Summary & Notes on EU Law - General Data Protection Regulation (GDPR) PDF

Summary & Notes 1 EU Law Treaty on European Union specifies that the CJEU must ensure that the law is observed in accordance with EU Treaties and that Member States provide remedies sufficient to ensure effective legal protection Ordinary legislative procedure: regulation, directive or decision are proposed by the European Commission and jointly adopted by European Parliament and European Council Primary law: Treaty on EU Treaty on the Functioning of the EU Charter of Fundamental Rights of the EU General principles of Union law (e.g. reflected through case law) Secondary law International agreements Legislation: o Regulation: binding in its entirety and directly applicable in all Member States o Directive: binding as to the result to be achieved, addressed to specific Member States, form and methods chosen by national authorities o Decision: binding in its entirety, can be addressed to specific Member States Case law (CJEU) Requests and preliminary ruling Interpretation of data protection law must take account of: Wording Objectives Legislative context Provisions of EU law as a whole Possibly its origins Court of Justice of the EU (CJEU) Upholds the rules of EU law Provides preliminary rulings concerning The interpretation of Treaties Validity and interpretation of acts ➔ Most GDPR case law: Court or tribunal of EU Member State requests a preliminary ruling from the CJEU concerning interpretation of EU law in relation to national case (only guidance, national court applies guidance to make decision) Why GDPR? Internet is a place of exercising fundamental freedoms such as freedom of expression and information and freedom of assembly and association Other fundamental rights are being challenged including right to integrity of the person, respect for private and family life (Art. 7 Charter), protection of personal data (Art. 8 Charter), non-discrimination Article 7 Charter. Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. ➔ Right to privacy is not limited to protection of personal data ➔ Interference with right to privacy not possible on basis of consent (unlike Art. 8) but only on basis of national security, public safety, economic well-being, prevention of disorder and crime, protection of health and morals, protection of rights and freedoms of others ➔ Interference must be: legitimate (in accordance with law), proportionate (necessary) to the aim pursued (interest) Article 8 Charter. Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority ➔ Supplements Art. 7 of Charter ➔ Subject to proportionality like in Art. 7 ePrivacy directive Directive on Privacy and Electronic Communications Objective: ensure equivalent level of protection across Member States of fundamental rights and freedoms and right to privacy with respect to processing of personal data GDPR takes precedence over ePrivacy Directive when there is a conflict (lex specialis vis a vis GDPR) prohibits interception or surveillance of communications and traffic data by third parties covers any operations enabling third parties to become aware of communications and data other than operations for conveyance of communication Interference justified by consent or a necessary, appropriate and proportionate measure within democratic society Access to traffic and location data only for purposes of fighting serious crime 2 Legal Framework of General Data Protection Regulation (GDPR) GDPR principles are derived from Article 8 of the Charter of Fundamental Human Rights Main legislation on privacy in the EU, replaced Data Protection Directive from 1995 in 2018 Purpose (Article 1): Protect the fundamental rights and freedoms of natural persons with regard to the processing of personal data, in particular their right to privacy, as well as the free movement of personal data ➔ Establish balance between protection of data subject’s rights and legitimate interests of data controllers, third parties, and public interests. GDPR distilled: Data controller must ensure legitimacy, transparency, security to demonstrate accountability and ensure empowerment of the data subject. For due diligence purposes, the principles can be roughly grouped: Lawful processing (legitimacy, including proportionality) Data controller’s obligations (accountability, including security) Data subject’s rights (empowerment, including transparency) Six principles Legitimacy Purpose limitation: personal data may be processed for legitimate purposes that are specified and explicit Processing must be fair (extensive, more detail later) and have legitimate basis Legitimacy depends on nature, scope, context, purposes, risks to the rights and freedoms of natural persons (likelihood and severity) Proportionality balance between protection of data subject’s right and legitimate interests of data controllers, third parties, and public interests personal data should be limited to what is necessary (data minimization) and not kept longer than necessary (storage limitation) legitimate basis for each purpose the data is processed for, Art 6(1) provides legitimate basis: ▪ consent freely given, specific, informed, unambiguous indication of data subject’s wishes which signifies agreement to the processing (Art. 4 (1)(11)) consent request must be clearly distinguishable from other matters and consent may be withdrawn at any time (Art. 7) ▪ performance of a contract ▪ legal obligation ▪ legitimate interest of controller or third party except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms (balancing test) connected to accountability (state of the art (Art. 25) and implementation cost (Art. 32) of certain measures) and security (technical and organizational measures must be appropriate (Art. 5(1)(f)), for rectification and erasure account must be taken of available technology, cost of implementation and disproportionate effort) Empowerment Legal framework must enable human agency and right to self-determination Consent (see proportionality) is clear example of empowerment Rights concerning access (Art. 15), rectification (Art. 16), erasure (Art. 17, right to be forgotten, equivalent to irreversible anonymization), objection (Art. 21(1), data controller must comply unless there are compelling legitimate grounds which override data subject’s interests and rights) Right to obtain confirmation as to whether or not personal data are processed Right to data portability (Art. 20) Right to not being subject to automated individual decision-making (e.g. online decision to award a loan), including profiling (Art. 22) Transparency Prerequisite for accountability and empowerment Data subject must be informed about data controller’s identity, categories of personal data, purposes for processing, legitimate interests, logic involved in, significance and consequences of automated decision-making Information must be provided in concise, transparent, intelligible, easily accessible form, using clear and plain language (Art. 12(1)) (privacy policies on websites are an efficient way to do so) Accountability Art. 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’) Art. 24, appropriate technical and organizational measures) ▪ Record of processing activities (Art. 30) ▪ Data Protection Impact Assessment in case the processing results in a high risk to the rights and freedoms of natural persons (Art. 35) If DPIA concludes high risk, data controller must consult supervisory authority (Art. 36) ▪ Data controller must designate a data protection officer in certain cases (Art. 37) ▪ Protection by design and default (Art. 25) Technical and organizational measures to ensure compliance, safeguards, and that only necessary personal data are processed Security Avoid the risk of e.g. accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access Level of security appropriate to the risk to natural persons (see proportionality) technical and organizational measures ▪ Pseudonymization and encryption ▪ Ensure confidentiality, integrity, availability, resilience of processing systems and services ▪ Ability to restore availability and access to personal data in a timely manner in the event of physical or technical incident ▪ Testing, assessing and evaluating the effectiveness of technical and organizational measures Ensure that natural persons with access to personal data acting under the authority of data controller or processor do not process without instructions (Art. 32(4)) In case of personal data breach data controller must inform supervisory authority (art. 33) and data subjects (Art. 34) where there is a risk to rights and freedoms of natural persons (data subjects must only be informed when there is high risk) Key actors Data subject: identified or identifiable natural person (Art. 4(1)) Data controller: o the one who determines the purposes and means of the processing of personal data (Art. 4(7)) o can act alone or jointly with others Data processor: the one who processes personal data on behalf of the data controller (Art. 4(8)) Supervisory authority: independent public authority established by a Member State (Art. 4(1)) Third party: Someone other than data subject, controller, processor and persons who are authorized to process under direct authority of data controller or processor (Art. 4(1)) Recipient: The one to which the personal data are disclosed (Art. 4(1)) 3 Scope of application GDPR is a regulation (binding in its entirety and directly applicable in all Member States) -> individual implementation neither necessary nor permissible o However, GDPR provides for a number of derogations which must be laid down in national law (e.g. specific conditions for processing of national ID number) The principle of priority: The GDPR takes precedence over any conflicting legislation that may exist in any Member State national law (including sector-related regulations). Sector regulations The GDPR allows EU member states to adopt supplementary laws in certain defined areas (e.g. in the field of employment law). These local laws can provide further regulation to the principles of protection in the GDPR. Delegated acts The GDPR allows the European Commission and the European Data Protection Board (EDPB) to adopt delegated and implementing acts in certain areas. Delegated or implementing acts are non-legislative acts adopted by the European Commission that serve to amend or supplement the non-essential elements of the legislation to update it to reflect developments in a particular sector or to ensure that it is implemented properly 3.1 Material Scope GDPR Article 2(1) Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Personal data: GDPR Article 4 (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ➔ Personal data is information concerning an identifiable person, and not only information that identifies the person ➔ GDPR protection does not apply to data which is rendered irrevocably anonymous Any information: Any sort of statement about a person in any format Subjective and objective information (facts, opinions and assessments), does not have to be true Any kind of activities (private life, working relations, economic and social behavior, etc.) Regardless of position or capacity of the person (consumer, patient, employee, etc.) Relating to: Data that refer to identity, characteristics or behaviour of the person Data that are used to determine or influence the way in which the person is treated or evaluated “relates” to the data subject where the information, by reason of its content, purpose or effect, is linked to a particular person ➔ Determination through content element, purpose element, and result element Identified or identifiable: Identified: the person is distinguished from other members of the group Identifiable: possible to identify the person (whether any potential identifier actually identifies an individual depends on the context) Direct identification (e.g. name) or indirect identification (e.g. social security number, combination of significant criteria that allow to single out the person) GDPR provides a non-exhaustive list of identifiers, including name, identification number, location data, online identifiers (IP address, cookies which might be personal data ➔ To determine identifiability one should consider all the means likely to be used, e.g., cost of conducting identification, intended purpose, way of data processing, advantage expected by the controller, interest at stake for the person, risk of data breaches ➔ Data can be anonymized, however reidentification possible with large sets of data ➔ Pseudonymized data: anonymous for recipient, but accessible for the sender with a key for re-identification -> still personal data Natural person: Living human beings Some exemptions to deceased persons and unborn children Some provisions of the ePrivacy Directive extend protection to legal persons If information regarding legal person relates to natural person, it is considered personal data Processing: GDPR Article 4 (2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing relates to any activity in the data life cycle, e.g., generation, use, transfer, transformation, storage, archival, destruction Exeptions from material scope: Article 2(2) This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b)by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU (“specific provisions on the common foreign and security policy); (c) by a natural person in the course of a purely personal or household activity; (d)by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Art. 23 – Union or Member State law may restrict the scope of the GDPR, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: a) national security; b) defence; c) public security; d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security; f) the protection of judicial independence and judicial proceedings; g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points a) to e) and g); i) the protection of the data subject or the rights and freedoms of others; j) the enforcement of civil law claims. Article 85(2) Processing carried out for journalistic purposes or the purpose of academic artistic or literary expression If necessary to reconcile the right to the protection of personal data with the freedom of expression and information See also art. 85-90 3.2 Territorial scope Data controllers established in the EU Data controllers not established within the EU that process data concerning data subjects in the EU with a view to offering products or monitoring behaviour within the EU GDPR Article 3 (1) activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (2) applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. ➔ Determination: Controller or processor envisages offering services to data subject in the EU (accessibility of website or general use of language do not count) Processing data to monitor the behaviour of data subjects, especially tracking on the internet to profile the person (3) applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. Responsibilities of the data controller Know for which purposes you are processing personal data. Know which personal data is needed for fulfilling the purposes and their legality of processing. Know your processing landscape – physically and digitally. Adapt your processing accordingly. Document your processing. Be transparent and inform the data subjects. 4 Lawful Processing of Personal Data Any processing of personal data must satisfy two requirements: be in compliance with the six basic principles for processing personal data set out in GDPR article 5 have a legitimate basis in GDPR article 6 or 9 Requirements are cumulative: data controller must comply with all the general principles laid out in Art. 5 and have a legitimate basis in accordance with Art. 6(1) 4.1 GDPR Art 5(1) - Basic principles for processing personal data Personal data shall be: (a) “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)” Lawfulness: Art 6 or 9 build the legitimate basis for processing Fairness: o vague legal norm that seeks to ensure general compliance with Charter, GDPR and national law o depends on context (purpose, proportionality, consent), e.g. processing on the basis of a consent given under a threat of violence is not lawful (not freely given) o processing must be reasonable from a data subjects point of view – only relevant information Transparency: o Duty to inform data subjects related to fair processing o Duty to inform data subjects about their rights, risks, rules, safeguards o Facilitate data subjects’ exercise of their rights ➔ Importance: data subject needs to know which and to which extent personal data are processed ➔ Information must be easily accessible and easy to understand (clear and plain language) ➔ As long as the data controller makes the information available in a readable and understandable format, the data controller is compliant with transparency, even if data subject does not read it (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’) Exception: further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes Specified: Purpose sufficiently defined as to enable the implementation of data protection safeguards and to delimit the scope of the processing operation Explicit: purpose must be sufficiently unambiguous and clear in their meaning or intent Legitimate: o Art 6 and 9 build the legitimate basis for processing o Compatible with broader legal principles of applicable law (e.g. employment law, contract law, fundamental rights) (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’) Adequate: only process personal data if the purpose cannot be fulfilled by other means Relevant: Only use personal data which is relevant to fulfil the purposes of the processing. Do not collect data which is “nice to have”. Limited: o Process as few personal data as possible o Processing period must be limited to a strict minimum Related to Privacy by design and by default: data is not automatically processed when you don’t confirm it, e.g., location is not automatically turned on when opening an app (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) Personal data must be kept up to date and incorrect personal data must be deleted or rectified Obligation of ongoing control Inaccurate information can have adverse consequences for data subject, e.g. false information about credit worthiness can worsen loan terms, wrong tax report can reduce social benefits (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’) Exception: personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject proportionality, e.g., does the data retention to provide better services (purpose) overweigh the right to privacy of the data subject e.g. storage of personal data o for marketing as long as the business is a going concern o for complying with legal requirements such as anti-money laundering or taxation purposes (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’) Obligation to implement technical and organizational security measures appropriate to the risk o article 32 (security of processing) o Depends on the nature of personal data and processing Example Webshop: someone buys something in a webshop and indicates his personal data for the order. Purposes Contract 6(1)(b) Legal obligation reporting tax 6(1)(c) Direct marketing 6(1) (a) Targeted marketing 6(1) (f) Security 6(1) (f) 4.2 GDPR Art 5(2) - Accountability The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). ➔ The burden of evidence is laid upon the data controllers and processors if a claim of non-compliance is made 5 Lawful processing – legitimate basis Different types of personal data require different legitimate basis: Ordinary (Art. 6) Sensitive (Art. 9) Relating to criminal conviction and offences (Art. 10) National Identification Numbers (Art. 87) 5.1 Ordinary personal data (Art. 6) Also normal or non-sensitive data, i.e. categories of data not listed in Art. 9 Art. 6(1) provides possible legitimate bases for lawful processing (at least one must apply): a) Consent o Art. 4(11): any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her ▪ Freely given: Genuine and free choice Refusal or withdrawal of consent without detriment, right for the data subject to withdraw consent at any time, it shall be as easy to withdraw consent as to give it (Art. 7(3)) Consent should not provide a legal basis in cases where there is a clear imbalance (in power) between the data subject and controller (in particular where the controller is a public authority or employer) “[...] utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." (Art. 7(4)) o Note that access to services and functionalities can be made conditional on consent, e.g. to cookies, argument: there are alternatives that do not require consent for access, therefore it is still a free choice ▪ Specific: Purpose specification (safeguard against function creep) Granularity in consent requests (no bundling) -> separate consent to different personal data processing operations Clear separation from other matters Intelligible and easily accessible, clear and plain language no unfair terms ▪ Informed: When requesting consent the controller must inform the data subject about Identity of data controller Purpose of each processing operation What data is being used Right to withdraw consent (prior to giving consent) Use of data for automated decision-making where relevant Risks of data transfers when there is no decision on adequacy made and appropriate safeguards ▪ Unambiguous: Direct and obvious consent is necessary, no indirect approval (e.g. through pre-tick boxes), active motion or declaration Written (including electronic) or oral statement (e.g. tick boxes with text next to them) o Consent does not exempt the data controller from his general obligations b) Performance of a contract (or steps to enter into a contract on request of data subject) o E.g. employment contract: name, address, bank account number necessary for the data controller to fulfill the obligations towards the data subject o E.g. purchase of goods and services online c) Compliance with a legal obligation o E.g. companies must process employee and customer data for taxation reasons (income tax, VAT) o Law determines the purpose and specifications of processing d) Protection of a vital interest (data subject or another natural person) o E.g. monitoring epidemics (vital + public interest, weighing up against right to privacy) o May only be invoked as legitimate basis for processing personal data of another natural person if such processing cannot be based on another legal basis e) Task carried out in public interest or in the exercise of official authority (öffentliche Gewalt) o Often in conjunction with legal obligation (c) o E.g. register to investigate criminal activities f) Legitimate interests pursued by the controller or by a third party (includes general public) + legal claims (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject -> “balancing test”) o Three elements of the legitimate interest basis ▪ identify a legitimate interest ▪ show that the processing is necessary to achieve it If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply ▪ balance it against the individual’s interests, rights and freedoms If individuals would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests Factors: nature of legitimate interest, impact on data subject, provisional safeguards to prevent any undue impact on data subject 5.2 Sensitive personal data (art. 9) Exhaustive list: Racial or ethnic origin political opinions religious or philosophical beliefs trade-union membership genetic data biometric data (for unique identification of a natural person) data concerning health data concerning sex life or sexual orientation Also data capable of revealing sensitive data by means of an intellectual operation involving comparison or deduction (e.g. name of spouse or partner may reveal sexual orientation) Processing of sensitive data is prohibited (Art. 9(1)) but there are exemption Art. 9(2) provides an exhaustive list of exemptions: Explicit consent (express statement of consent) Carrying out obligations or exercising specific rights in the field of employment and social security and social protection law Protection of a vital interest (person must be physically or legally incapable of giving consent) Legitimate activities with appropriate safeguards by charities or not-for-profit body with a political, philosophical, religious or trade union aim (members, former members or regular contact) Manifestly made public by the data subject Legal claims (or judicial capacity of courts) Substantial public interest Preventive or occupational medicine, assessment of working capacity, medical diagnosis, provision of health or social care, treatment, management of health or medical care systems and services Public interest in the area of public health Archiving purposes in the public interest, scientific or historical research purpose or statistical purposes Art. 9(4): Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. 5.3 Personal data relating to criminal convictions and offences Special rule laid out in Art. 10: Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. Example: It is doubtful if processing of criminal record data in the employment process can be based on consent because it is probably not freely given (imbalance of power and refusing the consent comes with the detriment of not receiving a job offer). Processing can be allowed based on national laws, if sufficient safeguards are in place. 5.4 National identification numbers Special rule laid out in Art. 87: Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. 6 General Obligations and Responsibilities Accountability: Art. 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). Art. 24(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. Measures: Proactive and adequate measures at all stages of data processing must be introduced and documented. Privacy by design and default Appointment of DPOs Keeping of records and documentation related to the processing Conduct of privacy impact assessments communication in case of data breach 6.1 Art. 30 – Records of processing activities Requires controllers, controllers’ representatives and processors to document processing activities in written form. 1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: (a) name and contact details of Controller joint controller controller's representative DPO (b) purposes of the processing Purpose must be comprehensive and logically related to one or more processing activities and must be distinct from other purposes (c) categories of data subjects and personal data (d) categories of recipients (including outside EU/EEA recipients and international organizations) (e) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization; documentation of suitable safeguards in case of transfers to third countries without adequacy decision or binding corporate rules per Art. 49(1) (f) data retention periods if possible (g) technical and organisational security measures referred to in Article 32(1) if possible 2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing: (a) name and contact details of Controller Controller’s representative Processor Processor’s representative DPO (b) categories of processing (c) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization; documentation of suitable safeguards in case of transfers to third countries without adequacy decision or binding corporate rules per Art. 49(1) (d) technical and organisational security measures referred to in Article 32(1) if possible Exemptions Art. 30(5) Enterprise or organisation employing fewer than 250 persons unless processing is likely to result in a risk to the rights and freedoms of data subjects processing is not occasional processing includes sensitive data per Art. 9(1) or data relating to criminal convictions and offences per Art. 10 ➔ in practice: processing seldom occasional, and contains a risk itself -> almost all controllers and processor must maintain a record of processing activities 6.2 Art. 25 - Data protection by design and by default Based on Art. 5(1)(f) – integrity and confidentiality By design Art. 25(1): Obligation to implement technical and organisational measures supporting data protection principles during planning and performance of the processing, taking into consideration: State of the art and cost of implementation Nature, scope, context, and purposes of the processing Risks for the rights and freedoms for natural persons E.g. pseudonymization of personal data (as soon as possible) and functionalities for the data subject to monitor the processing By default Art. 25(2): Requirements for default settings - limiting data to what is necessary for the purposes of the processing: Amounts and types of data Extent of processing Period of storage Accessibility E.g. data collection features are set to off and can be turned on according to the data subjects preferences 6.3 Art. 32 - Security of processing (‘security by design’) Based on Art. 5(1)(f) – integrity and confidentiality Personal data must be protected from Destruction (intentional or accidental) loss alteration (ransomware, damaged software or hardware) unauthorized access (e.g. hacking, phishing, accidental disclosure) (1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 6.4 Art. 33 and 34 – Personal data breach Based on Art. 5(1)(f) – integrity and confidentiality Examples: British Airways (did not recognize a cyber attack for more than 2 months because it did not have appropriate security measures), 7-eleven (ransomware attack), FB data leak 6.4.1 Art. 33 – Notification to supervisory authority Obligation for the controller to notify the personal data breach to the supervisory authority o Exception: "…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." o The controller has the burden of proof that the exception applies (accountability) When: "… without undue delay and, where feasible, not later than 72 hours after having become aware of it…" o "without undue delay“ should take into account the nature and gravity of the personal data breach and its consequences for the data subject o notification not made within 72 hours shall be accompanied by reasons for the delay Notification should at least contain: o nature of data breach (categories and number of data subjects and personal data records) o contact details of DPO o likely consequences o measures to address the data breach 6.4.2 Art. 34 – Communication to the data subject Obligation to communicate the personal data breach to the data subject o only if high risk to rights and freedoms o not if ▪ controller has implemented appropriate technical and organisational protection measures (in particular those that make the data unintelligible) ▪ controller has taken measures which ensure that the high risk is no longer likely to materialize ▪ disproportionate effort -> in that case, there must be public communication o controller has the burden of proof when he considers the breach not to be high risk (accountability) When: "without undue delay" (no 72h limit) o should allow affected natural persons to take necessary precautions o should take into account the nature and gravity of the personal data breach and its consequences for the data subject Communication should contain (in clear and plain language): o nature of data breach o recommendations for the natural person to mitigate potential adverse effects 6.5 Art. 35 - Data protection impact assessment (DPIA) Based on Art. 5(1)(f) – integrity and confidentiality 6.5.1 Risk assessments must be carried out before processing relates to all the terms in the GDPR that go along the lines of “taking into account/assessing risk to the fundamental rights and freedoms of the data subject -> weighing risks against protection measures No formal requirements but supplementary information in Recital 76 o likelihood and severity of the risk (character, scope, context and purpose of processing operations) o distinction between risk and high risk Examples of risks to the data subject: o Physical injury; o Material damage; o Intangible damage; o Discrimination;. o Identity theft; o Identity fraud; o Economic impact, including financial losses; o Damage to reputation; o Social consequences; o Influence on privacy; o Damage to human dignity; o Damage to legitimate interests; o Restriction/violation of fundamental rights and freedoms; and o Obstacle in exercising control over own personal data 6.5.2 Impact assessments must be carried out when processing carries high risk to the rights and freedoms of natural persons, in particular through the use of new technologies Activities that may require a DPIA: o systematic evaluation or analysis of personal data; o automated decision-making with legal or equivalent significant effect; o systematic monitoring; o sensitive information or information of a highly personal nature; o matching or combination of data sets; o information on vulnerable data subjects (e.g. children); o innovative use or application of new technology or new organisational solutions; o processing itself prevents data subjects from exercising a right or making use of a service or a contract DPIA must contain at least: o systematic description of processing operations and purposes (legitimate interest where applicable) o assessment of the necessity and proportionality in relation to purposes o assessment of the risks to the rights and freedoms of data subjects o measures to address the risks 6.6 Art. 36 – Prior Consultation Based on Art. 5(1)(f) – integrity and confidentiality Controller shall consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller. 6.7 Art. 40 and 41 – Codes of conduct and monitoring of approved codes of conduct The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR Monitoring of approved codes of conduct may be carried out by a body with expertise and accredited by DPA 6.8 Art. 37, 38 and 39 – Data Protection Officer (DPO) 6.8.1 Who must designate a DPO? Art. 37(1) (a) Public authorities and bodies, except for courts acting in their judicial capacity (b) core activity of controller or processor consists of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale Monitoring is described in further detail in recital 24 (c) core activity of controller or processor consists of processing on a large scale of special categories of data pursuant to article 9 and data relating to criminal conviction and offences referred to in article 10 6.8.2 DPO tasks Art. 39(1) (a) Inform and advise on obligation to comply with GDPR and other data protection laws Does not include: o Specific legal advice on data processing activities o Drafting contracts or data processing agreements (b) monitor compliance with GDPR and other data protection laws Including: o assignment of responsibilities o awareness-raising o training of staff involved in processing operations o audits of data processing activities (c) advise on data protection impact assessment and monitor its performance pursuant to Article 35 (DPIA) Whether or not to carry out a DPIA Methodology Inhouse or outsource it What safeguards (including technical and organizational measures) to apply to mitigate any risks to the rights and interests of the data subjects; whether or not the data protection impact assessment has been correctly carried out; and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection requirements. (d) cooperate with supervisory authority (e) Point of contact: controller must provide identity of DPO to supervisory authorities, so they contact regarding processing matters, including Prior consultation Article 36 (i.e. consult supervisory authorities before processing if DPIA indicates high risk) Complaints about DPO Data breaches audits Article 13(1)(b) and 14(1)(b): controller must provide identity of DPO to data subjects Article 12(3): DPO shall inform controller of the duty to provide information on action taken on data subjects’ request under Articles 15 and 22 within the deadlines laid out in Art. 12(3) failure of the controller to comply with deadlines must be assessed by DPO (single error or need to act) Art. 38(4) Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation. 6.8.3 Independence Art. 38(3) The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor. Art. 38(6) There must be no conflict of interest with other tasks and duties. In practice: DPO cannot be responsible for advising and determining the purposes and means of processing DPO employment termination and just cause Case: C-534/20, Leistritz https://gdprhub.eu/index.php?title=CJEU_-_C-534/20_-_Leistritz Company terminated contract woth DPO because of restructuring measures DPO challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(3) GDPR and Section 6(4) BDSG, as the employment could be terminated only in case of a “just cause” The Court agreed with the plaintiff and declared LH's termination unlawful since no “just cause” was to be found in the present case. The Company filed an appeal against the decision. The issue raised was whether Article 38(3) GDPR allows a Member State to make laws that impose stricter conditions for the termination of a DPO. The CJEU concluded that Article 38(3) GDPR is intended only to ensure a DPO's functional independence, not to govern the overall employment relationship between a controller or a processor; it applies irrespective of the nature of the DPO's employment relationship with the controller or processor. What is just cause? Misconduct and criminal offense breach of employment contract Case to case assessment The CJEU has ruled on the question of whether the GDPR allows for the applicability of the German provisions governing the termination of a DPO employment pursuant to the German Federal Data Protection Act. According to the CJEU, the German provisions, under which a DPO's employment may only be terminated for just cause, even if the termination is not related to the performance of his or her duties, in principle do not conflict with EU law. However, the realisation of the objectives of the GDPR must not be compromised by the interpretation of the regulations, i.e., the DPO must continue to be sufficiently competent for his or her activities. This means that a termination must be possible even if the strict requirements under the traditional employee-friendly application of German employment protection law are not met. 7 Controller, Joint Controllers and Processors Sources: Find passage in book, Lecture 5 7.1 Data controller Art. 4(7) the one who determines the purposes and means of the processing of personal data can act alone or jointly with others Guidelines 07/2020 (The European Data Protection Board updated Article 29 WP opinion from 2010) decides on both the purposes and means of the processing through exercising decision- making power for the purpose and deciding essential means Exercising decision-making power requires: o factual deciding influence on the purpose, e.g. anticipated outcome that is intended through the purpose o factual deciding influence on the essential means, e.g. why and how; e.g. type of personal data, categories of data subjects and duration of the processing However, the processor may have some influence on the means of processing o Processor may decide on non-essential means e.g. more practical aspects of implementation, such as the choice for a particular type of hard- or software or the detailed security measures 7.2 Processor Art. 4(1)(8): the one who processes personal data on behalf of the controller Article 28 (3) Processing must be governed by a contract between controller and processor that entails: (a) documented instructions from the controller (also stipulated in Art. 29) (b) confidentiality commitment (c) security measures pursuant to Art. 32 (d) compliance with paragraph 2 and 4 2: processor needs authorization from controller to engage another processor 4: when processor engages another processor same obligations apply and he has to create another contract, the initial processor is fully liable (e) that processor must assist controller in responding to requests of data subjects to exercise their rights (f) that processor must assist controller in ensuring security (Art. 32 and 36) taking into account the nature of processing and the information available to the processor (g) that processor must delete or return all personal data at the choice of the controller after processing agreement ends (h) that processor must make available to the controller all information necessary to demonstrate compliance (10) if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller Relationship between the controller and the processor ➔ It is not sufficient to just comply with the obligations in Art. 28 (information on the procedures to comply with obligations and the necessary level of guarantees and security) ➔ Controller needs to take into account the processors expert knowledge, reliability and resources to ensure sufficient guarantees and security Not a processor of the controller when: Employees and other persons such as temporarily employed staff, is acting under the direct authority of the controller, however they shall only process personal data under instruction of the controller (Art. 29) The provided the entity is not hired to process personal data o Example: ▪ General IT support with access to personal data -> processor ▪ specific IT-support not hired to process personal data -> not a processor, since access to personal data will be purely incidental and very limited Data Processing Agreements Standard contractual clauses to ensure compliance with Art.28(3) and (4), i.e. clauses for contract between data controller and processor and contract between processors DPA has to be complied with no matter what the main contract says Subprocessors can dock in into agreement, i.e. sign a copy 7.3 Joint Controllers Article 26 (1) two or more controllers jointly determine the purposes and means of processing o Common decision or converging decision on the purposes and means of a processing activity of two or more entities if: ▪ Common meaning jointly decision about the purpose and means of processing ▪ Converging meaning decisions about different aspects of the processing if decisions complement each other and are necessary (meaning that processing would not be possible without both parties’ participation). determine their respective responsibilities for compliance with obligations (especially vis a vis the data subjects, i.e. enable data subjects to exercise their rights and inform them) (2) share of control activities may be unequal but each controller can be held fully liable for the whole processing activity, including the parts of processing executed by the other controllers. The essence of the agreement shall be made available to the data subject (3) Data subject may exercise their rights against each of the joint controllers Relationship among joint controllers Agreement on their responsibilities on “who does what” requiring a mapping of processing activities: ➔ “EDPB recommends documenting the relevant factors and the internal analysis carried out in order to allocate the different obligations. This analysis is part of the documentation under the accountability principle” ➔ In practice: updating joint controller agreements with the EDPB recommendations Case C-40/17 (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV). Like button transmits data if there is a cookie consent When placing a Facebook “Like” button who is mainly responsible for complying with the GDPR principles? The CJEU adopted a broad view of the situations in which a “joint controllership” can arise. It held that, under EU data protection legislation, the operator of a website featuring the Facebook ‘Like’ button (a social plugin that causes the transmission to Facebook of website users’ personal data) can qualify as a controller, jointly with Facebook. Consequently, the website operator is directly responsible for complying with legal obligations in this respect, including by informing its users that their personal data will be transferred to Facebook. However, the CJEU importantly clarified that the website operator’s role as controller (and the corresponding legal obligations, e.g. duty to ensure legal basis, inform etc.) is limited to the collection and transmission of the data to Facebook and does not include any subsequent personal data processing that Facebook carries out. -> However, the website operator can be held liable when Facebook does not comply with GDPR in regard to the joint processing activity. The CJEU’s findings will potentially affect third-party technologies other than the Facebook ‘Like’ button, which are often incorporated into websites, such as cookies and pixels. ➔ Joint purpose: targeted marketing for Fashion ID How would the responsible parts control and ensure compliance with the GDPR? website operator must inform data subjects of the data processing and must collect the data subjects’ consent in this regard when needed o cookie consent o website violated transparency principle FB must collect consent to subsequent processing FB must provide information to the data subjects about the subsequent processing Fashion ID and FB must have an agreement to assign responsibilities for joint purposes ➔ If data is passed on, the data controller is changed, if the purpose is not shared 8 Data subject’s rights Overview Transparency art. 12 -> describes how the information regarding Art. 13-22 must be provided to the data subject Duty to inform art. 13-14 (right to information) Right of Access art. 15 Right to Rectification art. 16 Right to Erasure art. 17 Right to restriction of processing art. 18 Right not to be subject of an automated decision art. 22 8.1 Art. 12 – Transparency (1) The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 (user rights) and 34 (data breach) relating to processing to the data subject in a: concise transparent intelligible (using clear and plain language, in particular for any information addressed specifically to a child), and o indefinite language (e.g. “may”, “might”, “some”, “often” and “possible”, and abstract terms) should be avoided (if not possible controller should explain why and how it undermines the fairness of processing -> accountability) easily accessible form. o data subject should not have to seek out the information o taking into account the different devices and user interfaces o Examples: ▪ 1 klick from the main page to the privacy statement ▪ Link or contextual popups in online form ▪ FAQs ▪ layered privacy notice ▪ Link in app store prior to download (3) controller shall provide information without undue delay and within max. one month (can be extended by 2 months considering complexity and number of requests, controller must inform about extension) (5) free of charge, unless the request is unfounded or excessive 8.2 Art. 13-14 – duty to inform (right to information) Art. 13 and 14 describe which information the controller must provide to the data subject when personal data are collected -> without request from data subject Art. 13 when data are collected directly from data subject Art. when data are not directly collected from data subject, e.g. from other controller, processor or public data sources (1) and (2) of Art. 13-14: information to be provided The identity and the contact details of the controller and, where applicable, of the controller's representative; The contact details of the data protection officer, where applicable; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; Art. 14: the categories of personal data concerned; [only third party collection] Art. 14: data source; [only third-party collection] the recipients or categories of recipients of the personal data if any where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards period for which the personal data will be stored or if not possible criteria to determine period existence of right to access, rectification, erasure and data portability where the processing is based on consent, the existence of the right to withdraw consent at any time right to lodge a complaint with a supervisory authority Art. 13: whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Exceptions: Art. 13 and 14: data subject already has the information Art. 14: o Disproportionate effort / information would render impossible or seriously impair the achievement of the objectives of the processing. o Obtaining or disclosure of personal data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests o Personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. Successive controllers (Art. 14) in practice: Consent form of the initial controller entails the privacy statement of the subsequent controller (or a link to it), so data subject gives consent to both, the initial and subsequent processing. 8.3 Art. 15 - Right of access (1) Individuals have the right to access their own personal data (subject access) get information about the related processing from the controller (covered in Art. 13-14) (3) One copy of personal data must be free of charge, administrative fee can be charged for further copies (4) right to obtain copy only when it does not adversely affect the rights and freedoms of others Example: when former employee requests full inbox, information not related to the data subject must be redacted. 8.4 Art. 16 - Right to rectification Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete. Personal data is inaccurate if it is incorrect or misleading as to any matter of fact. right is closely linked to accuracy principle in Art. 5(1)(d) C-434/16– Peter Nowak – access right with the aim of rectification: German student was granted access to the evaluation of his paper after requesting and appealing to court. He aims to get the evaluation rectified. Reasoning: First, the content of the answers reflects the extent of the candidate’s knowledge and competence in a given field and, in some cases, his intellect, thought processes, and judgment. In the case of a handwritten script, the answers contain, in addition, information as to his handwriting. Second, the purpose of collecting those answers is to evaluate the candidate’s professional abilities and his suitability to practice the profession concerned. Last, the use of that information, one consequence of that use being the candidate’s success or failure at the examination concerned, is liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought. 8.5 Right to erasure (‘right to be forgotten’) (1) individual has right to erasure when certain grounds apply (not an absolute right): the personal data is no longer necessary for the purpose which you originally collected or processed it for; you are relying on consent as your lawful basis (Art. 6(1)(a)) for holding the data, and the individual withdraws their consent; you are relying on legitimate interests or public interest (Art. 6(1)(f) and (e)) as your basis for processing, the individual objects to the processing of their data (Art. 21(1)), and there is no overriding legitimate interest to continue this processing; o right to erasure can only be invoked based on a valid exercise of the right to object under Art.21(1), i.e. substantiated and not overridden by ‘legitimate grounds for processing’, or Art.21(2), i.e. when personal data is specifically being processed for direct marketing purposes you are processing the personal data for direct marketing purposes and the individual objects to that processing (Art. 21(2)); you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of Art. 5(1)(a)); you have to do it to comply with a legal obligation; or you have processed the personal data to offer information society services (e.g. online news, platforms for inserting advertising) to a child (Art. 8(1)). (2) If you have disclosed the personal data to others, you must contact each recipient and inform them that they have to erase the personal data, unless this proves impossible or involves disproportionate effort. (3) Exceptions: right of freedom of expression and information Public interest o compliance with a legal obligation or task carried out in the public interest o public interest in the area of public health o archiving purposes in the public interest establishment, exercise or defence of legal claims Google Spain Case Spanish newspaper mentioned data subject’s name in connection with attachment proceedings in an online newspaper article and google referenced the article with links in the search browser, so it can be found with a search query of the data subject’s name. Data subject requested Google to dereference the links the article that follow from searching the name (right to object (+ right to be forgotten) ➔ combination of right to object: focuses specifically on one particular processing operation (i.e. linking name to search result) and right to erasure: aims to remove the link between the search term and the result ➔ data subject’s right to privacy vs. legitimate interest of google and the newspaper to disseminate information and public interest (freedom of expression and information) ➔ CJEU decided that the legitimate interest of the newspaper and Google does not override the data subject’s right to privacy, up to national court to decide if there was a public interest in the data Case – C-398/15 Manni data subject has bankruptcy entry of a former company in the official company register of the Chamber of Commerce aims to object to the storage of these information because he claims that the entry has adverse on the sales of his current company and on its credit rating Register of the Chamber of Commerce serves: o third party interest (interest of third parties and ensure legal certainty and fair trading for the internal market may take precedence) o Fulfilling legal obligations (Directive 68/151 (compulsory disclosure of company data in public register)) -> terms of doing business ➔ CJEU left it to national court to decide whether the data subject’s data protection rights outweigh the rights under Directive 68/151 -> case by case basis ➔ noted that data subject could not sell based on data in register is not a sufficient reason Comparison to Google Spain Case: In google spain case, data was outdated and not relevant anymore, not the case here Google case delt with a private person, here it is a business person 8.6 Art. 18 - Right to restriction of processing (1) individual has right to request the restriction of processing when certain grounds apply (not an absolute right): the individual has contested the accuracy of their personal data, restriction during the period of verifying the accuracy of the data; the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of Art. 5(1)(a)); and the individual opposes erasure and requests restriction instead; you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or the individual has objected to you processing their data under Article 21(1), restriction during the period of verifying if your legitimate grounds override those of the individual. (2) When processing is restricted, you are permitted to store the personal data, but not use it 8.7 Art. 20 - Right to data portability (1) The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services (i.e. transmit data to another controller without hindrance from the controller), however only when: your lawful basis for processing this information is consent (Art. 6(1)(a)) or the performance of a contract (Art. 6(1)(b)); and you are carrying out the processing by automated means (i.e. excluding paper files). You should provide the personal data in a format that is: structured; commonly used; and machine-readable. (2) right to have the personal data transmitted directly from one controller to another, where technically feasible (4) only when there is no adverse effect on the rights and freedoms of others (complicated when data sets are interwoven, e.g. social media) Use in practice: Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. 8.8 Art. 21 - Right to object Individual has right to object to processing when certain grounds apply (not an absolute right) (even though the processing is lawful): processing is based on public interest or legitimate interest (Art. 6(1)(e) and (f)) o processing can be continued when you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims personal data are processed for direct marketing purposes (absolute right) An individual must give specific reasons why they are objecting to the processing of their data. These reasons should be based upon their particular situation. Key difference to right to erasure: Focuses on a specific processing operation, whereas the right to erasure relates to the personal data itself ➔ The right to object only prevents further processing for one or more delineated purposes, whereas the right to erase prevents processing of any kind as the data can no longer be stored by the controller 8.9 Art. 22 – Right not to be subject to automated individual decision-making, including profiling (1) individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. (2) Exceptions. necessary for entering into or performing a contract authorized by Union or Member State law explicit consent (3) measures to safeguard the data subject's rights and freedoms and legitimate interests right to o obtain human intervention by the controller o express point of view (data subject) o contest the decision (4) decisions shall not be based on sensitive data, unless Article 9(2)(a) (explicit consent) or (g) (substantial public interest) applies 9 Transfer of personal data Tools to transfer data to third countries: Adequacy decisions Appropriate safeguards o Standard contractual clauses o Ad hoc contractual clauses - must have SA authorization o Binding corporate rules o Approved codes of conduct and certification mechanisms o Reliance on international agreements - Example: Passenger name records (PNRs) Derogations for specific situations CJEU decided that posting data on website does not constitute a transfer of personal data to a third country because a website does not have the technical means to send the data to people who did not intend to access the website. 9.1 Art. 45 – Adequacy Decisions (1) and (3) European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection (domestic legislation or international commitments) (2) Criteria for adequacy of the level of protection: rule of law, respect for human rights and fundamental freedoms, relevant domestic legislation (such as national security and access of public authorities to personal data), data protection rules, case law, data subject rights (stable administrative and judicial system, so data subject can assert its rights) independent supervisory authorities international commitments and other obligations the third country has entered into adoption of an adequacy decision involves: a proposal from the European Commission an opinion of the of the European Data Protection Board an approval from representatives of EU countries the adoption of the decision by the European Commissioners (5) At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation. ➔ effect of adequacy decision is that personal data can flow from the EU and EFTA (Switzerland, Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data. ➔ Adequacy decisions so far: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Japan, Uruguay (not US because Privacy Shield framework was deemed invalid by CJEU in 2020) 9.2 Art. 46 – Appropriate Safeguards (2) appropriate safeguards without requiring any specific authorisation provided by: legally binding and enforceable instrument between public authorities or bodies (i.e. provisions to be inserted in administrative arrangements) Binding corporate rules Standard contractual clauses (adopted by Commission or supervisory authority) o Ad hoc contractual clauses between controller and recipient - must have supervisory authority authorization o Commission issued so far ▪ two sets of standard contractual clauses for data transfers from controllers in the EU and EEA to controller established in third countries ▪ one set of contractual clauses for data transfers from controllers in the EU or EEA to processors established in third countries Approved codes of conduct Approved certification mechanisms 9.2.1 Schrems Cases Case - C-362/14 Max Schrems v. Data Protection Commissioner Complaint: to the Irish Data Protection Commissioner (DPC) regarding the transfer of his personal data from Facebook's Irish subsidiary to the US US did not have adequate protection against surveillance activities of US public authorities (Snowden revelations) Ruling: Safe Harbour Privacy Principles (scheme for transfer of personal data between EU and US) were found to be invalid by CJEU data protection authorities have the power to investigate and suspend or prohibit data transfers, even if the transfers are based on a framework that has been approved by the European Commission ➔ Scheme was replaced by EU-US Privacy Shield: o data protection obligations for US companies o independent mechanism that deals with data subjects’ complaints o annual joint review Case - C-311/18 Schrems II Schrems filed a new complaint to the Irish DPC claiming Privacy Shield has same flaws as Safe Harbour US surveillance programmes interfered with his fundamental rights to o privacy (Charter Art. 7) o data protection (Charter Art. 8) o effective judicial protection (Charter Art. 47) Rulings of CJEU: US Privacy Shield is invalid o US does not provide for an equivalent data protection level to the EU ▪ controllers and processors transferring to third countries must assess if data protection is equivalent to EU level ▪ CJEU does not specify what constitutes an essentially equivalent level of protection, nor has this been specified in any later court ruling or new privacy legislation o legal bases for US surveillance programmes ▪ are not limited to what is necessary ▪ disproportionately interfere with rights to data protection and privacy (powers of US authorities not sufficiently limited and lack of actionable rights for EU subjects against US authorities) o Ombudsman mechanism lacks independence and enforceability o SCCs and BCRs are valid legal bases to transfer data to the US provided that controllers and processors ensure equivalent protection to GDPR EDPB issued recommendations to ensure equivalence with EU protection Risk assessment of transfers to third countries o Know your transfers - transfer must be adequate, relevant and limited to what is necessary in relation to the purposes o Verify the transfer tool o Assess if laws or practices in the third country infringe appropriate safeguards ▪ If that is the case, adopt supplementary measures o frequently re-evaluate the level of protection Supplementary measures o Examples: Encryption, shorter deletion deadlines, pseudonymization, restricted access and retransmission, data minimization o in accordance with Art. 32 – Security of processing 9.3 Art. 47 – Binding Corporate Rules Art. 4(1)(20) BCRs are internal rules for data transfers within multinational companies Governed by a code of conduct: allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. must ensure that all data transfers within a corporate group are safe must contain: o privacy principles, such as transparency, data quality, security o tools of effectiveness (such as audit, training, or complaint handling systems) o an element proving that the rules are binding (1) must be approved by supervisory authority wether they are legally binding confer enforceable rights on data subjects specify necessary details (Art. 47(2)) 9.4 Art. 48 – International Agreement When court or administrative authority of a third country requires the transfer or disclosure of personal data, it is only possible if there is an international agreement (e.g. mutual legal assistance treaty, Passenger name records (PNRs)) 9.5 Art. 49 – Derogations for specific situations (1) In the absence of adequacy decisions and appropriate safeguards, personal data may still be transferred if one the exceptions apply: explicit consent of the data subject after having been informed of the possible risks performance of a contract or pre-contractual measures requested by the data subject performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person public interest establishment, exercise or defence of legal claims vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent public register intended to provide information to the public according to EU or national law When there are no adequacy decisions or appropriate safeguards and the above exceptions do not apply, the transfer to a third country may still take place if: transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards Controller must inform supervisory authority and data subject of the transfer and the compelling legitimate interest. 10 Employee personal data Processing of employees’ personal data is subject to local employment law -> consultation must be carried out before processing Art. 88 (1) Member States can provide more specific rules in regard to processing of employees' personal data (2) rules shall include measures that safeguard the data subject's human dignity, legitimate interests and fundamental rights 10.1 Legal basis in employment employee’s consent (problematic because of imbalance of power) performance of employment contract compliance with legal obligation employer’s legitimate interest 10.1.1 Recruitment: processes before employment Application Private employers: Initial data retention based on legitimate interest (Art. 6(1)(f)) Public employers: Initial data retention based on public interest (Art. 6(1)(e)) For both: processing on sensitive personal data can be based on establishment, exercise or defense of legal claims (Art. 9(2)(f)) storage limitation applies (Art. 5(e)) Continued retention based on article 6(1)(a) or article 9(2)(f) Screening (i.e. assessing background information about applicant) Provided by applicant – GDPR article 6(1)(e) (public employer) or GDPR article 6(1)(f) (private employer) Collected by employer - GDPR article 6(1)(a) (public employer) and (private employer) data minimization applies (Art. 5(1)(c)) Exception in Art. 9 for the processing of sensitive personal data Art. 10 for the processing of data relating to criminal convictions and offences Personality tests 6(1)(f) (private employer) 6(1)(e) (public employer) employer may consider obtaining the applicant's consent to the processing of any sensitive data resulting from the personality test prior to the test, in accordance with article 9(2)(a) 10.1.2 Employment: processes in connection with the employment Entering into an employment agreement Processing necessary for performance of contract (Art. 6(1)(b)) o Contractual necessity must be assessed (perspective of the employee, nature and purpose of the employment agreement) o covering certain processing activities in a contract is not sufficient to make them necessary o necessity only if there are no realistic and less intrusive alternatives to the type of processing o Example: It could follow from an employment agreement that a real-estate agent has an outgoing role – hence the use of the image of the real-estate agent in sales material is a natural part of the employment agreement. Sensitive data: obligations and exercising specific rights of the employer in the field of employment and social security and social protection (Art. 9(2)(b)) Monitoring: Control measures in daily operations Types: o E-mail/Internet/SMS/telephone (e.g. screen emails to detect viruses) ▪ employer has the right to check e-mails when there is a legitimate reason and on the basis of clear rules known to the employee ▪ employer can prohibit the private use of workplace e-mails. However, a total ban will often be in breach of the principle of proportionality o Surveillance (video/phone/GPS/smartphones) ▪ principle of necessity, legitimacy, proportionality and transparency ▪ employer must clearly communicate the surveillance to the employees ▪ employee has the right to access his personal data ▪ Example: surveillance cameras legitimate interest can be property protection (e.g. access or vandalism) o -> DPIA might be necessary if there is high risk to employees fundamental rights and freedoms o data subject can reasonably expect the video surveillance -> not possible on toilets or changing rooms there is no less intrusive way to ensure property protection, data retention period the surveillance is proportional to the purpose of property protection employees are informed employees have access to their footage (identity of other people must be blurred) ▪ Example: monitoring workhours with automated performance evaluation requires DPIA because there is a high risk of loss of employment or reduction of salary o Urine/blood tests o Visitation o Door control Legal basis: o article 6 (1)(f) (private employer) o article 6 (1)(e) (public employer) o sensitive data: article 9(2)(f) Principles: o Necessity: no other less intrusive means to fulfil the purpose o Legitimacy: lawful ground and fairness o Proportionality: to the purpose/issue the employer is dealing with o Transparency: employer must inform employees of the monitoring (unless this undermines the purpose for the monitoring or there are compelling operational reasons) Other daily operations Reporting to tax authorities and banks, pension schemes etc -> article 6 (1)(b) and 6(1)(c) Measuring performance and making development plans -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer) Workplace surveys for employees workplace assessment etc. -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer), and 6(1)(c) for work place assessment internal sharing of personal data (e.g. intranet) -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer) Recording of absence -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer), sensitive data: article 9 10.1.3 Post-employment: processes post termination Balancing of interests Notification obligations (art. 13, 14 and 34) and the right of access (art. 15) do not apply if the interests of the data subject are considered to be overriden by o private interests (e.g. trade secrets, persons involved other than the data subject, protection of witnesses, or where the purpose of the collection is defeated if the data subject becomes aware of the collection) o public interest (e.g. handling criminal offences, breaches of regulated profession ethics) o or interests of the data subject or other data subjects o based on: ▪ 15(4) "The right... shall not infringe the rights and freedoms of others") ▪ requests by a data subject are manifestly unfounded or excessive (12(5)(b)) ▪ Restrictions in art. 23 implemented in national legislation (e.g. national security, defence, protection of data subject) Processes post termination Disputes relating to the employment -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer), sensitive data: article 9 Keeping historic records (museum) -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer) Workplace surveys for employees workplace assessment etc. -> article 6 (1)(e) (public employer), GDPR article 6 (1)(f) (private employer), and 6(1)(c) for workplace assessment 11 Marketing 11.1 Scopes of application EU Charter of fundamental rights (Articles 7, 8, 38 (Union policies shall ensure a high level of consumer protection)) GDPR Unfair Commercial Practices Directive (UCPD) o aims to protect the economic interest of consumers Unfair Contract Terms Directive (UCTD) o aims to protect consumers in the EU from unfair terms and conditions which might be included in a standard contract for goods and services they purchase (not individually negotiated) Interplay between consumer protection and data protection: GDPR requires fair and lawful processing Consumer protection law aims at striking a fair balance between traders and consumers -> balance can be affected by trader’s processing of personal data 11.2 Processing for marketing purposes 11.2.1 Legal basis usually consent, performance of a contract or legitimate interest Consent direct marketing requires consent to some extent the processing for (indirect) marketing purposes can be carried out under legitimate interest Giving consent can include ticking a box or choosing technical setting consent must be given for all of multiple purposes Request for consent must be clear, concise and not unnecessarily disruptive to the use of the service Performance of contract cannot be based on consent to marketing (e.g. separate tick box required) Right to withdraw consent at any time (e.g. unsubscribe link) Consent request must not contain unfair terms -> defined in Unfair Contract Terms Directive Legitimate interest marketing is a legitimate purpose, namely influencing consumers’ preferences in order to increase profits -> carried out for legitimate interest (Recital 47) subject to balancing test o trader’s legitimate interest not overridden by the interests or fundamental rights of consumer o consumer can reasonably expect processing (easier overridden when data subject is a child) Right to object to direct marketing at any time (Art. 21(2)) by automated means using technical specifications, in the context of the use of information society services 11.2.2 Cookies regulated by ePrivacy directive Access to information in the terminal equipment of the user (i.e. data stored on electrical device) only with consent and after informing about GDPR refusing consent does not prevent technical storage or access o for the transmission of a communication o strictly necessary for providing the service (must be explicitly

Summary & Notes on EU Law - General Data Protection Regulation (GDPR) PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue