Law & Data 2024/2025 University of Padova PDF
University of Padua
2024
Fiorella Dal Monte
Summary
Course materials for the 2024/2025 academic year at the University of Padova covering law and data. The syllabus and main course content are included.
LAW & DATA 2024/2025
University of Padova
2 October 2024
Fiorella Dal Monte, PhD, Adjunct Professor
University of Padova | Department of Mathematics

The Course
- Target
- Syllabus | Contents
- Reference materials
- Exams
- Students’ meetings

Fiorella Dal Monte, PhD | Law & Data | 2024-2025

Main contents
- Law
- Legal systems
- the EU legal system
- Basics of EU Law
- Sources of EU Law
- EU Privacy and Personal Data Protection
- General Principles of EU Personal Data Protection
- Enforcement of EU Data Protection
- Protection of Other Data (non-personal data)
- Case-study analyses and possible workshops
- EU Digital Strategy
- AI Act
- References to different legal systems and comparisons

Basic legal notions
- Notion of Law
- Basic legal notions
- Legal systems to be taken into consideration: International Law, European Union Law

What is Law?

Law
«Set of conditions under which the choices of each person can be united with the choices of others under a universal law of freedom»
Immanuel Kant, The Metaphysical Elements of Justice

LAW
WHAT IS A LEGAL ORDER/SYSTEM?
«A LEGAL ORDER is an aggregate or a plurality of general and individual norms that govern human behavior, that prescribe, in other words, how one ought to behave. That behavior is prescribed in a norm or, what amounts to the same thing, is the content of a norm means that one ought to behave in a certain way. The concept of the norm and the concept of the "ought" coincide. To prescribe in a norm how one ought to behave is understood here not only as a command but also as a positive permission or an authorization. A plurality of norms is an order if the norms constitute a unity, and they constitute a unity if they have the same basis of validity. If the law is positive law, the norms of a legal order are "posited" or "created" through human acts. To say that a norm prescribing how one ought to behave is "posited" or "created" through an act is a metaphorical way of saying that the norm is the subjective meaning of the act. Acts through which the norms of a legal order are posited or created comprise legislative acts, acts constituting legally binding custom, judicial acts, administrative acts, and private law transactions, in particular contracts. These acts are characterized here as legal acts, and the individuals authorized by the legal order to perform such acts are characterized as legal officials».
H. Kelsen, The concept of the legal order, in The American Journal of Jurisprudence (translated by S.L. Paulson)

The LEGAL SYSTEM includes rules, procedures and institutions by which activities, both public and private, can be carried out through legitimate means.
A legal system is a system for interpreting and enforcing the laws.
PLURALITY OF LEGAL SYSTEMS in light of several and different social groups

Examples of what legal systems can be / where legal systems can be found
- STATES: e.g. Italy, France, USA, India, China, etc.
- EUROPEAN UNION: legal system encompassing 27 Member States
- COUNCIL of EUROPE: legal system including 47 Member States
- INTERNATIONAL LEGAL ORDER: special legal system – independent from States
- WORLD WIDE WEB?

Modern theory of the SEPARATION OF POWERS
- Legislative: MAKE LAW
- Executive: IMPLEMENT LAW
- Judicial: INTERPRET & ENFORCE LAW
Separate and independent bodies so as to ensure legal certainty, impartiality, equality before the Law.
Montesquieu, The Spirit of the Laws (1748)

LAW & DATA 2024/2025 | University of Padova | 4 October 2024

System of CHECKS & BALANCES
- to limit the power of a single individual/entity/body of government
- to ensure balanced and harmonious relationships and co-existence

BRANCHES OF LAW
fundamental | universally accepted | exhaustive
PUBLIC LAW | PRIVATE LAW

TYPE OF STATE LEGAL SYSTEMS
MAIN DIFFERENCE between CIVIL LAW and COMMON LAW

SOURCES OF LAW
- HARD LAW: binding legal provisions which can be legally enforced before a court
- SOFT LAW: contents (agreements, principles, declarations, statements, etc.) which are not legally binding; usually cannot be enforced by a party before a court, but can be used by a judge to interpret hard law

LAW & DATA 2024/2025 | University of Padova | 9 October 2024

Examples of SOURCES OF LAW
- Treaties / Conventions
- Legislation (Constitution, acts, laws, statutes, regulations, codes, etc.)
- Case-law
- Public and Private Policies
- Doctrine
- Fundamental/General Principles of Law
- Customary Law

HIERARCHY OF THE SOURCES OF LAW

WHAT IS the EUROPEAN UNION?
DIFFERENCES
- COUNCIL OF EUROPE (CoE): continental level; 46 Member States; Institutions (European Court of Human Rights); Strasbourg (France)
- EUROPEAN FREE TRADE ASSOCIATION (EFTA): regional trade organisation; Iceland, Norway, Liechtenstein, Switzerland; free trade area; participation in the Schengen Area; participation in the European Single Market; Geneva (Switzerland), Bruxelles + Luxembourg
- EUROPEAN ECONOMIC AREA (EEA): EU MS + EFTA MS (no Switzerland); defined by an international agreement (1994) within which the EU single market basic rules apply; geographical area

LAW & DATA 2024/2025 | University of Padova | 11 October 2024

DIFFERENCES | Members
- EFTA: Iceland, Liechtenstein, Norway, Switzerland
- EEA: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden
- SCHENGEN: Austria, Belgium, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland (NO Bulgaria, Cyprus, Ireland, Romania)

EUROPEAN UNION
27 MEMBER STATES
- 1 January 1958 (Treaty of Rome): Italy, The Netherlands, Belgium, Luxembourg, France, Germany
- 1 January 1973: Denmark, Ireland, [United Kingdom]
- 1 January 1981: Greece
- 1 January 1986: Spain, Portugal
- 1 January 1995: Austria, Finland, Sweden
- 1 May 2004: Czech Republic, Estonia, Cyprus, Latvia, Lithuania, Hungary, Malta, Poland, Slovenia, Slovakia
- 1 January 2007: Bulgaria, Romania
- 1 July 2013: Croatia

EUROPEAN UNION
«The Community constitutes a NEW LEGAL ORDER OF INTERNATIONAL LAW for the benefit of which the states have limited their sovereign rights»
ECJ, case 6/64, Costa v. ENEL
«its own legal system which, on the entry into force of the Treaty, became an integral part of the legal systems of the Member States and which their courts are bound to apply (…)»
ECJ, case 26/62, Van Gend en Loos
REGIONAL LEVEL
27 MEMBER STATES

APPLICATION FOR EU MEMBERSHIP
ART. 2 TEU
«any European state which respects the common values of the Member States and undertakes to promote them may apply to become a member of the Union. These values include human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities»
ART. 49 TEU
«any European State which respects the values referred to in Article 2 and is committed to promoting them may apply to become a member of the Union. The European Parliament and national Parliaments shall be notified of this application. The applicant State shall address its application to the Council, which shall act unanimously after consulting the Commission and after receiving the consent of the European Parliament, which shall act by a majority of its component members. The conditions of eligibility agreed upon by the European Council shall be taken into account. The conditions of admission and the adjustments to the Treaties on which the Union is founded, which such admission entails, shall be the subject of an agreement between the Member States and the applicant State. This agreement shall be submitted for ratification by all the contracting States in accordance with their respective constitutional requirements»

LAW & DATA 2024/2025 | University of Padova | 16 October 2024

COPENHAGEN CRITERIA FOR EU ACCESSION
- Political: stability of institutions guaranteeing democracy, the rule of law*1, human rights and respect for and protection of minorities
- Economic: a functioning market economy and the capacity to cope with competition and market forces
- Administrative and institutional capacity to effectively implement the acquis communautaire*2 and ability to take on the obligations of EU membership

*1 RULE OF LAW
ALL PUBLIC POWERS MUST ACT WITHIN THE CONSTRAINTS SET OUT BY LAW
- LAW-MAKING PROCESS: transparent, accountable, democratic and pluralistic
- JUDICIAL PROTECTION: effective → access to justice, independent and impartial courts, separation of powers
- EQUAL PROTECTION: everyone enjoys equal protection under the law and prevents the arbitrary use of power by governments.
- POLITICAL AND CIVIL RIGHTS: protection of basic political and civil rights, civil liberties

*2 ACQUIS COMMUNAUTAIRE
BODY OF COMMON RIGHTS AND OBLIGATIONS BINDING UPON EU MEMBER STATES

HIERARCHY OF SOURCES OF EUROPEAN UNION LAW
- PRIMARY LAW
- INTERNATIONAL AGREEMENTS
- SECONDARY LAW
- SUPPLEMENTARY LAW
https://eur-lex.europa.eu/homepage.html

LAW & DATA 2024/2025 | University of Padova | 18 October 2024

PRIMARY LAW
- TREATIES: Founding treaties (establishing EC → EU); Amending treaties; Protocols annexed to Treaties; Accession treaties
- CHARTER OF FUNDAMENTAL RIGHTS (since 2009 Lisbon Treaty – same value as Treaties)
- GENERAL PRINCIPLES ESTABLISHED BY THE ECJ

TREATIES
- TREATY ON THE EUROPEAN UNION: objectives and principles of the EU; institutions of the EU
- TREATY ON THE FUNCTIONING OF EUROPEAN UNION: organisational, functional provisions to reach EU objectives; procedures for the functioning of EU institutions

TREATY ON THE EUROPEAN UNION
Art. 2
The Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities. These values are common to the Member States in a society in which pluralism, non-discrimination, tolerance, justice, solidarity and equality between women and men prevail.
LAW & DATA 2024/2025 | University of Padova | 23 October 2024

TREATY ON THE EUROPEAN UNION
Art. 3
1. The Union's aim is to promote peace, its values and the well-being of its peoples.
2. The Union shall offer its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured in conjunction with appropriate measures with respect to external border controls, asylum, immigration and the prevention and combating of crime.
3. The Union shall establish an internal market. It shall work for the sustainable development of Europe based on balanced economic growth and price stability, a highly competitive social market economy, aiming at full employment and social progress, and a high level of protection and improvement of the quality of the environment. It shall promote scientific and technological advance. It shall combat social exclusion and discrimination, and shall promote social justice and protection, equality between women and men, solidarity between generations and protection of the rights of the child. It shall promote economic, social and territorial cohesion, and solidarity among Member States. It shall respect its rich cultural and linguistic diversity, and shall ensure that Europe's cultural heritage is safeguarded and enhanced.
4. The Union shall establish an economic and monetary union whose currency is the euro.
5. In its relations with the wider world, the Union shall uphold and promote its values and interests and contribute to the protection of its citizens. It shall contribute to peace, security, the sustainable development of the Earth, solidarity and mutual respect among peoples, free and fair trade, eradication of poverty and the protection of human rights, in particular the rights of the child, as well as to the strict observance and the development of international law, including respect for the principles of the United Nations Charter.
6. The Union shall pursue its objectives by appropriate means commensurate with the competences which are conferred upon it in the Treaties.

TREATY ON THE FUNCTIONING OF THE EUROPEAN UNION
Art. 16(1)
Everyone has the right to the protection of personal data concerning them.

EU CHARTER OF FUNDAMENTAL RIGHTS
ART. 6(1) TEU
«The Union recognises the rights, freedoms and principles set out in the Charter of Fundamental Rights of the European Union of 7 December 2000, as adapted at Strasbourg, on 12 December 2007, which shall have the same legal value as the Treaties»
CHAPTERS:
- I DIGNITY: «Human dignity is inviolable, it must be respected and protected»
- II FREEDOMS: Respect for private and family life; Protection of personal data
- III EQUALITY
- IV SOLIDARITY
- V CITIZENS’ RIGHTS
- VI JUSTICE
- VII GENERAL PROVISIONS: Safeguard clause

EU CHARTER OF FUNDAMENTAL RIGHTS
‘SAFEGUARD CLAUSE’
ART. 52(1) CFR «Scope and interpretation of rights and principles»
«Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others»

GENERAL PRINCIPLES OF EU LAW ESTABLISHED BY THE COURT OF JUSTICE
- legal principles developed by the Court of Justice over time
- no exhaustive list - under constant development
- stemming from constitutional traditions of EU Member States
Examples:
- Legal certainty
- Legitimate expectation
- Primacy of EU Law
- Direct effect of EU Law
- Protection of fundamental rights → art. 6(3) TEU «Fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms and as they result from the constitutional traditions common to the Member States, shall constitute general principles of the Union's law»

LAW & DATA 2024/2025 | University of Padova | 25 October 2024

INTERNATIONAL AGREEMENTS
Agreements concluded by the European Union and third countries within the sphere of competence of the EU
Art. 216 TFEU
«1. The Union may conclude an agreement with one or more third countries or international organisations where the Treaties so provide or where the conclusion of an agreement is necessary in order to achieve, within the framework of the Union's policies, one of the objectives referred to in the Treaties, or is provided for in a legally binding Union act or is likely to affect common rules or alter their scope.
2. Agreements concluded by the Union are binding upon the institutions of the Union and on its Member States».
Art. 217 TFEU
«The Union may conclude with one or more third countries or international organisations agreements establishing an association involving reciprocal rights and obligations, common action and special procedure».
Art. 218 TFEU
Procedure for negotiating and concluding international agreements, involving Council, European Parliament (possibly, the ECJ)

SECONDARY LAW
- TYPICAL ACTS – Art. 288 TFEU
  REGULATIONS | DIRECTIVES | DECISIONS (hard law)
  OPINIONS | RECOMMENDATIONS (soft law)
- ATYPICAL ACTS
  communications | resolutions | white papers | green papers

SECONDARY LAW
- REGULATION: binding in its entirety; directly applicable in all Member States
- DIRECTIVE: binding as to the result to be achieved; IMPLEMENTATION IN MS = the choice of form and methods to achieve the result lies with the national authorities
- DECISION: binding in its entirety; GENERAL // INDIVIDUAL*
  *decision which specifies those to whom it is addressed shall be binding only on the addressees

Examples of EU secondary legislation on data
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data - Data Protection Directive
- Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of those data, known as the GDPR - General Data Protection Regulation
- Directive (EU) 2016/680 on protecting individuals when personal data are used by law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties – Data Protection Law Enforcement Directive
- Regulation (EU) 2018/1725 laying down rules for protecting individuals with regard to the processing of personal data by the EU institutions, bodies, offices and agencies and on the free movement of those data.
- Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector – E-communications Directive
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence – Artificial Intelligence Act

INSTITUTIONS OF THE EU
ART. 13 TEU
- EUROPEAN PARLIAMENT
- EUROPEAN COUNCIL
- COUNCIL OF THE EUROPEAN UNION (Council)
- EUROPEAN COMMISSION
- COURT OF JUSTICE OF THE EU
- EUROPEAN CENTRAL BANK
- COURT OF AUDITORS

LAW & DATA 2024/2025 | University of Padova | 6 November 2024

EUROPEAN PARLIAMENT
- max 750 members = MEPs (currently 705); every MS has a different number of MEPs according to its population
- 5 years’ term
- since 1979 directly elected by EU citizens, representing citizens’ interests (not MS)
- groups formed according to affinities in political parties (not upon nationality)
- Strasbourg | Brussels | Luxembourg

FUNCTIONS
- LEGISLATIVE: one of the legislative chambers of the EU
- BUDGETARY: monitoring on the expenditures
- SUPERVISORY: on the activities of other EU Institutions – general report; question the Commission; investigate (temporary Committees of Inquiry); receive petitions by EU citizens; election of Ombudsman = civil mediator
- ELECTIVE: President of the EU Commission (proposed by the Council); EU Commissioners (proposed by the Commission’s President)

European Council
- 27 Heads of State and Governments
- President elected for a 2.5 years’ term
- No legislative function, but guideline function (objectives in CFSP + EU external action; broad guidelines on economic policies)
- It can intervene in some areas foreseen by Treaties
- Conclusions

Council (Council of the EU)
- One representative for each MS, able to commit the government of that State and cast its vote → interests of the Governments
- Different configurations (GA, FA, Economic and financial, Environment, JHA, …)
- LEGISLATIVE FUNCTION (one chamber)
- Supervisory functions on other institutions

EUROPEAN COMMISSION
- 27 Commissioners – approved by the EP (5 years’ term) but independent from MS, appointed with a procedure involving EP, President of the Commission and MS (President is proposed by the European Council)
- Divided into Directorates General
- Representing the interests of the EU as a whole
FUNCTIONS:
- LEGISLATIVE – initiative
- EXECUTIVE AND ADMINISTRATIVE – enforcement of EU law
- BUDGETARY – management of EU budget
- SUPERVISORY – on MS (possible breaches of EU law) and on private entities

LAW & DATA 2024/2025 | University of Padova | 8 November 2024

EUROPEAN COURT OF JUSTICE
- European Court of Justice + General Court of the EU
- JUDGES and ADVOCATES GENERAL whose number depends on the number of MS (usually one per MS)
- 6 years’ term – renewable every three years
- Appointed among individuals possessing qualifications required for appointment to the highest judicial offices in their respective countries or jurisconsults of recognised competence BUT independent from their MS
FUNCTIONS:
- JURISDICTIONAL → litigation
- INTERPRETATIVE / PRELIMINARY RULINGS → not litigation
- ADVISORY / CONSULTATIVE → not litigation

LITIGATION PROCEEDINGS BEFORE THE ECJ
- DIRECT APPEALS (263 TFEU): appeal of acts adopted by EU Institutions
  PUBLIC initiative: MS, other EU institutions
  PRIVATE initiative: any natural or legal person «against an act addressed to that person or which is of direct and individual concern to them, and against a regulatory act which is of direct concern to them and does not entail implementing measures»
  VICES: lack of competence, invalidity, voidness, misuse of powers
  Time-limit: 2 months + 10 days
- FAILURE TO ACT (265 TFEU)
  PRELITIGATION: letter of formal notice; 2 months for acting
  Non-performance
  LITIGATION before the ECJ
- COMPENSATION FOR DAMAGES (340(2) TFEU)
  Initiative by individuals, legal persons, and Member States
  Damage must be proved as unlawful, serious, certain

NON-LITIGATION PROCEEDINGS BEFORE THE ECJ
PRELIMINARY RULINGS – 267 TFEU – ECJ + General Court
Initiative: by any jurisdiction of any MS (nature and instance – also upon the parties’ request)
Object: INTERPRETATION of any EU law provision; VALIDITY of acts of EU Institutions
Development:
1. MS National proceedings
2. national judge refers the preliminary rulings to the ECJ
3. (usually) suspension of the national proceedings
4. Decision of the ECJ (judgment / order) which is compulsory for the national judge

BODIES OF THE EU
- European Data Protection Supervisor (EDPS): independent body ensuring that EU institutions and bodies respect people’s right to privacy when processing their personal data
- European Data Protection Board (EDPB): independent body ensuring the consistent application of data protection rules throughout the EU, promoting cooperation between national data protection authorities in the EU
- Agencies of the European Commission - EU decentralised bodies: distinct from the institutions; specific tasks; FUNDAMENTAL RIGHTS AGENCY

LAW & DATA 2024/2025 | University of Padova | 13 November 2024

WHAT IS PRIVACY?

PRIVACY
NEGATIVE POSITIVE prevention exclusion of intrusions

PRIVACY
1890 S. Warren // L. Brandeis
RIGHT TO BE LET ALONE
«most comprehensive of rights and the right most valued by civilized men»
- right to reputation
- right to honour and moral integrity
- right to one’s own image
- right to private/family life
- right to non-interference
- personhood / protection of identity and dignity
- …
- right to control personal information
COMMON LAW ORIGIN
distinction between what is private and what is public

PRIVACY
- Common Law tradition: RIGHT TO LIBERTY
- Civil Law tradition: RIGHT TO DIGNITY

(RIGHT TO) PERSONAL DATA
«Everyone has the right to protect personal data concerning him or her»
Article 8(1) CFR

PERSONAL DATA?
«any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person»
Art. 4(1)(1) GDPR
CIVIL LAW ORIGIN

LAW & DATA 2024/2025 | University of Padova | 15 November 2024

Right to PRIVACY & PERSONAL DATA
- ‘same, but different’
- intertwined
- different, but overlapping
HUMAN RIGHTS: rights belonging to individuals as human beings regardless of race, sex, nationality, ethnicity, language, religion or any other status

History - RIGHT TO PRIVACY
UN Universal Declaration of Human Rights (1948)
Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
International Covenant on Civil and Political Rights (1966)
Article 17
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

LAW & DATA 2024/2025 University of Padova 27 November 2024

History - RIGHT TO PRIVACY

UN Convention on the Rights of the Child (1989)
Article 16
No child shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. The child has the right to the protection of the law against such interference or attacks.

European Convention of Human Rights (1950)
Article 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

RIGHT TO PRIVACY

Nice Charter (2009) → EU Charter of Fundamental Rights (2009)
Article 7 – Respect for private and family life
1. Everyone has the right to respect for his or her private and family life, home and communications.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

RIGHT TO PRIVACY → PERSONAL DATA PROTECTION

Nice Charter (2009) → EU Charter of Fundamental Rights (2009) (EU primary law)
Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Nice Charter (2009) → EU Charter of Fundamental Rights (2009)
Article 52 – Scope and interpretation
1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
2. Rights recognised by this Charter for which provision is made in the Treaties shall be exercised under the conditions and within the limits defined by those Treaties.
(…)

LAW & DATA 2024/2025 University of Padova 4 December 2024

RIGHT TO PERSONAL DATA PROTECTION

OECD Privacy Guidelines (1980)
Soft law
universal standards
✓ Collection Limitation Principle
✓ Data Quality Principle
✓ Purpose Specification Principle
✓ Use Limitation Principle
✓ Security Safeguards Principle
✓ Openness Principle
✓ Individual Participation Principle
✓ Accountability Principle

CoE Convention 108 (28 January 1981 – Data Privacy Day)
Convention for the protection of individuals with regard to automated processing of personal data
first legally binding instrument at the international level on data protection
UNIVERSAL STANDARDS
CoE Convention 108+ (adopted on 18 May 2018)

CoE Convention 108
Main principles:
- Protection of the individuals against PD abuses
- Regulation of transborder data flows
- Fair and lawful collection
- Legitimate purposes
- Processing for the same purposes for which data were collected
- Storage duration (no longer than necessary)
- Quality of data: adequate, relevant, not excessive (proportionality)
- Sensitive data (special categories of data)
- Right to know information stored and to have it rectified
- Possible overriding interests for different processing activities

Applicable EU Legislation (Primary law) – RIGHT TO PERSONAL DATA PROTECTION

TEU
Article 39
In accordance with Article 16 of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

TFEU
Article 16
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
3. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

LAW & DATA 2024/2025 University of Padova 6 December 2024

History – EU DATA PROTECTION DIRECTIVES

Directive 95/46/EC
on the protection of individuals with regard to the processing of personal data and on the free movement of such data
limited harmonization → GDPR

Directive 2006/24/EC – Data Retention Directive
on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
repealed by ECJ in Digital Rights Ireland | C-293/12 + C-594/12

Applicable – EU DATA PROTECTION DIRECTIVES

Directive 2002/58/EC
Directive on privacy and electronic communications

Directive 2016/680/EU
on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Directive 2002/58/EC | E-PRIVACY DIRECTIVE

USER
any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service (SUBSCRIBER)

TRAFFIC DATA
any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof

LOCATION DATA
any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service

COMMUNICATION
any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information

Directive 2002/58/EC | E-PRIVACY DIRECTIVE

Scope of application
‘services concerned’
processing of PD in connection with the provision of publicly available electronic communications services in public communications networks within the EU

Service Provider
required to take appropriate technical and organizational measures to ensure security of its services

Objective
require MS to ensure confidentiality of communications and related PD (i.e. traffic data) processed through public communication networks/publicly available electronic communications services

Directive 2002/58/EC | E-PRIVACY DIRECTIVE

✗ AUTOMATIC CALL FORWARDING
by third parties to the subscriber’s terminal, unless stopped
✗ DIRECTORIES OF SUBSCRIBERS
possible, but based on consent (express or implied)
✗ UNSOLICITED COMMUNICATIONS
automated calling systems without human intervention / fax / e-mail / direct marketing
possible, but with clear, distinct and prior consent
possibility to object free of charge & easily

LAW & DATA 2024/2025 University of Padova 11 December 2024

Directive 2018/1972
European Electronic Communications Code (Recast)
NO PROCESSING OF PERSONAL DATA
Harmonised framework for the regulation of electronic communications networks, electronic communications services, associated facilities and services, and some aspects of terminal equipment
Goals:
✓ implement an internal market in electronic communications
✓ promote fair competition between companies
✓ ensure equal and fair access to these services
✓ promote connectivity all across EU

Directive 2016/680/EU
Data Protection Law Enforcement Directive
Repealed Decision 2008/977/JHA – protection of PD processed in the framework of police and judicial cooperation in criminal matters
Filled the void of Data Retention Directive
Adoption in parallel with GDPR → new ‘PDP PACKAGE’

Directive 2016/680/EU | DP Law Enforcement Directive
- data protection by design / by default
- data security
- data breach notifications
- appointment of Data Protection Officers
- emerging tech challenges
❖ NO decisions based solely on automated processing (including profiling) (in principle)
❖ MUST NOT be based on sensitive data
❖ MUST NOT LEAD to any discrimination against any person

Applicable - EU DATA PROTECTION REGULATIONS

Regulation 2016/679/EU
General Data Protection Regulation

Regulation 2018/1725/EU
setting forth the rules applicable to the processing of personal data by European Union institutions, bodies, offices and agencies

[ Digital Services Act – DSA ]
[ Digital Markets Act – DMA ]
[ Artificial Intelligence Act – IAA ]

LAW & DATA 2024/2025 University of Padova 13 December 2024

GDPR MAIN SUBJECTS
- DATA SUBJECT
- CONTROLLER
- PROCESSOR
- SUB-PROCESSOR
- DATA PROTECTION OFFICER
- SUPERVISORY AUTHORITY

GDPR | DATA SUBJECT
Identified or identifiable person to which any information may relate

Main rights of the Data Subject
- Right to transparency of communication
- Right to be informed of purposes
- Right to access
- Right to rectification, erasure*, restriction
- Right to data portability
- Right to object
*Right to be forgotten

GDPR | CONTROLLER
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
JOINT CONTROLLERS

Obligations of the Controller
As a general rule, it is responsible and liable for any processing of personal data carried out
- by itself
- on its behalf

LAW & DATA 2024/2025 University of Padova 18 December 2024

Lessons in January
- Wednesday, 8th 12:30-16:30 (2)
- Friday, 10th 16:30-18:30 (1)
- Wednesday, 15th 12:30-16:30 (2)
Possible precall: Thursday 16th OR Monday 20th

Main obligations of the Controller
- Adoption of appropriate TOMs (technical & organizational measures) (+ protection policies)
- Record of processing activities
- Cooperation with Data Subjects
- Cooperation with Supervisory Authorities

DPMS - DATA PROTECTION MANAGEMENT SYSTEM
risk-based internal compliance system, typically consisting of an IT security concept that introduces and monitors technical and organisational conduct of data processing activities, and records/documents processing activities to achieve compliance with the GDPR
Aim = achieve compliance with GDPR, by adopting appropriate TOMs

GDPR | PROCESSOR
a natural or legal person, public authority, agency or other body which processes* personal data on behalf of the controller

*PROCESSING OF PERSONAL DATA
ANY OPERATION OR SET OF OPERATIONS WHICH IS PERFORMED ON PERSONAL DATA OR ON SETS OF PERSONAL DATA, WHETHER OR NOT BY AUTOMATED MEANS SUCH AS COLLECTION, RECORDING, ORGANISATION, STRUCTURING, STORAGE, ADAPTATION OR ALTERATION, RETRIEVAL, CONSULTATION, USE, DISCLOSURE BY TRANSMISSION, DISSEMINATION OR OTHERWISE MAKING AVAILABLE, ALIGNMENT OR COMBINATION, RESTRICTION, ERASURE OR DESTRUCTION

LAW & DATA 2024/2025 University of Padova 20 December 2024

Main obligations of the Processors
- Act upon instructions of the Controller
- Implement TOMs
- Appoint a Representative within the EU
- Maintain a record of processing activities
- Cooperate with Supervisory Authorities
- Designate a Data Protection Officer (where required)

Contents of the RECORD

| CONTROLLER | PROCESSOR |
| --- | --- |
| Name and contact details of the (joint) controller(s), the representative(s) and DPO(s) | Name and contact details of the processor(s) and (joint) controller(s), the representative(s) and DPO(s) |
| Purposes | Categories of processing |
| Description of the categories of data subjects and categories of personal data | -- |
| Categories of recipients to whom personal data are or will be disclosed (including outside EU and/or international organisations) | -- |
| Transfer to third countries/international organisation and documentation of suitable safeguards | Transfer to third countries/international organisation and documentation of suitable safeguards |
| Envisaged time-limits for erasure of the different categories of data | -- |
| General description of TOSMs | General description of TOSMs |

DATA PROTECTION

BY DESIGN
the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects

BY DEFAULT
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons

GDPR | DATA PROTECTION OFFICER
Person who advises on compliance with data protection rules in organisations undertaking data processing
Voluntarily appointed by controllers, unless:
- a public authority or body carries out the processing
- the controller’s or processor’s core activities consist of processing operations requiring the regular and systematic monitoring of data subjects on a large scale
- the core activities consist of large-scale processing of special categories of data or personal data relating to criminal convictions and offences

GDPR | SUPERVISORY AUTHORITIES
Independent public authority which is established by each Member State pursuant to Article 51
- data subjects’ complaints
- be responsible for monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union
- contribute to the consistent application of the GDPR throughout the Union and collaboration with the EU Commission

GDPR | MAIN NOTIONS
- PERSONAL DATA
- SENSITIVE DATA
- PURPOSES
- CONSENT
- PROCESSING
- TRANSFER
- CROSS-BORDER PROCESSING
- DATA PROTECTION IMPACT ASSESSMENT

LAW & DATA 2024/2025 University of Padova 8 January 2025

GDPR | PERSONAL DATA
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person

GDPR | SENSITIVE DATA
special categories of personal data
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

SENSITIVE DATA - Processing
In principle: PROHIBITED
Exceptions:
✓ Explicit consent (specified purposes)
✓ Employment law / social security and social protection law
✓ Protection of vital interests
✓ Legitimate activities of foundations, associations, non-profit bodies – members or former members
✓ Manifestly made public by DS
✓ Legal claims
✓ Substantial public interest
✓ Preventive / occupational medicine
✓ Health - public interest
✓ Scientific and historical research – public interest

GDPR | PURPOSES
(not expressly defined by GDPR)
aims for which data are collected and processed

GDPR | CONSENT (OF THE DATA SUBJECT)
any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

GDPR | PROCESSING
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

GDPR | DPIA
DATA PROTECTION IMPACT ASSESSMENT
assessment of the impact of the envisaged processing operations on the protection of personal data
CONTROLLER → DPO

Mandatory (in certain cases):
- systematic/extensive evaluation of personal data based on automated processing, including profiling activities
- processing on a large scale of special categories of data
- systematic monitoring of a publicly accessible area on a large scale

GDPR | DPIA
Contents
▪ systematic description of the envisaged processing operations + purposes + legitimate interest of the Controller (if any)
▪ assessment of the necessity and proportionality of the processing operations in relation to the purposes
▪ an assessment of the risks to the rights and freedoms of data subjects
▪ the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance

GDPR | Main principles for PD Processing
(corresponding rights of the Data Subject)
- LAWFULNESS, FAIRNESS & TRANSPARENCY
- PURPOSE LIMITATION
- DATA MINIMISATION
- ACCURACY
- STORAGE LIMITATION
- INTEGRITY & CONFIDENTIALITY
- ACCOUNTABILITY

LAWFULNESS & FAIRNESS
Legal permission / DS consent
CASES OF LEGAL PERMISSION – NECESSARY FOR
o PERFORMING A CONTRACT
o COMPLYING WITH A LEGAL OBLIGATION
o PROTECTING VITAL INTERESTS
o PERFORMANCE OF A TASK OF PUBLIC INTEREST
o LEGITIMATE INTERESTS OF THE CONTROLLER/THIRD PARTY

TRANSPARENCY
How PD are collected, used, consulted or otherwise disclosed
Information
o on the identity of the controller
o on the purposes of the processing
o on the DS rights / to obtain confirmation and communication of processing activities
o on risks, rules, safeguards and rights in relation to processing activities

PURPOSE LIMITATION
Processing for SPECIFIED, EXPLICIT AND LEGITIMATE PURPOSES
o Legitimacy: accordance with existing applicable laws
o Detail of the purpose: further processing operations need to be verified (if compatible with initial purposes)

DATA MINIMISATION
Personal data shall be ADEQUATE, RELEVANT AND LIMITED to what is necessary in relation to the purposes for which they are processed
Assessment on PROPORTIONALITY
Technical and organisational measures

ACCURACY
Personal data shall be ACCURATE and KEPT UP TO DATE
If inaccurate → erasure or rectification
Personal data shall reflect the reality of any given situation
Inaccuracy may imply legal consequences even for the subjects involved

STORAGE LIMITATION
Personal data shall be kept in a form that permits identification of data subjects FOR NO LONGER THAN NECESSARY for the processing purposes
STRICT MINIMUM

INTEGRITY & CONFIDENTIALITY
Personal data shall be processed in a manner that ensures their appropriate SECURITY
Necessary to avoid:
▪ Unauthorised/unlawful processing
▪ Unauthorised/unlawful access
▪ Accidental loss, destruction, damage

ACCOUNTABILITY
1. CONTROLLER
2. PROCESSOR

PRIVACY POLICY
Templates - https://gdpr.eu/privacy-notice/
Topics
- What data do we collect?
- How do we collect your data?
- How will we use your data?
- What are cookies?
- How do we store your data?
- How do we use cookies and what types of cookies do we use?
- Marketing
- How to manage your cookies
- What are your data protection rights?
- Privacy policies of other websites
- How to contact us
- Changes to our privacy policy
- How to contact the appropriate authorities