The EU General Data Protection Regulation (GDPR): A Commentary, Second Edition
By Lukas Feiler, Nikolaus Forgó and Michaela Nebel
About this ebook
This commentary provides a detailed examination of the individual articles of the GDPR and is an essential resource aimed at helping legal practitioners prepare for compliance. The second edition includes guidelines on the interpretation of the GDPR published by the European Data Protection Board as well as new case law by the Court of Justice of the European Union. This revised and updated edition includes:
•a general introduction to data protection law;
•full text of the GDPR’s articles and recitals;
•article-by-article commentary explaining the individual provisions and elements of each article.
In addition to lawyers and in-house counsel, this book is also suitable for law professors and students, and offers comprehensive coverage of this increasingly important area of data protection legislation.
The EU General Data Protection Regulation (GDPR): A Commentary
Second Edition
Lukas Feiler
Nikolaus Forgó
Michaela Nebel
Authors
Lukas Feiler, Nikolaus Forgó and Michaela Nebel
Managing director
Sian O’Neill
The EU General Data Protection Regulation (GDPR): A Commentary, Second Edition
is published by
Globe Law and Business Ltd
3 Mylor Close
Horsell
Woking
Surrey GU21 4DD
United Kingdom
Tel: +44 20 3745 4770
www.globelawandbusiness.com
Printed and bound by CPI Group (UK) Ltd, Croydon CR0 4YY, United Kingdom
The EU General Data Protection Regulation (GDPR): A Commentary, Second Edition
ISBN 9781787424784
EPUB ISBN 9781787424791
Adobe PDF ISBN 9781787424807
© 2021 Globe Law and Business Ltd except where otherwise indicated.
Text of the EU General Data Protection Regulation © European Union, 1998–2021, http://eur-lex.europa.eu.
The right of Lukas Feiler, Nikolaus Forgó and Michaela Nebel to be identified as authors of this work has been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
All rights reserved. No part of this publication may be reproduced in any material form (including photocopying, storing in any medium by electronic means or transmitting) without the written permission of the copyright owner, except in accordance with the provisions of the Copyright, Designs and Patents Act 1988 or under terms of a licence issued by the Copyright Licensing Agency Ltd, 5th Floor, Shackleton House, 4 Battle Bridge Lane, London SE1 2HX United Kingdom (www.cla.co.uk, email: licence@cla.co.uk). Applications for the copyright owner’s written permission to reproduce any part of this publication should be addressed to the publisher.
DISCLAIMER
This publication is intended as a general guide only. The information and opinions which it contains are not intended to be a comprehensive study, nor to provide legal advice, and should not be treated as a substitute for legal advice concerning particular situations. Legal advice should always be sought before taking any action based on the information provided. The publishers bear no responsibility for any errors or omissions contained herein.
Contents
List of abbreviations
List of Recitals of the General Data Protection Regulation
Introduction to the General Data Protection Regulation
1. Introduction
2. The most important compliance steps to be implemented
3. Basic terms of the GDPR
4. The scope of the GDPR
4.1 Material scope – what processing activities are covered?
4.2 Personal scope – who does the GDPR apply to?
4.3 Territorial scope – where does the GDPR apply?
5. The relationship with national data protection laws
6. The principles relating to the processing of personal data
7. Legal basis requirement for any data processing activity
7.1 Available legal bases
7.2 Requirements for valid consent
8. Information obligations and privacy notices
9. Rights of the data subject
10. Profiling and automated individual decision-making
11. Data protection compliance programme
11.1 Organisational measures including data protection strategies
11.2 Technical measures including privacy by design and by default
12. Maintaining a record of processing activities
13. Data protection impact assessment and consultation obligation with supervisory authority
14. Data protection officer
15. Data security
15.1 Mandatory data security measures
15.2 Obligation to notify personal data breaches
16. Mandatory arrangements between joint controllers
17. Obligations in case of outsourcing
18. International data transfers
18.1 Transfers not subject to notification or approval
18.2 Transfers subject to notification
18.3 Transfers subject to approval
19. International jurisdiction of supervisory authorities
20. Administrative fines and other sanctions
21. Civil liability and private enforcement
Text of the General Data Protection Regulation and commentary
Chapter I – General provisions
Article 1 Subject-matter and objectives
Article 2 Material scope
Article 3 Territorial scope
Article 4 Definitions
Chapter II – Principles
Article 5 Principles relating to processing of personal data
Article 6 Lawfulness of processing
Article 7 Conditions for consent
Article 8 Conditions applicable to child’s consent in relation to information society services
Article 9 Processing of special categories of personal data
Article 10 Processing of personal data relating to criminal convictions and offences
Article 11 Processing which does not require identification
Chapter III – Rights of the data subject
Section 1 – Transparency and modalities
Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
Section 2 – Information and access to personal data
Article 13 Information to be provided where personal data are collected from the data subject
Article 14 Information to be provided where personal data have not been obtained from the data subject
Article 15 Right of access by the data subject
Section 3 – Rectification and erasure
Article 16 Right to rectification
Article 17 Right to erasure (‘right to be forgotten’)
Article 18 Right to restriction of processing
Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20 Right to data portability
Section 4 – Right to object and automated individual decision-making
Article 21 Right to object
Article 22 Automated individual decision-making, including profiling
Section 5 – Restrictions
Article 23 Restrictions
Chapter IV – Controller and processor
Section 1 – General obligations
Article 24 Responsibility of the controller
Article 25 Data protection by design and by default
Article 26 Joint controllers
Article 27 Representatives of controllers or processors not established in the Union
Article 28 Processor
Article 29 Processing under the authority of the controller or processor
Article 30 Records of processing activities
Article 31 Cooperation with the supervisory authority
Section 2 – Security of personal data
Article 32 Security of processing
Article 33 Notification of a personal data breach to the supervisory authority
Article 34 Communication of a personal data breach to the data subject
Section 3 – Data protection impact assessment and prior consultation
Article 35 Data protection impact assessment
Article 36 Prior consultation
Section 4 – Data protection officer
Article 37 Designation of the data protection officer
Article 38 Position of the data protection officer
Article 39 Tasks of the data protection officer
Section 5 – Codes of conduct and certification
Article 40 Codes of conduct
Article 41 Monitoring of approved codes of conduct
Article 42 Certification
Article 43 Certification bodies
Chapter V – Transfers of personal data to third countries or international organisations
Article 44 General principle for transfers
Article 45 Transfers on the basis of an adequacy decision
Article 46 Transfers subject to appropriate safeguards
Article 47 Binding corporate rules
Article 48 Transfers or disclosures not authorised by Union law
Article 49 Derogations for specific situations
Article 50 International cooperation for the protection of personal data
Chapter VI – Independent supervisory authorities
Section 1 – Independent status
Article 51 Supervisory authority
Article 52 Independence
Article 53 General conditions for the members of the supervisory authority
Article 54 Rules on the establishment of the supervisory authority
Section 2 – Competence, tasks and powers
Article 55 Competence
Article 56 Competence of the lead supervisory authority
Article 57 Tasks
Article 58 Powers
Article 59 Activity reports
Chapter VII – Cooperation and consistency
Section 1 – Cooperation
Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned
Article 61 Mutual assistance
Article 62 Joint operations of supervisory authorities
Section 2 – Consistency
Article 63 Consistency mechanism
Article 64 Opinion of the Board
Article 65 Dispute resolution by the Board
Article 66 Urgency procedure
Article 67 Exchange of information
Section 3 – European Data Protection Board
Article 68 European Data Protection Board
Article 69 Independence
Article 70 Tasks of the Board
Article 71 Reports
Article 72 Procedure
Article 73 Chair
Article 74 Tasks of the Chair
Article 75 Secretariat
Article 76 Confidentiality
Chapter VIII – Remedies, liability and penalties
Article 77 Right to lodge a complaint with a supervisory authority
Article 78 Right to an effective judicial remedy against a supervisory authority
Article 79 Right to an effective judicial remedy against a controller or processor
Article 80 Representation of data subjects
Article 81 Suspension of proceedings
Article 82 Right to compensation and liability
Article 83 General conditions for imposing administrative fines
Article 84 Penalties
Chapter IX – Provisions relating to specific processing situations
Article 85 Processing and freedom of expression and information
Article 86 Processing and public access to official documents
Article 87 Processing of the national identification number
Article 88 Processing in the context of employment
Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Article 90 Obligations of secrecy
Article 91 Existing data protection rules of churches and religious associations
Chapter X – Delegated acts and implementing acts
Article 92 Exercise of the delegation
Article 93 Committee procedure
Chapter XI – Final provisions
Article 94 Repeal of Directive 95/46/EC
Article 95 Relationship with Directive 2002/58/EC
Article 96 Relationship with previously concluded Agreements
Article 97 Commission reports
Article 98 Review of other Union legal acts on data protection
Article 99 Entry into force and application
Keyword index
About the authors
About Globe Law and Business
List of abbreviations
List of Recitals of the General Data Protection Regulation
Introduction to the General Data Protection Regulation
1. Introduction
The General Data Protection Regulation (GDPR) was, and still is, one of the most ambitious legal projects of the European Union in recent years. Since 25 May 2018 the GDPR has replaced the Data Protection Directive (Directive 95/46/EC). In addition, supplementary national data protection laws became applicable on that date. Although the GDPR provided for a two-year transition period before it applied, companies had to undertake a huge effort to adapt their contracts, business processes and IT solutions to the GDPR in time to achieve a prudent level of compliance when the GDPR became applicable on 25 May 2018.
The high fines of up to EUR 20 million or 4% of total worldwide annual turnover (whichever is higher; Art. 83 para. 5) are not the only reason companies must take the GDPR seriously. Data protection has become one of the largest compliance risk areas and is therefore necessarily a priority for the management of every company.
The introduction below allows the reader to quickly get an overview of the GDPR or of certain parts of it. For details, the introduction refers to specific articles of the GDPR or to specific comments on those articles in the commentary section of this book. The commentary section also includes the most relevant case law of the CJEU on the GDPR as well as the most relevant guidelines of the EDPB.
2. The most important compliance steps to be implemented
To achieve minimum compliance with the GDPR, the most important compliance steps to be implemented by controllers can be summarised as follows:
1) implementation of a basic data protection compliance programme (see chapter 11 below) including the appointment of a data protection officer, to the extent reasonable or required in the particular case (see chapter 14 below);
2) preparation of a record of processing activities (see chapter 12 below);
3) review of the legal basis of the respective data processing operation (see chapter 7 below), in particular the requirements regarding valid consent (see chapter 7.2 below);
4) development of GDPR compliant privacy notices (see chapter 8 below); and
5) review of the legal basis and transfer mechanism for international data transfers (see chapter 18 below).
For processors the most important compliance steps to be implemented can be summarised as follows:
1) appointment of a data protection officer to the extent required or reasonable in the particular case (see chapter 14 below);
2) preparation of records of processing activities (see chapter 12 below);
3) implementation of appropriate security measures (see chapter 15.1 below);
4) ensuring that subprocessors are engaged only with the prior specific or general written authorisation of the controller (Art. 28 para. 2); and
5) assurance that international data transfers take place only if compliant with the requirements of the GDPR (see chapter 18 below).
The above-mentioned measures will not produce full compliance with the GDPR but they help to focus the personnel and financial resources of a controller or processor on central compliance aspects.
For larger organisations it will also be required to assess generally in advance the regulatory risks resulting from the GDPR to allow for an efficient deployment of resources.
3. Basic terms of the GDPR
The GDPR exclusively applies to personal data (see chapter 4.1 below). Personal data are defined as any information relating to an identified or identifiable natural person, who is referred to as the data subject (Art. 4 No. 1).
A subset of personal data is sensitive data (also ‘special categories of personal data’). Sensitive data are defined in Art. 9 para. 1 as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning a natural person’s sex life or sexual orientation, data concerning health within the meaning of Art. 4 No. 15, genetic data within the meaning of Art. 4 No. 13 and biometric data (eg, fingerprints or facial images) if processed for the purpose of uniquely identifying a natural person (Art. 9 cmt. 3).
The GDPR applies to controllers and processors (cf. Art. 3 cmt. 4). The GDPR defines the term controller as the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7).
Processor means a natural or legal person which processes personal data on behalf of the controller, that is, one which does not itself determine the purposes and means of the processing (Art. 4 No. 8). For example, if a company outsources the operation of its customer database to an IT service provider, the company remains the controller, whereas the IT service provider acts as a processor.
Processing is defined broadly as any operation which is performed on personal data such as the collection, recording, structuring, alteration, retrieval, use, disclosure by transmission, erasure or destruction (Art. 4 No. 2).
The term transfer is used quite frequently throughout the GDPR. However, it is not defined. Transfer includes any disclosure to another controller or processor, or to a subprocessor (see Art. 44 cmt. 1).
The term supervisory authority means the data protection authority established by each Member State.
4. The scope of the GDPR
The following provides an outline concerning: (i) the processing activities that are covered by the GDPR (see chapter 4.1 below); (ii) those to whom the GDPR applies (see chapter 4.2 below); and (iii) where the GDPR applies (see chapter 4.3 below).
4.1 Material scope – what processing activities are covered?
The GDPR generally applies to any processing of personal data. As set out above under chapter 3, personal data means any information relating to an identified or identifiable natural person. Whether a natural person is identifiable must be assessed objectively, taking into consideration not only the legal and factual possibilities of the controller but also those of third parties (Art. 4 cmt. 3). For example, the IP address of a user constitutes personal data for the operator of a website, even if the operator cannot identify the person itself and only the Internet access provider can identify the user (see the judgment of the CJEU in C-582/14 – Breyer/Germany, decided under the Data Protection Directive; see also the Opinion of the Advocate General).
If data relate to legal persons, they only constitute personal data pursuant to the GDPR if the name of the legal person contains the name of a natural person (Art. 4 cmt. 1). Moreover, data that relate to deceased persons do not constitute personal data within the meaning of the GDPR (Art. 4 cmt. 2).
The GDPR applies primarily to personal data processed wholly or partly by automated means. For data processed other than by automated means (generally on paper), the GDPR applies only if the personal data form part of a filing system or are intended to form part of one (Art. 2 para. 1). ‘Filing system’ means any structured set of personal data which are accessible according to specific criteria (Art. 4 No. 6), such as HR files organised by name. Individual, unstructured paper-based files are not subject to the GDPR (Art. 2 cmt. 4).
As an act of Union law, the GDPR does not apply to matters which fall outside the scope of Union law (eg, national security; see Art. 2 para. 2 lit. a). Furthermore, the GDPR does not apply to processing in the context of the common foreign and security policy (Art. 2 para. 2 lit. b) or to processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Art. 2 para. 2 lit. d; in these areas, Directive (EU) 2016/680 applies, which has to be transposed separately into national law).
Furthermore, the GDPR does not apply to the processing of personal data by natural persons in the course of a purely personal or household activity (‘household exemption’; Art. 2 para. 2 lit. c). This covers in particular the use of social networks for private purposes (Art. 2 cmt. 7).
4.2 Personal scope – who does the GDPR apply to?
The GDPR applies to controllers and processors (see chapter 3 above regarding the definition of these terms).
Under the Data Protection Directive the role of the processor was advantageous because the processor was subject to only a few regulatory obligations. The commercial disadvantage of that role was, and is, the obligation not to use personal data for one’s own purposes and not to commercially exploit them. A company that wants to use personal data for its own purposes and to commercially exploit the data (ie, is aiming for ‘data ownership’) has to qualify as a controller, which results in substantial additional obligations.
This has changed under the GDPR, because the GDPR applies to processors as it does to controllers, making processors subject to substantial regulatory obligations (see chapter 2 above) and to the same administrative fines (see chapter 20 below). Due to this alignment of the obligations of controllers and processors, the commercial advantages of being a controller become more attractive. Many companies that have so far limited themselves to the processor role will likely try to move into a controller role. This results not only in the applicability of regulatory obligations regarding the legal basis of the processing, such as consent of the data subject (see chapter 7 below), and of transparency requirements (see chapter 8 below), but also in the need to revise existing contracts with customers, vendors and data subjects to reflect the new regulatory reality.
4.3 Territorial scope – where does the GDPR apply?
The GDPR applies to controllers and processors that are established in the EU or the EEA (see Art. 3 cmt. 5). Processors in the EU are subject to the GDPR even if they process data for controllers that are not subject to the GDPR (Art. 3 cmt. 4).
Furthermore, the GDPR applies if the controller, respectively the processor, is not established in the EU or the EEA, but has an establishment (eg, an affiliate) in the EU or in the EEA and the processing of personal data takes place in the context of the activities of this establishment. This applies, for example, if the US parent company processes personal data of customers of a German or Austrian affiliate to support the sales activities of that affiliate (see Art. 3 cmt. 2).
To ensure that companies that do not have an establishment in the EU/EEA but are active in the European market are subject to the same conditions of competition as European companies, the GDPR also applies to controllers and processors that are not established in the Union if they offer goods or services, irrespective of whether a payment is required, to data subjects in the Union or the EEA (Art. 3 para. 2 lit. a).
Furthermore, the GDPR applies to controllers and processors that are not established in the Union but monitor the behaviour of data subjects in the Union, as far as that behaviour takes place within the Union (Art. 3 para. 2 lit. b). This applies in particular to online advertising networks which log the web browsing activities of Internet users to deliver personalised online advertising.
5. The relationship with national data protection laws
Like any EU regulation, the GDPR in general applies directly and is not transposed into national law. The previously existing national data protection laws were largely superseded by the GDPR as of 25 May 2018.
Notwithstanding the above, there are numerous topics within the scope of the GDPR for which the GDPR does not (or not comprehensively) provide an answer but expressly authorises Member States through opening clauses to enact national laws. The GDPR therefore allows for deviations among Member States. This applies in particular to the following topics (cf. Art. 92 cmt. 4):
1) How old must a minor be to validly consent to the processing of his/her personal data? (Art. 8 para. 1 subpara. 2)
2) When is it not possible to validly consent to the processing of sensitive data? (Art. 9 para. 2 lit. a)
3) Is the processing of genetic data, biometric data or health data subject to additional limitations? (Art. 9 para. 5)
4) Is it permitted at all to process personal data on criminal convictions and offences? (eg, in connection with a whistleblower hotline; Art. 10)
5) Are automated individual decisions and profiling that are not necessary for the performance of the contract with the data subject permitted without consent of the data subject? (Art. 22 para. 2 lit. b)
6) Are the rights of data subjects subject to additional limitations? (Art. 23)
7) Do all controllers and processors have to appoint a data protection officer or only certain controllers and processors? (Art. 37 para. 4)
8) Is it possible to impose administrative fines on public authorities and bodies? (Art. 83 para. 7)
9) May data protection NGOs claim damages on behalf of data subjects? (Art. 80 para. 1)
10) May data protection NGOs initiate legal proceedings against a controller or a processor without a data subject’s mandate? (Art. 80 para. 2)
Additionally, the GDPR grants the Member States a very far-reaching legislative competence for the processing of employees’ personal data in the employment context (Art. 88) and allows the Member States to regulate the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression (Art. 85) and to find reconciliation between the right to public access to official documents and the right to the protection of personal data (Art. 86).
As of April 2021, all Member States have passed national data protection laws supplementing the GDPR (except for Slovenia, whose national data protection law is still in the legislative process). Some of the Member States have made a rather extensive use of the opening clauses, eg, Germany, other Member States were rather hesitant, eg, Austria.
As a result, the GDPR must always be read together with the applicable national ‘GDPR implementation act’. For this reason the GDPR has also been called a ‘limping regulation’. It is problematic that the GDPR does not contain any ‘conflict of law’ provisions. It therefore remains unclear which Member State’s law applies in a given case.
In our opinion, this is an unintended gap which must be solved by analogy to the rules of competence under the GDPR (see chapter 19 below). If there is a lead competence of a certain supervisory authority for a controller or processor pursuant to Art. 56, the ‘GDPR implementation act’ of such Member State applies (see in detail Art. 92 cmt. 5).
6. The principles relating to the processing of personal data
The GDPR stipulates the following principles that must be complied with whenever personal data is processed (Art. 5 para. 1):
1) Lawfulness (Art. 5 para. 1 lit. a): Personal data must be processed lawfully, that is, a legal basis for the processing is required (see chapter 7 below).
2) Fairness (Art. 5 para. 1 lit. a): Personal data must be processed fairly, which is of relevance in particular when conducting a balancing of interests test (see, eg, Art. 6 para. 1 lit. f).
3) Transparency (Art. 5 para. 1 lit. a): Personal data must be processed in a transparent manner in relation to the data subject. This principle is further specified by the information obligations contained in the GDPR (see chapter 8 below).
4) Purpose limitation (Art. 5 para. 1 lit. b): The first element of the purpose limitation principle is that personal data may only be collected if an explicit and legitimate purpose was specified no later than at the time of the collection (principle of purpose specification). This may, for example, be done by documenting the processing purposes in the record of processing activities (see chapter 12 below). Since the processing purposes must be legitimate, other laws (eg, consumer protection law) must indirectly also be taken into consideration in data protection assessments. The second element of the purpose limitation principle requires that collected data may not be further processed in a manner that is incompatible with the purposes originally specified (purpose limitation in a strict sense) unless the data subject consented (Art. 6 cmt. 13). Whether the purposes are compatible must be assessed by applying certain criteria stipulated in Art. 6 para. 4. If the new purpose is compatible with the former (original) purpose, it is unclear whether the processing is permitted without the need for a new legal basis (eg, new consent) (cf. Art. 6 cmt. 15). However, data subjects must be informed about the new processing purpose (Art. 13 para. 3 and Art. 14 para. 4).
5) Data minimisation (Art. 5 para. 1 lit. c): The type and scope of the processed data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This principle is a specification of the general principle of proportionality. It would be regarded as excessive and therefore a violation of the data minimisation principle if, for example, in order to document the data volume used by each employee, a company logs not only the size of the downloaded files but also the file name and the time of each download.
6) Accuracy (Art. 5 para. 1 lit. d): Personal data must be accurate and, where necessary for the processing purpose, kept up to date.
7) Storage limitation (Art. 5 para. 1 lit. e): Personal data may be stored no longer than necessary for the specified purposes for which the personal data are processed. Upon expiration of that period, data must be deleted or anonymised. For example, due to the principle of storage limitation, the storage of documents regarding a contractual relationship to defend against potential claims of a customer would violate the GDPR after the statutory limitation period expired.
8) Integrity and confidentiality (Art. 5 para. 1 lit. f): Contrary to its name, this principle does not only require appropriate measures to protect the integrity and confidentiality of personal data, but also measures to protect availability and lawfulness of the processing. ‘Security and lawfulness’ would therefore be the more appropriate name for the principle in Art. 5 para. 1 lit. f (see Art. 5 cmt. 11).
The principles relating to processing of personal data are complemented by the principle of accountability which requires that the controller implements compliance measures to ensure compliance with the above-mentioned principles and that the controller is able to demonstrate compliance with these principles (Art. 5 para. 2). The second element of the accountability principle does not shift the burden of proof (which would not be compliant with the presumption of innocence). However, vis-à-vis data subjects, the ability to demonstrate compliance may help to fulfil the burden of proof. A violation of this material obligation is not subject to any administrative fines but only to the enforcement powers of the competent data protection authority (Art. 5 cmt. 13).
7. Legal basis requirement for any data processing activity
Due to the structure of the GDPR, any processing of personal data is prohibited unless in particular Arts. 6 or 9 provide for a respective legal basis for the processing. If a specific legal basis cannot be identified when assessing the compliance of a certain processing activity, the respective processing is prohibited.
7.1 Available legal bases
To identify a potentially applicable legal basis, a differentiation between the different types of personal data is necessary first.
If the processing operation covers personal data relating to criminal convictions and offences or related security measures, Art. 10 applies and the legal basis must be identified under national law.
In case of sensitive data (see chapter 3 above for a definition), the potential legal bases are listed in Art. 9; in the case of any other personal data, the legal bases are listed in Art. 6.
Art. 6 provides the following legal bases for the processing of personal data:
1) implied or explicit consent of the data subject (Art. 6 para. 1 lit. a);
2) necessity to perform a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 para. 1 lit. b);
3) necessity to comply with a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c);
4) necessity to protect the vital interests of the data subject or of another natural person (Art. 6 para. 1 lit. d);
5) necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 para. 1 lit. e); or
6) prevailing legitimate interests pursued by the controller (Art. 6 para. 1 lit. f).
For the processing of sensitive data Art. 9 provides the following limited catalogue of potential legal bases:
1) explicit consent of the data subject (Art. 9 para. 2 lit. a);
2) necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, which also includes rights and obligations pursuant to collective agreements or works council agreements (Art. 9 para. 2 lit. b; Art. 9 cmt. 11);
3) necessity to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Art. 9 para. 2 lit. c);
4) processing of personal data of members by a foundation, association or any other not-for-profit body with a political, philosophical, religious, or trade union aim (Art. 9 para. 2 lit. d);
5) the processing relates to personal data which are manifestly made public by the data subject (Art. 9 para. 2 lit. e);
6) necessity for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Art. 9 para. 2 lit. f);
7) necessity for reasons of substantial public interest on the basis of Union or Member State law (Art. 9 para. 2 lit. g);
8) necessity for the purposes of health or social care systems on the basis of Union or Member State law or pursuant to contract with a health professional (Art. 9 para. 2 lit. h);
9) necessity for reasons of public interest in the area of public health on the basis of Union or Member State law (Art. 9 para. 2 lit. i); and
10) necessity for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law (Art. 9 para. 2 lit. j).
In practice, the data subject’s consent is particularly relevant. The legal basis of consent is regulated in a detailed manner in the GDPR. Therefore, the following paragraph will focus on consent in more detail.
7.2 Requirements for valid consent
Valid consent requires that consent must be freely given, specific, informed and unambiguous (cf. Art. 4 No. 11). The GDPR further clarifies that consent can be withdrawn at any time with future effect (Art. 7 para. 3).
Consent is freely given if the data subject has a real and free choice and therefore may reject or withdraw his or her consent without suffering any disadvantages (Art. 4 cmt. 23). This does, for example, not apply if an employee is threatened with dismissal in case the employee does not provide consent or withdraws his or her consent.
A freely given consent further requires that consent can be provided or rejected separately for individual processing operations – to the extent appropriate considering the situation (see Art. 4 cmt. 23; principle of separate consents). In practice, this means that when drafting consent declarations for more than one processing operation there should be a checkbox for each processing operation (eg, a checkbox for the processing of contact data for direct marketing purposes and another checkbox for the processing of creditworthiness data to decide on the contract conditions).
Additionally, a freely given consent requires that the performance of a contract or the provision of a service is not conditional on consent to the processing of personal data if that consent is not necessary for the performance of the contract or the provision of the service (cf. Art. 4 cmt. 23 and Art. 7 para. 4). This consent-related tying-in prohibition seems to question the business model of services that are offered for free on the Internet and financed through the analysis of user data. However, in our opinion, consent is (commercially) necessary in situations where only consent creates the commercial conditions for providing the goods and services for free and, therefore, the tying-in prohibition regarding consent does not make consent invalid (see Art. 7 cmt. 11). If consent is, indeed, not necessary for technical, economic or legal reasons in order to perform the contract or provide the services, consent can, in our opinion, be given freely by offering two options for the provision of goods or services: first, conditional on consent, and second, in exchange for adequate remuneration. In such a case, the performance of the contract and the provision of the services are not conditional on consent because the customer is free to choose the second option.
The requirement that consent must be given for a specific case means that a general consent without specification of the particular purpose of the processing is invalid (Art. 4 cmt. 24).
Informed consent means that the data subject must be acting in awareness of the facts, that is, that the data subject should be aware at least of the identity of the controller and the processing purposes and was informed about his or her right to withdraw consent at any time (cf. Art. 7 para. 3). Compliance with the information obligations (see chapter 8 below) is not required for consent to be valid (see Art. 4 cmt. 25).
The consent declaration can also be part of general terms and conditions. However, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language (Art. 7 para. 2).
The GDPR contains a special provision for the consent capacity of children regarding online services (information society service within the meaning of Art. 4 No. 25) that are offered to them directly (Art. 8 para. 1). The age of consent capacity is generally set at 16. It can, however, be lowered by Member State law to any age not below 13 years (regarding the lack of a conflict of laws regime, see chapter 5 above). If an online service is offered directly to a child but the child has not yet reached the age of consent capacity, the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility (Art. 8 para. 2). If the online service is not directly offered to children – which could in particular be documented by asking for the age during the registration process – such measures do not have to be implemented (cf. Art. 8 cmt. 10).
Consents that were given before the applicability of the GDPR on 25 May 2018 will only be considered a valid basis for the processing if the consent has been given in line with the requirements of the GDPR (Recital 171 sentence 3).
Finally, it must be noted that the controller bears the burden of proof that the data subject has consented to the processing (Art. 7 para. 1). From a practical standpoint, every data subject consent should therefore be documented.
8. Information obligations and privacy notices
The GDPR provides comprehensive information obligations for controllers to transparently disclose to the data subject which of his or her personal data is processed by whom and under which conditions.
If personal data are collected from the data subject (cf. Art. 13 cmt. 2), the data subject must be informed no later than at the time when the personal data is collected (Art. 13 para. 1). If, on the other hand, the personal data have not been obtained from the data subject, the information must be provided at the latest within one month after obtaining the personal data, respectively if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed (Art. 14 para. 3).
Irrespective of whether the personal data were obtained from the data subject, the controller must inform the data subject about the following:
1) name, respectively company name and legal form, and contact details of the controller (Art. 13 para. 1 lit. a; Art. 14 para. 1 lit. a);
2) contact details of the data protection officer (Art. 13 para. 1 lit. b; Art. 14 para. 1 lit. b);
3) purposes of the processing and legal basis for the processing (Art. 13 para. 1 lit. c; Art. 14 para. 1 lit. c);
4) the recipients or categories of recipients (controllers as well as processors; Art. 13 para. 1 lit. e; Art. 14 para. 1 lit. e);
5) in case of transfers to controllers or processors located in a country outside the EU/EEA (Art. 13 para. 1 lit. f; Art. 14 para. 1 lit. f): whether an adequacy