The EU General Data Protection Regulation (GDPR): A Commentary, Second Edition

Ebook, 657 pages (8 hours)

About this ebook

Since 25 May 2018 the General Data Protection Regulation 2016/679 (GDPR) has applied, representing a significant overhaul of data protection law in the European Union. Although it was drafted and passed by the European Union, the GDPR imposes obligations onto organisations anywhere, so long as they collect or target data relating to people in the EU. It is one of the toughest privacy and security laws in the world and harsh fines are levied against those who violate its privacy and security standards.

This commentary provides a detailed examination of the individual articles of the GDPR and is an essential resource aimed at helping legal practitioners prepare for compliance. The second edition includes guidelines on the interpretation of the GDPR published by the European Data Protection Board as well as new case law by the Court of Justice of the European Union. This revised and updated edition includes:
•a general introduction to data protection law;
•full text of the GDPR’s articles and recitals;
•article-by-article commentary explaining the individual provisions and elements of each article.

In addition to lawyers and in-house counsel, this book is also suitable for law professors and students, and offers comprehensive coverage of this increasingly important area of data protection legislation.
Language: English
Release date: Oct 25, 2021
ISBN: 9781787424791
    The EU General Data Protection Regulation (GDPR): A Commentary

    Second Edition

    Lukas Feiler

    Nikolaus Forgó

    Michaela Nebel

    Authors

    Lukas Feiler, Nikolaus Forgó and Michaela Nebel

    Managing director

    Sian O’Neill

    The EU General Data Protection Regulation (GDPR): A Commentary, Second Edition

    is published by

    Globe Law and Business Ltd

    3 Mylor Close

    Horsell

    Woking

    Surrey GU21 4DD

    United Kingdom

    Tel: +44 20 3745 4770

    www.globelawandbusiness.com

    Print and bound by CPI Group (UK) Ltd, Croydon CR0 4YY, United Kingdom

    The EU General Data Protection Regulation (GDPR): A Commentary, Second Edition

    ISBN 9781787424784

    EPUB ISBN 9781787424791

    Adobe PDF ISBN 9781787424807

    © 2021 Globe Law and Business Ltd except where otherwise indicated.

    Text of the EU General Data Protection Regulation © European Union, 1998–2021, http://eur-lex.europa.eu.

    The right of Lukas Feiler, Nikolaus Forgó and Michaela Nebel to be identified as authors of this work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

    All rights reserved. No part of this publication may be reproduced in any material form (including photocopying, storing in any medium by electronic means or transmitting) without the written permission of the copyright owner, except in accordance with the provisions of the Copyright, Designs and Patents Act 1988 or under terms of a licence issued by the Copyright Licensing Agency Ltd, 5th Floor, Shackleton House, 4 Battle Bridge Lane, London SE1 2HX United Kingdom (www.cla.co.uk, email: licence@cla.co.uk). Applications for the copyright owner’s written permission to reproduce any part of this publication should be addressed to the publisher.

    DISCLAIMER

    This publication is intended as a general guide only. The information and opinions which it contains are not intended to be a comprehensive study, nor to provide legal advice, and should not be treated as a substitute for legal advice concerning particular situations. Legal advice should always be sought before taking any action based on the information provided. The publishers bear no responsibility for any errors or omissions contained herein.

    Contents

    List of abbreviations

    List of Recitals of the General Data Protection Regulation

    Introduction to the General Data Protection Regulation

    1. Introduction

    2. The most important compliance steps to be implemented

    3. Basic terms of the GDPR

    4. The scope of the GDPR

    4.1 Material scope – what processing activities are covered?

    4.2 Personal scope – who does the GDPR apply to?

    4.3 Territorial scope – where does the GDPR apply?

    5. The relationship with national data protection laws

    6. The principles relating to the processing of personal data

    7. Legal basis requirement for any data processing activity

    7.1 Available legal bases

    7.2 Requirements for valid consent

    8. Information obligations and privacy notices

    9. Rights of the data subject

    10. Profiling and automated individual decision-making

    11. Data protection compliance programme

    11.1 Organisational measures including data protection strategies

    11.2 Technical measures including privacy by design and by default

    12. Maintaining a record of processing activities

    13. Data protection impact assessment and consultation obligation with supervisory authority

    14. Data protection officer

    15. Data security

    15.1 Mandatory data security measures

    15.2 Obligation to notify personal data breaches

    16. Mandatory arrangements between joint controllers

    17. Obligations in case of outsourcing

    18. International data transfers

    18.1 Transfers not subject to notification or approval

    18.2 Transfers subject to notification

    18.3 Transfers subject to approval

    19. International jurisdiction of supervisory authorities

    20. Administrative fines and other sanctions

    21. Civil liability and private enforcement

    Text of the General Data Protection Regulation and commentary

    Chapter I – General provisions

    Article 1 Subject-matter and objectives

    Article 2 Material scope

    Article 3 Territorial scope

    Article 4 Definitions

    Chapter II – Principles

    Article 5 Principles relating to processing of personal data

    Article 6 Lawfulness of processing

    Article 7 Conditions for consent

    Article 8 Conditions applicable to child’s consent in relation to information society services

    Article 9 Processing of special categories of personal data

    Article 10 Processing of personal data relating to criminal convictions and offences

    Article 11 Processing which does not require identification

    Chapter III – Rights of the data subject

    Section 1 – Transparency and modalities

    Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

    Section 2 – Information and access to personal data

    Article 13 Information to be provided where personal data are collected from the data subject

    Article 14 Information to be provided where personal data have not been obtained from the data subject

    Article 15 Right of access by the data subject

    Section 3 – Rectification and erasure

    Article 16 Right to rectification

    Article 17 Right to erasure (‘right to be forgotten’)

    Article 18 Right to restriction of processing

    Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

    Article 20 Right to data portability

    Section 4 – Right to object and automated individual decision-making

    Article 21 Right to object

    Article 22 Automated individual decision-making, including profiling

    Section 5 – Restrictions

    Article 23 Restrictions

    Chapter IV – Controller and processor

    Section 1 – General obligations

    Article 24 Responsibility of the controller

    Article 25 Data protection by design and by default

    Article 26 Joint controllers

    Article 27 Representatives of controllers or processors not established in the Union

    Article 28 Processor

    Article 29 Processing under the authority of the controller or processor

    Article 30 Records of processing activities

    Article 31 Cooperation with the supervisory authority

    Section 2 – Security of personal data

    Article 32 Security of processing

    Article 33 Notification of a personal data breach to the supervisory authority

    Article 34 Communication of a personal data breach to the data subject

    Section 3 – Data protection impact assessment and prior consultation

    Article 35 Data protection impact assessment

    Article 36 Prior consultation

    Section 4 – Data protection officer

    Article 37 Designation of the data protection officer

    Article 38 Position of the data protection officer

    Article 39 Tasks of the data protection officer

    Section 5 – Codes of conduct and certification

    Article 40 Codes of conduct

    Article 41 Monitoring of approved codes of conduct

    Article 42 Certification

    Article 43 Certification bodies

    Chapter V – Transfers of personal data to third countries or international organisations

    Article 44 General principle for transfers

    Article 45 Transfers on the basis of an adequacy decision

    Article 46 Transfers subject to appropriate safeguards

    Article 47 Binding corporate rules

    Article 48 Transfers or disclosures not authorised by Union law

    Article 49 Derogations for specific situations

    Article 50 International cooperation for the protection of personal data

    Chapter VI – Independent supervisory authorities

    Section 1 – Independent status

    Article 51 Supervisory authority

    Article 52 Independence

    Article 53 General conditions for the members of the supervisory authority

    Article 54 Rules on the establishment of the supervisory authority

    Section 2 – Competence, tasks and powers

    Article 55 Competence

    Article 56 Competence of the lead supervisory authority

    Article 57 Tasks

    Article 58 Powers

    Article 59 Activity reports

    Chapter VII – Cooperation and consistency

    Section 1 – Cooperation

    Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned

    Article 61 Mutual assistance

    Article 62 Joint operations of supervisory authorities

    Section 2 – Consistency

    Article 63 Consistency mechanism

    Article 64 Opinion of the Board

    Article 65 Dispute resolution by the Board

    Article 66 Urgency procedure

    Article 67 Exchange of information

    Section 3 – European Data Protection Board

    Article 68 European Data Protection Board

    Article 69 Independence

    Article 70 Tasks of the Board

    Article 71 Reports

    Article 72 Procedure

    Article 73 Chair

    Article 74 Tasks of the Chair

    Article 75 Secretariat

    Article 76 Confidentiality

    Chapter VIII – Remedies, liability and penalties

    Article 77 Right to lodge a complaint with a supervisory authority

    Article 78 Right to an effective judicial remedy against a supervisory authority

    Article 79 Right to an effective judicial remedy against a controller or processor

    Article 80 Representation of data subjects

    Article 81 Suspension of proceedings

    Article 82 Right to compensation and liability

    Article 83 General conditions for imposing administrative fines

    Article 84 Penalties

    Chapter IX – Provisions relating to specific processing situations

    Article 85 Processing and freedom of expression and information

    Article 86 Processing and public access to official documents

    Article 87 Processing of the national identification number

    Article 88 Processing in the context of employment

    Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

    Article 90 Obligations of secrecy

    Article 91 Existing data protection rules of churches and religious associations

    Chapter X – Delegated acts and implementing acts

    Article 92 Exercise of the delegation

    Article 93 Committee procedure

    Chapter XI – Final provisions

    Article 94 Repeal of Directive 95/46/EC

    Article 95 Relationship with Directive 2002/58/EC

    Article 96 Relationship with previously concluded Agreements

    Article 97 Commission reports

    Article 98 Review of other Union legal acts on data protection

    Article 99 Entry into force and application

    Keyword index

    About the authors

    About Globe Law and Business

    List of abbreviations

    List of Recitals of the General Data Protection Regulation

    Introduction to the General Data Protection Regulation

    1. Introduction

    The General Data Protection Regulation (GDPR) was – and still is – one of the most ambitious legal projects of the European Union in recent years. Since 25 May 2018 the GDPR has replaced the Data Protection Directive. In addition, supplementary national data protection laws became applicable. Although the GDPR provided for a two-year period before it applied, companies had to undertake a huge effort to adapt their contracts, business processes and IT solutions to the GDPR in a timely manner in order to achieve a prudent level of compliance by the time the GDPR applied from 25 May 2018.

    The high fines of up to EUR 20 million or 4% of total worldwide annual turnover are not the only reason why companies must take the GDPR seriously. Data protection has become one of the largest compliance risk areas and is therefore necessarily a priority for the management of every company.

    The following introduction allows the reader to quickly get an overview of the GDPR or of certain parts of it. For details, the introduction refers to specific articles of the GDPR or to specific comments on articles of the GDPR in the commentary section of this book. The commentary section also includes the most relevant case law of the CJEU regarding the GDPR as well as the most relevant guidelines of the EDPB.

    2. The most important compliance steps to be implemented

    To achieve minimum compliance with the GDPR, the most important compliance steps to be implemented by controllers can be summarised as follows:

    1) implementation of a basic data protection compliance programme (see chapter 11 below) including the appointment of a data protection officer, to the extent reasonable or required in the particular case (see chapter 14 below);

    2) preparation of a record of processing activities (see chapter 12 below);

    3) review of the legal basis of the respective data processing operation (see chapter 7 below), in particular the requirements regarding valid consent (see chapter 7.2 below);

    4) development of GDPR compliant privacy notices (see chapter 8 below); and

    5) review of the legal basis and transfer mechanism for international data transfers (see chapter 18 below).

    For processors the most important compliance steps to be implemented can be summarised as follows:

    1) appointment of a data protection officer to the extent required or reasonable in the particular case (see chapter 14 below);

    2) preparation of records of processing activities (see chapter 12 below);

    3) implementation of appropriate security measures (see chapter 15.1 below);

    4) ensuring that subprocessors are engaged only with prior specific or general written authorisation of the controller (Art. 28 para. 2); and

    5) assurance that international data transfers take place only if compliant with the requirements of the GDPR (see chapter 18 below).

    The above-mentioned measures will not produce full compliance with the GDPR but they help to focus the personnel and financial resources of a controller or processor on central compliance aspects.

    For larger organisations it will also be required to assess generally in advance the regulatory risks resulting from the GDPR to allow for an efficient deployment of resources.

    3. Basic terms of the GDPR

    The GDPR exclusively applies to personal data (see chapter 4.1 below). Personal data are defined as any information relating to an identified or identifiable natural person, who is referred to as the data subject (Art. 4 No. 1).

    A subset of personal data is sensitive data (also ‘special categories of personal data’). Sensitive data are defined in Art. 9 para. 1 as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning a natural person’s sex life or sexual orientation, data concerning health within the meaning of Art. 4 No. 15, genetic data within the meaning of Art. 4 No. 13 and biometric data (eg, fingerprints or facial images) if processed for the purpose of uniquely identifying a natural person (Art. 9 cmt. 3).

    The GDPR applies to controllers and processors (cf. Art. 3 cmt. 4). The GDPR defines the term controller as the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7).

    Processor means a natural or legal person which processes personal data on behalf of the controller, that is, it does not determine the purposes and means of the processing of personal data (Art. 4 No. 8). For example, if a company outsources the operation of its customer database to an IT service provider, the company still acts as a controller, whereas the IT service provider acts as a processor.

    Processing is defined broadly as any operation which is performed on personal data such as the collection, recording, structuring, alteration, retrieval, use, disclosure by transmission, erasure or destruction (Art. 4 No. 2).

    The term transfer is used quite frequently throughout the GDPR. However, it is not defined. Transfer includes the disclosure to another controller or processor, or to a subprocessor (see Art. 44 cmt. 1).

    The term supervisory authority means the data protection authority established by each Member State.

    4. The scope of the GDPR

    The following provides an outline concerning: (i) the processing activities that are covered by the GDPR (see chapter 4.1 below); (ii) those to whom the GDPR applies (see chapter 4.2 below); and (iii) where the GDPR applies (see chapter 4.3 below).

    4.1 Material scope – what processing activities are covered?

    The GDPR generally applies to any processing of personal data. As set out above under chapter 3, personal data means any information relating to an identified or identifiable natural person. Whether a natural person is identifiable must be assessed objectively, not only taking into consideration the legal and factual possibilities of the controller, but also the possibilities of third parties (Art. 4 cmt. 3). For example, the IP address of a user constitutes personal data for the operator of a website, even if the operator of the website cannot identify the person but only the Internet access provider can identify the user (see decision of the CJEU, C-582/14 – Breyer/Germany regarding the interpretation under the Data Protection Directive; see also the statement of the advocate general).

    If data relate to legal persons, they only constitute personal data pursuant to the GDPR if the name of the legal person contains the name of a natural person (Art. 4 cmt. 1). Moreover, data that relate to deceased persons do not constitute personal data within the meaning of the GDPR (Art. 4 cmt. 2).

    The GDPR basically only applies to data processed by automatic means. For data that is processed manually (generally on paper) the GDPR applies only if the personal data form part of a filing system or if they are intended to form part of a filing system (Art. 2 para. 1). ‘Filing system’ means any structured set of personal data which are accessible according to specific criteria (Art. 4 No. 6) such as HR files organised pursuant to names. Individual paper-based files are not subject to the GDPR (Art. 2 cmt. 4).

    As an act of law of the Union, the GDPR does not apply to matters which fall outside the scope of Union law (eg, national security; see Art. 2 para. 2 lit. a). Furthermore, the GDPR does not apply to common foreign and security policy (Art. 2 para. 2 lit. d) or to the areas of the prevention, investigation, detection or prosecution of criminal offences and the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Art. 2 para. 2 lit. d; in these areas, Directive (EU) 2016/680 applies which will have to be implemented separately into national laws).

    Furthermore, the GDPR does not apply to the processing of personal data by natural persons in the course of a purely personal or household activity (‘household exemption’; Art. 2 para. 2 lit. c). This covers in particular the use of social networks for private purposes (Art. 2 cmt. 7).

    4.2 Personal scope – who does the GDPR apply to?

    The GDPR applies to controllers and processors (see chapter 3 above regarding the definition of these terms).

    Under the Data Protection Directive the role of the processor was advantageous because the processor was subject to only a few regulatory obligations. The commercial disadvantage is the obligation to not use personal data for one’s own purposes and to not commercially exploit them. If a company wants to use personal data for its own purposes and wants to commercially exploit the data (ie, is aiming for ‘data ownership’), the company has to be qualified as a controller which results in substantial additional obligations.

    This has been changed by the GDPR because the GDPR applies to processors as it does to controllers and therefore makes processors subject to substantial regulatory obligations (see chapter 2 above) and to the same administrative fines (see chapter 20 below). Due to the alignment of the obligations of controllers and processors, the commercial advantages of being a controller will become more attractive. Many companies that have so far limited themselves to being a processor will likely try to move into a controller role. This would result not only in the applicability of regulatory obligations regarding the legal basis of the data processing, such as consent of the data subject (see chapter 7 below), and transparency requirements (see chapter 8 below), but also in the requirement to revise existing contracts with customers, vendors and data subjects to reflect the new regulatory reality.

    4.3 Territorial scope – where does the GDPR apply?

    The GDPR applies to controllers and processors that are established in the EU or the EEA (see Art. 3 cmt. 5). Processors in the EU are subject to the GDPR even if they process data for controllers that are not subject to the GDPR (Art. 3 cmt. 4).

    Furthermore, the GDPR applies if the controller or processor is not established in the EU or the EEA but has an establishment (eg, an affiliate) in the EU or in the EEA and the processing of personal data takes place in the context of the activities of this establishment. This applies, for example, if a US parent company processes personal data of customers of a German or Austrian affiliate to support the sales activities of that affiliate (see Art. 3 cmt. 2).

    To ensure that companies that do not have an establishment in the EU/EEA but are active in the European market are subject to the same conditions of competition as European companies, the GDPR also applies to controllers and processors that are not established in the Union if they offer their goods or services in the Union or the EEA, irrespective of whether a payment is required (Art. 3 para. 2 lit. b).

    Furthermore, the GDPR applies to controllers and processors that are not established in the Union, but monitor the behaviour of data subjects in the Union (Art. 3 para. 2 lit. b). This applies in particular to online advertising networks which log the web browsing activities of Internet users to deliver personal online advertisement.

    5. The relationship with national data protection laws

    Like any EU regulation, the GDPR in general applies directly and may not be implemented by national law. The previously existing national data protection laws were largely superseded by the GDPR as of 25 May 2018.

    Notwithstanding the above, there are numerous topics within the scope of the GDPR for which the GDPR does not (or not comprehensively) provide an answer but expressly authorises Member States through opening clauses to enact national laws. The GDPR therefore allows for deviations among Member States. This applies in particular to the following topics (cf. Art. 92 cmt. 4):

    1) How old must a minor be to validly consent to the processing of his/her personal data? (Art. 8 para. 1 subpara. 2)

    2) When is it not possible to validly consent to the processing of sensitive data? (Art. 9 para. 2 lit. a)

    3) Is the processing of genetic data, biometric data or health data subject to additional limitations? (Art. 9 para. 5)

    4) Is it permitted at all to process personal data on criminal convictions and offences? (eg, in connection with a whistleblower hotline; Art. 10)

    5) Are automated individual decisions and profiling that are not necessary for the performance of the contract with the data subject permitted without consent of the data subject? (Art. 22 para. 2 lit. b)

    6) Are the rights of data subjects subject to additional limitations? (Art. 23)

    7) Do all controllers and processors have to appoint a data protection officer or only certain controllers and processors? (Art. 37 para. 4)

    8) Is it possible to impose administrative fines on public authorities and bodies? (Art. 83 para. 7)

    9) May data protection NGOs claim damages on behalf of data subjects? (Art. 80 para. 1)

    10) May data protection NGOs initiate legal proceedings against a controller or a processor without a data subject’s mandate? (Art. 80 para. 2)

    Additionally, the GDPR grants the Member States a very far-reaching legislative competence for the processing of employees’ personal data in the employment context (Art. 88) and allows the Member States to regulate the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression (Art. 85) and to find reconciliation between the right to public access to official documents and the right to the protection of personal data (Art. 86).

    As of April 2021, all Member States have passed national data protection laws supplementing the GDPR (except for Slovenia, whose national data protection law is still in the legislative process). Some Member States, eg, Germany, have made rather extensive use of the opening clauses; other Member States, eg, Austria, were rather hesitant.

    As a result, the GDPR must always be read together with the applicable national ‘GDPR implementation act’. For this reason the GDPR is also called a ‘limping regulation’. It is problematic that the GDPR does not contain any ‘conflict of law’ provisions. Therefore, it remains unclear which Member State’s law applies in a given case.

    In our opinion, this is an unintended gap which must be solved by analogy to the rules of competence under the GDPR (see chapter 19 below). If there is a lead competence of a certain supervisory authority for a controller or processor pursuant to Art. 56, the ‘GDPR implementation act’ of such Member State applies (see in detail Art. 92 cmt. 5).

    6. The principles relating to the processing of personal data

    The GDPR stipulates the following principles that must be complied with whenever personal data is processed (Art. 5 para. 1):

    1) Lawfulness (Art. 5 para. 1 lit. a): Personal data must be processed lawfully, that is, a legal basis for the processing is required (see chapter 7 below).

    2) Fairness (Art. 5 para. 1 lit. a): Personal data must be processed fairly, which is of relevance in particular when conducting a balancing of interests test (see, eg, Art. 6 para. 1 lit. f).

    3) Transparency (Art. 5 para. 1 lit. a): Personal data must be processed in a transparent manner in relation to the data subject. This principle is further specified by the information obligations contained in the GDPR (see chapter 8 below).

    4) Purpose limitation (Art. 5 para. 1 lit. b): The first element of the purpose limitation principle is that personal data may only be collected if an explicit and legitimate purpose was specified no later than at the time of the collection (principle of purpose specification). This may, for example, be done by documenting the processing purposes in the record of processing activities (see chapter 12 below). Since the processing purposes must be legitimate, other laws (eg, consumer protection law) must indirectly also be taken into consideration in data protection assessments. The second element of the purpose limitation principle requires that collected data may not be further processed in a manner that is incompatible with the purposes originally specified (purpose limitation in a strict sense) unless the data subject consented (Art. 6 cmt. 13). Whether the purposes are compatible must be assessed by applying the criteria stipulated in Art. 6 para. 4. If the new purpose is compatible with the former (original) purpose, it is unclear whether the processing is permitted without the need for a new legal basis (eg, new consent) (cf. Art. 6 cmt. 15). However, data subjects must be informed about the new processing purpose (Art. 13 para. 3 and Art. 14 para. 4).

    5) Data minimisation (Art. 5 para. 1 lit. c): The type and scope of the processed data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This principle is a specification of the general principle of proportionality. It would be regarded as excessive, and therefore a violation of the data minimisation principle, if, for example, in order to document the data volume used by each employee, a company logs not only the size of the downloaded files but also the file name and the time of each download.

    6) Accuracy (Art. 5 para. 1 lit. d): Personal data must be accurate and, where necessary for the processing purpose, kept up to date.

    7) Storage limitation (Art. 5 para. 1 lit. e): Personal data may be stored no longer than necessary for the specified purposes for which the personal data are processed. Upon expiration of that period, data must be deleted or anonymised. For example, due to the principle of storage limitation, the storage of documents regarding a contractual relationship in order to defend against potential claims of a customer would violate the GDPR once the statutory limitation period has expired.

    8) Integrity and confidentiality (Art. 5 para. 1 lit. f): Contrary to its name, this principle requires not only appropriate measures to protect the integrity and confidentiality of personal data, but also measures to protect the availability and lawfulness of the processing. ‘Security and lawfulness’ would therefore be the more appropriate name for the principle in Art. 5 para. 1 lit. f (see Art. 5 cmt. 11).

    The principles relating to processing of personal data are complemented by the principle of accountability which requires that the controller implements compliance measures to ensure compliance with the above-mentioned principles and that the controller is able to demonstrate compliance with these principles (Art. 5 para. 2). The second element of the accountability principle does not shift the burden of proof (which would not be compliant with the presumption of innocence). However, vis-à-vis data subjects, the ability to demonstrate compliance may help to fulfil the burden of proof. A violation of this material obligation is not subject to any administrative fines but only to the enforcement powers of the competent data protection authority (Art. 5 cmt. 13).

    7. Legal basis requirement for any data processing activity

    Due to the structure of the GDPR, any processing of personal data is prohibited unless in particular Arts. 6 or 9 provide for a respective legal basis for the processing. If a specific legal basis cannot be identified when assessing the compliance of a certain processing activity, the respective processing is prohibited.

    7.1 Available legal bases

    To identify a potentially applicable legal basis, a differentiation between the different types of personal data is necessary first.

    If the processing operation covers personal data relating to criminal convictions and offences or related security measures, Art. 10 applies and the legal basis must be identified under national law.

    In case of sensitive data (see chapter 3 above for a definition), the potential legal bases are listed in Art. 9; in the case of any other personal data, the legal bases are listed in Art. 6.

    Art. 6 provides the following legal bases for the processing of personal data:

    1) implied or explicit consent of the data subject (Art. 6 para. 1 lit. a);

    2) necessity to perform a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 para. 1 lit. b);

    3) necessity to comply with a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c);

    4) necessity to protect the vital interests of the data subject or of another natural person (Art. 6 para. 1 lit. d);

    5) necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 para. 1 lit. e); or

    6) prevailing legitimate interests pursued by the controller (Art. 6 para. 1 lit. f).

    For the processing of sensitive data Art. 9 provides the following limited catalogue of potential legal bases:

    1) explicit consent of the data subject (Art. 9 para. 2 lit. a);

    2) necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, which also includes rights and obligations pursuant to collective agreements or works council agreements (Art. 9 para. 2 lit. b; Art. 9 cmt. 11);

    3) necessity to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Art. 9 para. 2 lit. c);

    4) processing of personal data of members by a foundation, association or any other not-for-profit body with a political, philosophical, religious, or trade union aim (Art. 9 para. 2 lit. d);

    5) the processing relates to personal data which are manifestly made public by the data subject (Art. 9 para. 2 lit. e);

    6) necessity for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Art. 9 para. 2 lit. f);

    7) necessity for reasons of substantial public interest on the basis of Union or Member State law (Art. 9 para. 2 lit. g);

    8) necessity for the purposes of health or social care systems on the basis of Union or Member State law or pursuant to contract with a health professional (Art. 9 para. 2 lit. h);

    9) necessity for reasons of public interest in the area of public health on the basis of Union or Member State law (Art. 9 para. 2 lit. i); and

    10) necessity for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law (Art. 9 para. 2 lit. j).

    In practice, the data subject’s consent is particularly relevant. The legal basis of consent is regulated in a detailed manner in the GDPR. Therefore, the following paragraph will focus on consent in more detail.

    7.2 Requirements for valid consent

    Valid consent requires that consent must be freely given, specific, informed and unambiguous (cf. Art. 4 No. 11). The GDPR further clarifies that consent can be withdrawn at any time with future effect (Art. 7 para. 3).

    Consent is freely given if the data subject has a real and free choice and therefore may reject or withdraw his or her consent without suffering any disadvantages (Art. 4 cmt. 23). This is not the case, for example, if an employee is threatened with dismissal should the employee not provide consent or withdraw his or her consent.

    A freely given consent further requires that consent can be provided or rejected separately for individual processing operations – to the extent appropriate considering the situation (see Art. 4 cmt. 23; principle of separate consents). In practice, this means that when drafting consent declarations for more than one processing operation there should be a checkbox for each processing operation (eg, a checkbox for the processing of contact data for direct marketing purposes and another checkbox for the processing of creditworthiness data to decide on the contract conditions).

    Additionally, a freely given consent requires that the performance of a contract or the provision of a service is not conditional on consent to the processing of personal data if that consent is not necessary for the performance of the contract or the provision of the service (cf. Art. 4 cmt. 23 and Art. 7 para. 4). This consent-related tying-in prohibition seems to call into question the business model of services that are offered for free on the Internet and financed through the analysis of user data. However, in our opinion, consent is (commercially) necessary in situations where only consent creates the commercial conditions for providing the goods and services for free and, therefore, the tying-in prohibition regarding consent does not make such consent invalid (see Art. 7 cmt. 11). If consent is, indeed, not necessary for technical, economic or legal reasons in order to perform the contract or provide the services, consent can, in our opinion, be given freely by offering two options for the provision of goods or services: first, conditional on consent, and second, in exchange for adequate remuneration. In such a case, the performance of the contract and the provision of the services are not conditional on consent because the customer is free to choose the second option.

    The requirement that consent must be given for a specific case means that a general consent without specification of the particular purpose of the processing is invalid (Art. 4 cmt. 24).

    Informed consent means that the data subject must be acting in awareness of the facts, that is, that the data subject should be aware at least of the identity of the controller and the processing purposes and was informed about his or her right to withdraw consent at any time (cf. Art. 7 para. 3). Compliance with the information obligations (see chapter 8 below) is not required for consent to be valid (see Art. 4 cmt. 25).

    The consent declaration can also be part of general terms and conditions. However, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language (Art. 7 para. 2).

    The GDPR contains a special provision for the consent capacity of children regarding online services (information society service within the meaning of Art. 4 No. 25) that are offered to them directly (Art. 8 para. 1). The age of consent capacity is generally set at 16. It can, however, be lowered by Member State law to any age not below 13 years (regarding the lack of a conflict of laws regime, see chapter 5 above). If an online service is offered directly to a child but the child has not yet reached the age of consent capacity, the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility (Art. 8 para. 2). If the online service is not directly offered to children – which could in particular be documented by asking for the age during the registration process – such measures do not have to be implemented (cf. Art. 8 cmt. 10).

    Consents that were given before the applicability of the GDPR on 25 May 2018 will only be considered a valid basis for the processing if the consent has been given in line with the requirements of the GDPR (Recital 171 sentence 3).

    Finally, it must be noted that the controller bears the burden of proof that the data subject has consented to the processing (Art. 7 para. 1). From a practical standpoint, every data subject consent should therefore be documented.

    8. Information obligations and privacy notices

    The GDPR provides comprehensive information obligations for controllers to transparently disclose to the data subject which of his or her personal data is processed by whom and under which conditions.

    If personal data are collected from the data subject (cf. Art. 13 cmt. 2), the data subject must be informed no later than at the time when the personal data are collected (Art. 13 para. 1). If, on the other hand, the personal data have not been obtained from the data subject, the information must be provided at the latest within one month after obtaining the personal data or, if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed (Art. 14 para. 3).

    Irrespective of whether the personal data were obtained from the data subject, the controller must inform the data subject about the following:

    1) name (or company name and legal form) and contact details of the controller (Art. 13 para. 1 lit. a; Art. 14 para. 1 lit. a);

    2) contact details of the data protection officer (Art. 13 para. 1 lit. b; Art. 14 para. 1 lit. b);

    3) purposes of the processing and legal basis for the processing (Art. 13 para. 1 lit. c; Art. 14 para. 1 lit. c);

    4) the recipients or categories of recipients (controllers as well as processors; Art. 13 para. 1 lit. e; Art. 14 para. 1 lit. e);

    5) in case of transfers to controllers or processors located in a country outside the EU/EEA (Art. 13 para. 1 lit. f; Art. 14 para. 1 lit. f): whether an adequacy
