope
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2.
This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Article 5 GDPR – Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

What does "processed lawfully, fairly and in a transparent manner" mean? Come to the workshops to find out!
